S0078: Psylo
Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. [1]
Analyst context for executives and security teams
Psylo matters because ATT&CK describes it as a Windows, shellcode-based Trojan associated with Scarlet Mimic and linked to behaviors that support discovery, command-and-control, tool transfer, stealth through timestamp manipulation, and exfiltration over the C2 channel. For leaders, the practical question is not whether a tool named Psylo is seen, but whether Windows endpoint, web-traffic, and file-system telemetry would expose a similar intrusion before data leaves the environment.
Executive priority
Treat this as a coverage-validation use case for managed detection, incident response readiness, and audit evidence around endpoint visibility and outbound traffic control. Because ATT&CK provides no official detection text and no explicit tactics on the malware object itself, priority should be placed on proving that core controls can detect the related behaviors: unusual web-based C2, unexpected file transfers, file and directory enumeration, timestomping, and possible exfiltration over an established C2 channel.
Technical view
Validate coverage on Windows systems for the ATT&CK relationships supplied for Psylo: T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1083 File and Directory Discovery, T1070.006 Timestomp, and T1041 Exfiltration Over C2 Channel. SOC and IR teams should focus on behavioral correlations rather than malware-name matching: a suspicious process communicating over web protocols, followed by file-system enumeration, downloaded tools or payloads, abnormal timestamp changes, and outbound data movement over the same channel.
Likely telemetry
- Windows endpoint process execution and parent/child process context
- Endpoint file creation, modification, and metadata/timestamp changes, including evidence useful for timestomp review
- File and directory enumeration activity from host telemetry where available
- Web proxy, firewall, and network connection logs for outbound HTTP/S or web-protocol traffic
- Evidence of downloaded or transferred files from external systems into Windows hosts
Detection direction
- Do not rely on a Psylo signature alone; ATT&CK provides no official detection guidance for this malware object.
- Correlate web-protocol outbound connections with suspicious Windows process behavior and subsequent file discovery or tool transfer activity.
- Review timestamp anomalies where file create/modify/access times appear inconsistent with surrounding directory contents or expected software installation patterns.
- Tune detections to reduce false positives from legitimate software updates, administrative file transfers, backup tools, indexing, and security scanners.
- Use the Scarlet Mimic relationship as threat-intelligence context, but avoid assuming attribution from telemetry alone.
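As an added illustration of the timestamp-anomaly review above (example code, not from the page, MITRE or Glexia), the following Python sketch runs two heuristics over constructed file-metadata records: an exact created/modified/accessed match with a System32 file, which is the cloning behaviour the Psylo T1070.006 relationship describes, and a creation time earlier than the parent directory's. The record layout, paths and timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime as T

SYSTEM32 = "c:\\windows\\system32\\"
# Constructed metadata records (as exported by an endpoint agent or an MFT
# parse); a path ending in a backslash denotes a directory. Assumed layout.
@dataclass(frozen=True)
class FileRecord:
    path: str
    created: T
    modified: T
    accessed: T
    @property
    def stamps(self):
        return (self.created, self.modified, self.accessed)

def find_timestomp_candidates(records):
    """Return (path, reason) leads for analyst review.
    1. File outside System32 whose created/modified/accessed triple equals
       that of a System32 file (the cloning Psylo is described as doing).
    2. File whose creation time predates its parent directory's creation.
    """
    by_path = {r.path.lower(): r for r in records}
    sys_stamps = {r.stamps: r.path for r in records
                  if r.path.lower().startswith(SYSTEM32)}
    findings = []
    for r in records:
        low = r.path.lower()
        if low.startswith(SYSTEM32):
            continue
        ref = sys_stamps.get(r.stamps)
        if ref:
            findings.append((r.path, f"timestamps identical to {ref}"))
        # parent key: strip the entry's own name, keep the trailing backslash
        parent = by_path.get(low.rstrip("\\").rsplit("\\", 1)[0] + "\\")
        if parent and r.created < parent.created:
            findings.append((r.path, "created before parent directory"))
    return findings

K = T(2015, 10, 30, 7, 17, 42)          # kernel32.dll stamps (constructed)
D = T(2016, 1, 20, 9, 0, 0)             # directory creation
U = T(2016, 1, 22, 10, 5, 0)            # normal user activity
SAMPLE_RECORDS = [
    FileRecord("C:\\Windows\\System32\\kernel32.dll", K, K, K),
    FileRecord("C:\\Users\\alice\\AppData\\Roaming\\tool\\", D, U, U),
    # dropped payload whose stamps were copied from kernel32.dll
    FileRecord("C:\\Users\\alice\\AppData\\Roaming\\tool\\update.dll", K, K, K),
    FileRecord("C:\\Users\\alice\\AppData\\Roaming\\tool\\notes.txt", U, U, U),
]
```

Both heuristics produce leads rather than verdicts: legitimate installers and in-volume moves can also yield odd creation times, so the tuning advice above applies.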
Mitigation priorities
- Prioritize Windows endpoint monitoring and response controls capable of capturing process, file, and network context.
- Restrict and monitor outbound web traffic where business processes allow, including proxy inspection and egress policy enforcement.
- Control unauthorized tool transfer through application control, download restrictions, and alerting on unusual external file retrieval.
- Preserve file-system metadata in IR procedures so timestomping can be investigated rather than overwritten or lost.
- Maintain incident response playbooks for suspected C2 plus exfiltration scenarios, including containment, evidence preservation, and outbound traffic review.
Analyst notes and limits
The strongest decision value comes from the ATT&CK relationships, not the short malware description. Psylo is described as Windows malware used by Scarlet Mimic and similar to FakeM, but the supplied data does not include aliases, labels, explicit malware tactics, indicators, procedures, or official detections. Local environment baselines are required to distinguish malicious web traffic, file enumeration, timestamp changes, and tool transfer from normal administrative activity.
This take uses only the supplied ATT&CK STIX fields, external references, and relationships. It does not assert active exploitation, current targeting, customer exposure, government attribution, or guaranteed detection. Technique relationships describe behaviors associated with the object, while detailed procedures and indicators are not supplied here.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Psylo uses HTTPS for C2. [1] |
| Enterprise | T1083 | File and Directory Discovery | Psylo has commands to enumerate all storage devices and to find all files that start with a particular string. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Psylo has a command to download a file to the system from its C2 server. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Psylo exfiltrates data to its C2 server over the same protocol as C2 communications. [1] |
| Enterprise | T1070.006 | Timestomp (sub-technique) | Psylo has a command to conduct timestomping by setting a specified file's timestamps to match those of a system file in the System32 directory. [1] |
Groups, software, and campaigns
G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 77b9a20bcf13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
[2] MITRE ATT&CK. S0078: Psylo.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.