Scarlet Mimic (G0029): Persistent Cyber Espionage Against Activists
- Suspected Origin
- East Asia
- Motivation
- Espionage
- Aliases
- None documented
- Target Sectors
- Minority Rights Activists, Non-Governmental Organizations, Government
- Associated Malware
- FakeM, MobileOrder, CallMe, Psylo
Overview
Scarlet Mimic, tracked as G0029 by MITRE ATT&CK, is a well-resourced and persistent cyber espionage group that has been active since at least 2009, with significant activity noted from 2013 onward. This adversary primarily focuses on collecting intelligence from minority rights activists and their supporters, particularly those associated with Uyghur and Tibetan communities. While direct government attribution remains unconfirmed, the group’s operational motivations strongly align with the strategic interests of the Chinese government. Initial analyses have indicated some overlap in IP address usage with Putter Panda (APT 2), though it has not been definitively concluded that these groups are one and the same. Beyond activist groups, Scarlet Mimic has also broadened its scope to include government organizations in Russia and India, specifically those involved in tracking activist and terrorist activities, presumably to gather further intelligence relevant to their primary targets.
The group’s operations are characterized by sophisticated techniques and the development of custom malware across multiple operating systems, demonstrating a significant investment in their capabilities. Their long-term commitment to surveillance and information gathering, especially against politically sensitive targets, underscores their strategic importance to their likely sponsors.
Tactics & Techniques
Scarlet Mimic’s modus operandi relies heavily on social engineering and tailored exploitation to achieve initial access. The group predominantly employs spear-phishing campaigns, crafting highly relevant email content with infected “decoy” documents designed to appeal to their specific targets. These decoy files, which can include press releases, politically charged graphics, or articles related to minority issues, are used to trick victims into executing malicious payloads. Upon execution, the malware typically displays the benign decoy document to maintain a facade of legitimacy, preventing immediate suspicion from the user.
In addition to spear-phishing, Scarlet Mimic has been observed using watering hole attacks, also known as strategic web compromises. A notable incident in 2013 involved compromising the Tibetan Alliance of Chicago’s website to host malicious code, exploiting a vulnerability in Internet Explorer (CVE-2012-4969) to infect visitors.
To achieve execution and persist on compromised systems, Scarlet Mimic has leveraged known vulnerabilities in popular software, including memory corruption bugs in Microsoft Excel, system state corruption in ActiveX, buffer overflows in Microsoft PowerPoint and Office, and stack-based buffer overflows in the CoolType DLL within Adobe Reader and Acrobat. For defense evasion, their primary Windows backdoor, FakeM, is designed to mimic legitimate Windows Messenger and Yahoo! Messenger network traffic for its command and control (C2) communications, making it harder to detect. Later variants of FakeM further enhanced evasion by using SSL for C2 encryption, with some even employing a customized SSL protocol that bypasses the standard “client hello” handshake. They also utilize various “loader” malware families to deliver their primary payloads, further complicating detection.
Notable Campaigns
Scarlet Mimic’s campaigns have a long history, dating back to at least 2009. The group gained significant public attention in January 2016 when Palo Alto Networks’ Unit 42 published a detailed report on their activities, which had been ongoing for at least four years prior to the report. This publication illuminated the group’s persistent targeting of Uyghur and Tibetan activists and their supporters, revealing a sophisticated and evolving threat landscape.
A key aspect of their operations highlighted in these reports was the group’s expansion beyond traditional PC targets to mobile platforms. Beginning around 2015, Scarlet Mimic initiated a shift towards mobile surveillance, particularly against Android devices, which continues to be a significant part of their operational focus. This strategic pivot underscored their adaptability and commitment to maintaining surveillance capabilities in an increasingly mobile-centric world. The mobile surveillance campaigns often use baits disguised as culturally relevant content, such as religious texts, images, or books, to trick victims into installing their spyware.
Associated Malware & Tools
Scarlet Mimic employs a diverse arsenal of custom malware and off-the-shelf toolkits to achieve its objectives across different operating systems:
- FakeM: This is Scarlet Mimic’s primary Windows backdoor. It is shellcode-based and notable for its command-and-control (C2) traffic masquerading as legitimate Windows Messenger and Yahoo! Messenger traffic to evade detection. Multiple variants of FakeM have been observed, with later versions incorporating SSL encryption, including a customized SSL protocol.
- Loaders: The group utilizes at least nine distinct loader families to deliver the FakeM payload, indicating a modular approach to infection and payload delivery.
- CallMe Trojan: This custom Trojan is specifically designed to compromise Mac OS X systems, demonstrating Scarlet Mimic’s cross-platform capabilities.
- Psylo: Described as a shellcode-based uploader/downloader, Psylo shares infrastructure with FakeM and serves a similar function in establishing control and facilitating data exfiltration.
- MobileOrder: This is Scarlet Mimic’s Android spyware, which has been under active development and deployed since 2015. Check Point Research identified over 20 variants of MobileOrder by mid-2022. Its capabilities are extensive, allowing attackers to steal sensitive data, initiate calls and send SMS messages on behalf of the victim, track real-time location, and record both incoming/outgoing calls and ambient audio. This malware is typically distributed via social engineering, often disguised as legitimate applications or documents.
- Exploitation Toolkits: For creating malicious documents, Scarlet Mimic has been observed using toolkits such as MNKit, WingD, and Tran Duy Linh.
Current Status
Scarlet Mimic remains an active threat actor. Recent intelligence indicates that their mobile surveillance campaigns, particularly targeting the Uyghur community with the MobileOrder Android spyware, continued as of mid-August 2022. This ongoing activity, several years after initial public disclosures, demonstrates the group’s sustained operations and their commitment to their intelligence-gathering mission. While their initial reports date back to the mid-2010s, subsequent analyses and threat intelligence updates, including those from Palo Alto Networks in 2019 and Check Point Research in 2022, confirm their persistent presence and evolving tactics, particularly in the mobile espionage landscape. The consistency of their targeting and the continuous refinement of their malware families, especially MobileOrder, confirm that Scarlet Mimic is still a relevant and capable threat.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call