Scarlet Mimic Analysis

IOB - Indicator of Behavior (102)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en (102)


Country

us (82)
cn (14)
gb (6)


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Google Android (6)
Google Chrome (4)
CPG-Nuke Dragonfly CMS (4)
Apache HTTP Server (2)
Easy Modal Plugin (2)


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | mcart.xls Module mcart_xls_import.php sql injection | 7.1 | 7.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00465 | 0.00 | CVE-2015-8356 |
| 2 | EasyCom PHP API memory corruption | 8.5 | 7.4 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.37042 | 0.00 | CVE-2017-5358 |
| 3 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.77 | CVE-2010-0966 |
| 4 | PbootCMS SingleController.php sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00221 | 0.02 | CVE-2018-18450 |
| 5 | PoDoFo PDF File PdfXRefStreamParserObject.cpp ParseStream integer overflow | 5.4 | 5.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00078 | 0.00 | CVE-2018-5295 |
| 6 | Landing Pages Plugin injection | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02034 | 0.00 | CVE-2015-5227 |
| 7 | Piwik Controller.php saveLayout code injection | 6.3 | 5.9 | $0-$5k | $0-$5k | Functional | Official Fix | 0.00000 | 0.02 | |
| 8 | Moxa AWK-3131A Web Application null pointer dereference | 7.2 | 7.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00176 | 0.00 | CVE-2016-8723 |
| 9 | Image Sharing Script postComment.php Stored cross site scripting | 3.5 | 3.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00000 | 0.02 | |
| 10 | Linux Kernel tmpfs System posix_acl.c simple_set_acl access control | 4.9 | 4.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2017-5551 |
| 11 | Netgear R8000 Password Recovery passwordrecovered.cgi information disclosure | 6.7 | 6.7 | $5k-$25k | $0-$5k | High | Not Defined | 0.97402 | 0.00 | CVE-2017-5521 |
| 12 | libtorrent GZIP Response puff.cpp construct input validation | 5.9 | 5.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00397 | 0.00 | CVE-2016-7164 |
| 13 | phpMyAdmin grab_globals.lib.php path traversal | 4.8 | 4.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.02334 | 0.11 | CVE-2005-3299 |
| 14 | Tongda OA 2017 delete.php sql injection | 6.9 | 6.8 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00063 | 0.41 | CVE-2024-1252 |
| 15 | Ecommerce Online Store Kit shop.php sql injection | 9.8 | 9.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03763 | 0.05 | CVE-2004-0300 |
| 16 | D-Link DIR-823G HNAP1 access control | 5.5 | 5.3 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00321 | 0.02 | CVE-2021-43474 |
| 17 | Juniper ScreenOS SSH/Telnet improper authentication | 9.8 | 8.8 | $25k-$100k | $0-$5k | High | Official Fix | 0.97054 | 0.04 | CVE-2015-7755 |
| 18 | WarHound WarHound General Shopping Cart item.asp sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00463 | 0.00 | CVE-2006-6206 |
| 19 | Adobe Magento Customers Module improper authorization | 5.0 | 4.8 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00090 | 0.00 | CVE-2021-28567 |
| 20 | Google Android SimpleDecodingSource.cpp doRead privileges management | 9.8 | 9.6 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00120 | 0.00 | CVE-2021-39623 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Uyghurs

IOC - Indicator of Compromise (9)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (64)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .htaccess | predictive | Medium |
| 2 | File | /ajax-files/postComment.php | predictive | High |
| 3 | File | /cgi-bin/pass | predictive | High |
| 4 | File | /cgi-bin/wapopen | predictive | High |
| 5 | File | /general/attendance/manage/ask_duty/delete.php | predictive | High |
| 6 | File | /passwordrecovered.cgi | predictive | High |
| 7 | File | /plugins/Dashboard/Controller.php | predictive | High |
| 8 | File | xxxxx/xxxxx_xxx_xxxxxx.xxx | predictive | High |
| 9 | File | xxxxx/xxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx.xx | predictive | High |
| 10 | File | xxxx\xxxxx\xxxxxxxxxx\xxxxxxx\xxxxxxxxxxxxxxxx.xxx | predictive | High |
| 11 | File | xxxxxxxx.xxx | predictive | Medium |
| 12 | File | xxxx/xxxxxxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 13 | File | xxxxxxxxxxxx.xxx/xxxxxxxxxxx.xxx/xxxxxxxxxxx.xxx/xxxxxxxxxxx.xxx | predictive | High |
| 14 | File | xxxxxxx\xxxxxxxxxx\xxxxx\xxxxxx.xxx | predictive | High |
| 15 | File | xxxxxx/xxxx.x | predictive | High |
| 16 | File | xxx.xxxxxxx.xxx | predictive | High |
| 17 | File | xxx/xxxxxxxxx/xxxxxx/xxxxxxxxxxxxx.xxxx | predictive | High |
| 18 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
| 19 | File | xxxx/xxxxxxxxxx/xxxxxx-xxx.x | predictive | High |
| 20 | File | xxxxxxxxx/xxxxxxx/xxxx/xxxxxxxxx/xxxxxxxx.xxx | predictive | High |
| 21 | File | xxxxxxxxx/xxxxx/xxxxxxxxxxxx/xxxxxxxxx.xxx | predictive | High |
| 22 | File | xx/xxxxx_xxx.x | predictive | High |
| 23 | File | xxxx_xxxxxxx.xxx.xxx | predictive | High |
| 24 | File | xxx/xxx.xxx | predictive | Medium |
| 25 | File | xxx/xxxxxx.xxx | predictive | High |
| 26 | File | xxxxxxx.xxx | predictive | Medium |
| 27 | File | xxxx.xxx | predictive | Medium |
| 28 | File | xxxxxxx.xxx | predictive | Medium |
| 29 | File | xxxxx.xxx | predictive | Medium |
| 30 | File | xxxxxxxxx.xxx | predictive | High |
| 31 | File | xxxx_xxxxxxxxxx.xxx | predictive | High |
| 32 | File | xxxxxx/?x=xxxxx/\xxxxx\xxx/xxxxxxxxxxxxxx&xxxxxxxx=xxxx_xxxx_xxxx_xxxxx&xxxx[x]=xxxxxx&xxxx[x][] | predictive | High |
| 33 | File | xxxx.xxx | predictive | Medium |
| 34 | File | xxxx.xxx | predictive | Medium |
| 35 | File | xxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 36 | File | xxxxxx/xxxxxx_xxxxxxxxxxx.xxx | predictive | High |
| 37 | File | xxxxxxxxxxxx.xxx | predictive | High |
| 38 | File | xx-xxxxx/xxxx.xxx | predictive | High |
| 39 | Library | xxx/xxxxxxxxx/xxxxxxxx.xxx | predictive | High |
| 40 | Argument | xxx_xxxx_xx | predictive | Medium |
| 41 | Argument | xxxxxxxx | predictive | Medium |
| 42 | Argument | xxxxxxx xxxx | predictive | Medium |
| 43 | Argument | xxxxxxxxx->xxxxxxxxx | predictive | High |
| 44 | Argument | xxxxxxxxxx | predictive | Medium |
| 45 | Argument | xx | predictive | Low |
| 46 | Argument | xx/xxx/xxxxx | predictive | Medium |
| 47 | Argument | xxxxxxxxxxx | predictive | Medium |
| 48 | Argument | xxxxx | predictive | Low |
| 49 | Argument | xxxxxx | predictive | Low |
| 50 | Argument | xxxxxxxx | predictive | Medium |
| 51 | Argument | xxxx_xxxxx | predictive | Medium |
| 52 | Argument | xxxxxxxxxx | predictive | Medium |
| 53 | Argument | xxxx | predictive | Low |
| 54 | Argument | xxxxxxxxx/xxxxxxx | predictive | High |
| 55 | Argument | xxx | predictive | Low |
| 56 | Argument | xxxxxxxx | predictive | Medium |
| 57 | Argument | xxx_xxxxxx_xxxxxxx_xx_xxx | predictive | High |
| 58 | Input Value | 'xx x=x | predictive | Low |
| 59 | Input Value | ../.. | predictive | Low |
| 60 | Input Value | xxxx | predictive | Low |
| 61 | Input Value | <xxx xxx=x xxxxxxx=xxxxxx(x)> | predictive | High |
| 62 | Input Value | xxxxxxxx.+xxx | predictive | High |
| 63 | Input Value | xxxxxxxxx/xxxxxxxxx | predictive | High |
| 64 | Input Value | {{ }} | predictive | Low |

References (5)

The following list contains external sources which discuss the actor and the associated activities:
