Trusted Design

Scarlet Mimic: Espionage Campaign Targets Minority Activists

概要

Over the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have code named “Scarlet Mimic.” The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade.

Created: 2026-02-23

Indicators

• FileHash-SHA256 - e8e5ecf525c5259651bfbdf1923215729ec67658225eca1b02519f5f6279eacb -
• hostname - kasperskysecurity.firewall-gateway.com -
• hostname - bits.githubs.net -
• FileHash-SHA256 - c1e8ff8ebe3754bc7d14509ef3678edf7551d876d3fa847d07d469c09bceae91 -
• hostname - ftp112.lenta.cloudns.pw -
• hostname - vip.yahoo.cloudns.info -
• hostname - addi.apple.cloudns.org -
• FileHash-SHA256 - fa08a498da0b31e77669d51a28dff166d84983fa6af693063c08f312fdce93e3 -
• FileHash-SHA256 - 7c9421a4605decfa1b3e22addbca98d86ea757dcd8ff8e075d13228c99618637 -
• hostname - update.googmail.org -
• hostname - intersecurity.firewall-gateway.com -
• hostname - ppcc.vasilevich.cloudns.info -
• FileHash-SHA256 - 33e50c44804d4838dba6627b08210029ff9106fa7fd16cd7255271e153f58b05 -
• hostname - book.websurprisemail.com -
• hostname - zjhao.dtdns.net -
• FileHash-SHA256 - caf76e19a2681dd000c96d8389afc749e774c083aef09f023d4f42fbc49d4d3d -
• FileHash-SHA256 - a9f0bddc3d3516af8355e8ac17309528cd018347e5f56a347c14da0a83b0028a -
• hostname - lemondtree.freetcp.com -
• hostname - email.googmail.org -
• CVE - CVE-2009-3129 -
• hostname - detail43.myfirewall.org -
• hostname - liumingzhen.myftp.org -
• hostname - aaa123.spdns.de -
• FileHash-SHA256 - b4c1e9c99f861a4dd7654dcc3548ab5ddc15ee5feb9690b9f716c4849714b20d -
• FileHash-SHA256 - 19bbee954ac1a21595e63cb86d1a596236aed353804aec5cb8adfa62e70280d3 -
• hostname - worldwildlife.effers.com -
• FileHash-SHA256 - c30d03750458bb5f2b03d6bd399ffca6d378a3adb5a74bee3b6ba4b982dbf273 -
• CVE - CVE-2010-2883 -
• FileHash-SHA256 - 428121c421bf81a0d689014cf21ec7951b0c32add86198e06f7d636981f68755 -
• FileHash-SHA256 - db8338e6b883fdceaa02c10ad683547a26ae32e0d4641cc24c7bd3b45154abb0 -
• FileHash-SHA256 - 8c423506c0c7ebe1e61071374ecf0806463a02a2100b5daa1bd942129ff8a235 -
• FileHash-SHA256 - 631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3 -
• hostname - dolat.websurprisemail.com -
• hostname - firewallupdate.firewall-gateway.net -
• hostname - sisiow.slyip.com -
• hostname - fish.seafood.cloudns.org -
• FileHash-SHA256 - 53238f67ac7e4cc27264efbacc8712bd97a5775feaf633c63adaa0785d038e8a -
• FileHash-SHA256 - 77e4ef9e08f1095487b4fa27492b4c9b8e833f29598f99a0d10f7c85b4254761 -
• hostname - eemete.freetcp.com -
• FileHash-SHA256 - bbdedcfe789641e7f244700e8c028ef51094b66508f503876eb0d6aa16df6aa8 -
• FileHash-SHA256 - cc7db456825e266849090b6fa95a94ad8c4c717712b610b0d39077af5222f4be -
• FileHash-SHA256 - 8da2f9afd914a4318a97f4d74809c0c383f8ebf0d3d6e3d3715efbd71a66a52f -
• hostname - economy.spdns.eu -
• FileHash-SHA256 - d698008e417da867d02e2f5cdcc80ff92af753dd585fada42fc611c2d7332c3a -
• hostname - www.angleegg.ddns.us -
• YARA - ff9fabeb3f71ae898f60b54b538289000e20766b -
• hostname - dolet.websurprisemail.com -
• hostname - ziba.lenovositegroup.com -
• FileHash-SHA256 - 12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d -
• FileHash-SHA256 - ec4deb761b09ddc706804ef669836cf4b199f1d74b14ad623a6f6cc2f38190b8 -
• FileHash-SHA256 - 79aca57905cca1e56b0cedf48a4d81812639c333ee6532d90a074d64b3852d6f -
• FileHash-SHA256 - 4d539f638ed476ca08da838cdfbf710dae82b582256d60a009e9d304f6822e65 -
• FileHash-SHA256 - 53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e -
• FileHash-SHA256 - 7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8 -
• FileHash-SHA256 - 6fe33c672fd30bba9bbc89dc7d88993d8783382c9f9c510677b1bb068a5f1e51 -
• hostname - addnow.zapto.org -
• FileHash-SHA256 - 9ff687a813a5cb5ff10374c86f852534c1aa3e5a221123214bf52b2ff455a5da -
• FileHash-SHA256 - d1dd4469c7b5c462e5ff2dcef5d22775250e9ebf395f65da624f18ea7144e173 -
• hostname - mareva.catherine.cloudns.us -
• FileHash-SHA256 - 2e1472a65a8df43c8bc9b0aff954fbc1a093c4214f6a718a08e1321db83ca683 -
• FileHash-SHA256 - c981db20d588ba2d0f437b4e5459e7c6763f52a97841450c94591ca28a9a2d69 -
• FileHash-SHA256 - 7fb2c37431fd7b05414b134732ba0b29cd7dad17fc176627ee0815aac60c1ab9 -
• hostname - qq.ufoneconference.com -
• hostname - yycc.mrbonus.com -
• hostname - qq.yourturbe.org -
• FileHash-SHA256 - 4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3 -
• FileHash-SHA256 - 508a7cab0f2a69ba66e92e86817a49ecd1b9c8ae11a995147944995fc868dfad -
• FileHash-SHA256 - 9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5 -
• FileHash-SHA256 - a569f3b02a4be99e0b4a9f1cff43115da803f0660dd4df114b624316f3f63dc6 -
• FileHash-SHA256 - f511b13341c9fb4ec9ecfcfe5a5813b964c362d7c709c402ead4e010d857bf6c -
• FileHash-SHA256 - a1b7fe2acdb7a5b0c52b7c1960cfad531a7ca85b602fc90044c57a2b2531699f -
• hostname - news.firewall-gateway.com -
• hostname - www.angleegg.xxxy.info -
• hostname - economy.spdns.de -
• FileHash-SHA256 - 22e7517d8996e92998eb996416f9d8ef06b3b1c220c1a5d29ccd5aaef7b10c72 -
• FileHash-SHA256 - de12cd8d11478d17342c60239837c1afcc9fee72df6ffdf9943802640d43f77a -
• FileHash-SHA256 - 91e36e720477146f1a0c050d3bc74bc6683a03e7631317ded3c598a10465dcc8 -
• hostname - liumingzhen.zapto.org -
• FileHash-SHA256 - 6f10c892133b5dac6c40cfe77ca32b42572bc56909481b236080dfc143ef9afd -
• hostname - kissecurity.firewall-gateway.net -
• hostname - opero.spdns.org -
• hostname - www.gorlan.cloudns.pro -
• hostname - news.googmail.org -
• FileHash-SHA256 - 5154511a439bb367b7dd56232eb15281cb6dc4d64ea3a06e7fbbe6b176e385d4 -
• hostname - youturbe.co.cc -
• hostname - account.websurprisemail.com -
• FileHash-SHA256 - a195f564aa2fb66db119e2fbec93e319a973e5cf50fbf9fc08bd81f9b7ee8af8 -
• hostname - video.googmail.org -
• FileHash-SHA256 - d1f0658bbb15ab2bccc210d7e1f21b96e14ae22de8494ca95b12e182f3d0f693 -
• FileHash-SHA256 - 3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90 -
• hostname - mail.firewall-gateway.com -
• hostname - admin.spdns.org -
• hostname - apple.lenovositegroup.com -
• hostname - apple12.crabdance.com -
• hostname - muslim.islamhood.net -
• FileHash-SHA256 - 9b77bbb620f50632fae17c40c7469fc93ffdbc4136a6d893a9a10a44bc435da5 -
• CVE - CVE-2010-2572 -
• FileHash-SHA256 - 0f2db64b8283b76d49c9bb272beafab8323f941b6dc3888b42ff02f08634d016 -
• FileHash-MD5 - 8fa804105b1e514e1998e543cd2ca4ea -
• hostname - popqueen.cloudns.org -
• hostname - sys.firewall-gateway.net -
• FileHash-SHA256 - 0aab09bf0db30a4be28d19475082fd5e7f75879bf9029fdd8dfc3a1e1f072b0c -
• FileHash-SHA256 - aa8a302a53bd39b2d2a6e3d8497575e2a5f9757b248e34c8e0821ce9eee5cc32 -
• FileHash-SHA256 - a268cc4931781d1d8094a4f8f596c2de3d662f2581c735b0810ff0ecefe3f859 -
• FileHash-SHA256 - 95dba004f949e44cb447246f3d2420b01db4541d0e4fa7b00d798f38a3d251e4 -
• CVE - CVE-2012-4969 -
• FileHash-SHA256 - 03004ccc23033a09532bea7dfa08c8dfa85814a15f5e3aedb924a028bcd6f908 -
• hostname - dolat.diyarpakzimin.com -
• hostname - press.ufoneconference.com -
• FileHash-SHA256 - cd506679fd32dab16dee6fbf1cfdfe0836e092a4f5669418a199d99c9cd33abd -
• hostname - bee.aoto.cloudns.org -
• FileHash-SHA256 - 27167a9d63f5ddc68a12decb1a1e0a2a29c72fe0681dca2c4f3d169f048a9d38 -
• FileHash-SHA256 - 363d9557861fab2d83d04847b967996361e670e571b335c7a535bc6278cba149 -
• FileHash-SHA256 - 3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520 -
• FileHash-SHA256 - 202975d10ba417cf441e8f9986d2496807fe39e057d3226ec3b2713f0c218cd8 -
• FileHash-SHA256 - 53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60 -
• FileHash-SHA256 - 41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33 -
• hostname - desk.websurprisemail.com -
• FileHash-SHA256 - 669ce0975c133d54e414dbf1de546aed742e76fe3e60568e2bd4747b7e0f8b70 -
• FileHash-SHA256 - fb60d14de4dba022f11437845d465a661d0c78d3d097a38770816f06992bf0af -
• hostname - accounts.yourturbe.org -
• CVE - CVE-2010-3333 -
• CVE - CVE-2012-0158 -
• FileHash-SHA256 - be0e8da7e261ec7d08eaa78e79ceb1be47c324b8e142097bf6569f9471c98a4e -
• FileHash-SHA256 - 00bb399c429e0f1f7de751103fe92b5f820d1686d01662a08583b7a94aaed94e -
• FileHash-SHA256 - 7156f6416e7116e52f9c67f4e716b1dbea17387e61009c7f2825debbbb4dcb73 -
• hostname - ibmcorp.slyip.com -
• FileHash-SHA256 - 071c34b9701dd84f9590ba899a8af3eeec228a928f2d98a80dbc780e396ee01a -
• FileHash-SHA256 - 5db51f2f7c31de7d165ec4892ae7dcedaa036caedeef718b57953d7935582f04 -
• FileHash-SHA256 - caeace73a17e220634525d2a4117525fd60cb86a06873c86571e89d156f8d72d -
• FileHash-SHA256 - df9872d1dc1dbb101bf83c7e7d689d2d6df09966481a365f92cd451ef55f047d -
• FileHash-SHA256 - 879edf0417c4a9759040b51bf83b2fc918a6644a7c29a52252003a63036aea5c -
• FileHash-SHA256 - 523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b -
• FileHash-SHA256 - 4a3d0df9fa198a7ebe45db5239d22067e74924b1aace52029b3acc9b51af691e -
• hostname - polat.googmail.org -
• hostname - webmail.yourturbe.org -
• hostname - clean.popqueen.cloudns.org -
• FileHash-SHA256 - 0d77f5f1d4c0f02fb88ac33fa365b17d28d1521cea59329ca4b3dd0b7031a60e -
• hostname - www.googmail.org -
• hostname - firefox.spdns.de -
• hostname - bailee.alanna.cloudns.biz -
• FileHash-SHA256 - 6a1c7999b4ba92899d3364fc729d0f052680be5a71dd0f13cbabdb19b82bf858 -
• FileHash-SHA256 - 5fae5750797ebe7e7a6a6919a7d66deffb141ec28737bd72a1f7da8edd330b60 -
• FileHash-SHA256 - a4ffca5f1c3d9c21629fa98a1e91121d954ab9347e86ac3c9613dae61bf30393 -
• hostname - github.ignorelist.com -
• FileHash-SHA256 - b3c9bb22fa1bc358dc23a1a4bdaf85ad1add4d812b107b7ab887affbf689933a -
• hostname - kaspersky.firewall-gateway.net -
• FileHash-SHA256 - 5dade00db195087aa336ce190b5fd1c22992c49556c623b42a9f742d73241a7f -
• FileHash-SHA256 - c7b9e6b5ab07e6da404af9894c8422d9a0c9586334ddc0a3c1ea6bf23ef97fb2 -
• hostname - alma.apple.cloudns.org -
• FileHash-SHA256 - d6d2a77f8ed2fe9fed9ee6dcb4cc0b339ba47a575c717c35815243c752d8f60c -
• hostname - klark.cloudns.in -
• hostname - mm.lenovositegroup.com -
• FileHash-MD5 - 872876cfc9c1535cd2a5977568716ae1 -
• FileHash-SHA256 - e96097826179a66cc3061be0f99f7b55cc9692a6378b5c4364699327823098ab -
• hostname - freeonline.3d-game.com -
• hostname - otcgk.border.cloudns.pw -
• hostname - freeavg.sytes.net -
• FileHash-SHA256 - 435df30d139ccbe5ce4e5ca6fe072e42e96d5ea1efd5317deebce462ecccc7ab -
• hostname - oic-oci.3-a.net -
• FileHash-SHA256 - 47d9ba5f7bf70c5d2b7a832e070957cc7ebdcfd0a6ee75851df16dc45971ce8a -
• FileHash-SHA256 - 5182dc8667432d76a276dc4f864cdfcef3e481783ebaf46d3b1397080b798f4a -
• hostname - islam.youtubesitegroup.com -
• FileHash-SHA256 - a4abbcfdbf4a6c52349a843eac0396e6d8abb05f1324223980d824629a42ef7a -
• hostname - uprnd.flnet.org -

類似Pulses

• Years-long espionage campaign against Tibetans (score: 0.58)
• Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal (score: 0.57)
• Attacks Against the Mongolian Government (score: 0.57)
• PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA’S UNIT 78020 (score: 0.57)
• Chinese Actors attacks on US Government and EU Media (score: 0.56)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る