In order to prevent abuse access is only possible after a small vetting process. Additionally the server and agent components contain a watermark generated from the license holder information.

To request access to RedMimicry please send an email from a non-freemailer address to [PGP] with a few sentences or references on your IT security background.

This is only a side project of mine and if I am busy it may take a few days until you get a response to your access request.

The information provided will not be forwarded to any third party and will be deleted immediately after the vetting process. Merely a SHA256 hash of your email address will be retained to fast-track update requests.

After a successfull vetting you will receive the latest personalized RedMimicry build by email.

In order to request an updated version simply send an email from the same address as your first request and you will receive the latest version.

[v1.0.4] RedMimicry - Winnti Emulation

This RedMimicry release emulates the behavior of the Winnti version from around 2015.

Emulated behavior includes among other things

  • network traffic encoding
  • original “Cooper” loader with RedMimicry agent payload
  • payload injection in svchost process
  • event creation

Known Issues

If you discover a bug or unexpected behavior feel free to send me an email to

  • the shell command can only handle ANSI input
  • frontend in Safari broken
  • disable_sysmon does not work on older Sysmon versions (tested with Sysmon 11.10)


You can download signatures matching the winnti IOCs as well as the RedMimicry agent payload below.