RedMimicry is currently not publicly available. Contact me directly in case you know me personally and want access.
[v1.0.4] RedMimicry - Winnti Emulation
This RedMimicry release emulates the behavior of the Winnti version from around 2015.
Emulated behavior includes, among other things:
- network traffic encoding
- original “Cooper” loader with RedMimicry agent payload
- payload injection in svchost process
- event creation
If you discover a bug or unexpected behavior, feel free to send me an email to
Known issues in this release:
- the shell command can only handle ANSI input
- frontend in Safari broken
- disable_sysmon does not work on older Sysmon versions (tested with Sysmon 11.10)
You can download signatures matching the Winnti IOCs as well as the RedMimicry agent payload below.