RedMimicry is currently not publicly available. Contact me directly in case you know me personally and want access.

[v1.0.4] RedMimicry - Winnti Emulation

This RedMimicry release emulates the behavior of the Winnti version from around 2015.

Emulated behavior includes among other things

  • network traffic encoding
  • original “Cooper” loader with RedMimicry agent payload
  • payload injection in svchost process
  • event creation

Known Issues

If you discover a bug or unexpected behavior feel free to send me an email to

  • the shell command can only handle ANSI input
  • frontend in Safari broken
  • disable_sysmon does not work on older Sysmon versions (tested with Sysmon 11.10)


You can download signatures matching the winnti IOCs as well as the RedMimicry agent payload below.