
G0103 Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries. [1]

ID: G0103
Associated Names: -
Version: 1.0
Created: 12 May 2020
Last Modified: 29 May 2020
Navigation Layer: View in ATT&CK® Navigator

Techniques Used

Domain | ID | Name | Use
enterprise | T1027 | Obfuscated Files or Information | Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached. [1]
enterprise | T1566.002 | Spearphishing Link | Mofang delivered spearphishing emails with malicious links included. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | Mofang's spearphishing emails required a user to click the link to connect to a compromised website. [1]
enterprise | T1204.002 | Malicious File | Mofang's malicious spearphishing attachments required a user to open the file after receiving it. [1]

Software

ID | Name | References | Techniques
S0444 | ShimRat | - | Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Deobfuscate/Decode Files or Information; Event Triggered Execution: Application Shimming; Fallback Channels; File and Directory Discovery; Hijack Execution Flow; Indicator Removal: File Deletion; Ingress Tool Transfer; Masquerading: Masquerade Task or Service; Modify Registry; Native API; Network Share Discovery; Obfuscated Files or Information; Obfuscated Files or Information: Software Packing; Proxy: External Proxy; Scheduled Transfer
S0445 | ShimRatReporter | - | Account Discovery; Application Layer Protocol: Web Protocols; Archive Collected Data; Automated Collection; Automated Exfiltration; Exfiltration Over C2 Channel; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Native API; Obfuscated Files or Information; Permission Groups Discovery; Process Discovery; Software Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery

References