MITRE ATT&CK® Group

G0103: Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.[1]

Enterprise | G0103 | Group | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Mofang matters because ATT&CK describes it as a likely China-based espionage group associated with focused targeting of government, critical infrastructure, military, automobile, and weapons-related sectors, and with a practice of imitating victim infrastructure. For leaders, the practical issue is not just malware names; it is whether email security, endpoint visibility, and incident response processes can recognize targeted phishing, user-driven execution, obfuscated payloads, and environment-specific follow-on activity.

Executive priority

Prioritize validation of controls around targeted email, user execution, endpoint investigation, and Windows persistence visibility where ShimRat-related risk is relevant. Organizations in government, critical infrastructure, military, automobile, and weapons development sectors should use this object as a threat-informed planning input for resilience reviews, executive tabletop scenarios, and evidence that phishing, endpoint, and IR controls are tested against espionage-style tradecraft rather than only commodity malware.

Technical view

ATT&CK provides no group-level detection text and no group-level platforms or tactics, so defenders should pivot from the documented relationships. Mofang is linked to ShimRat and ShimRatReporter, both Windows-related software entries, and to spearphishing attachments, spearphishing links, malicious files, malicious links, encrypted/encoded files, and compression. SOC teams should validate coverage across email delivery, URL and attachment handling, user execution events, endpoint file creation, archive handling, encoded or encrypted payload indicators, and Windows persistence investigation related to Application Shimming where ShimRat is in scope.

Likely telemetry

  • Email gateway and mail security logs for targeted attachments and links
  • URL click, web proxy, DNS, and secure web gateway logs for suspicious link-following behavior
  • Endpoint process execution and parent-child process telemetry associated with user-opened files or link-driven execution
  • Endpoint file creation, archive extraction, and compressed file handling telemetry
  • Detection evidence for encoded, encrypted, or otherwise obfuscated files

Detection direction

  • Do not rely on a single Mofang-specific analytic; ATT&CK does not provide official detection guidance for this group object.
  • Validate layered detection for the related techniques: spearphishing attachment, spearphishing link, malicious file execution, malicious link execution, encrypted or encoded files, and compression.
  • Tune email and web detections for targeted social engineering while accounting for false positives from legitimate business links, attachments, archives, and encoded content.
  • Confirm whether endpoint controls and SOC playbooks can connect email events to subsequent user execution and host artifacts.
  • Where ShimRat is a concern, validate Windows persistence hunting coverage related to Application Shimming using the related software description as context.
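As an added illustration of the "connect email events to subsequent user execution and host artifacts" point (this is example code, not part of the ATT&CK object or Glexia's analysis), the Python below links a mail-gateway event to same-user endpoint events inside a time window and labels each step with the technique IDs from the relationship table on this page. The sample events, their field names, the 15-minute window and the use of a shim-database install as the persistence signal are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page). One mail-gateway record per user,
# then endpoint records; a real pipeline would pull both from the SIEM.
MAIL_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "user": "alice", "kind": "attachment", "name": "invoice.zip"},
    {"ts": "2024-03-04T11:00:00", "user": "bob", "kind": "link", "name": "hxxp://example.invalid/doc"},
]
ENDPOINT_EVENTS = [
    {"ts": "2024-03-04T09:03:10", "user": "alice", "kind": "archive_extract", "name": "invoice.zip"},
    {"ts": "2024-03-04T09:03:25", "user": "alice", "kind": "process", "name": "invoice.exe", "parent": "explorer.exe"},
    {"ts": "2024-03-04T09:04:00", "user": "alice", "kind": "process", "name": "sdbinst.exe", "parent": "invoice.exe"},
    {"ts": "2024-03-04T16:00:00", "user": "bob", "kind": "process", "name": "chrome.exe", "parent": "explorer.exe"},
]

# Technique IDs come from the relationship table on this page. The shimming label
# follows the ShimRat description; the page gives no ATT&CK ID for it, so none is used.
DELIVERY = {"attachment": "T1566.001", "link": "T1566.002"}
EXECUTION = {"attachment": "T1204.002", "link": "T1204.001"}
USER_LAUNCHERS = ("explorer.exe", "outlook.exe")  # assumed parents of user-opened files


def correlate(mail_events, endpoint_events, window_minutes=15):
    """Return one chain per mail event that is followed, for the same user and
    within the window, by host activity. Each chain lists technique IDs in time order.
    Mail events with no host follow-up are dropped: they stay email-only alerts."""
    window = timedelta(minutes=window_minutes)
    chains = []
    for mail in mail_events:
        start = datetime.fromisoformat(mail["ts"])
        followups = sorted(
            (e for e in endpoint_events
             if e["user"] == mail["user"]
             and start <= datetime.fromisoformat(e["ts"]) <= start + window),
            key=lambda e: e["ts"])
        if not followups:
            continue
        techniques = [DELIVERY[mail["kind"]]]
        for e in followups:
            if e["kind"] == "archive_extract":
                techniques.append("T1027.015")          # compressed attachment unpacked
            elif e["kind"] == "process" and e.get("parent") in USER_LAUNCHERS:
                techniques.append(EXECUTION[mail["kind"]])  # user ran the file / followed the link
            elif e["kind"] == "process" and e["name"].lower() == "sdbinst.exe":
                techniques.append("Application Shimming persistence")
        chains.append({"user": mail["user"], "mail": mail["name"], "techniques": techniques})
    return chains


if __name__ == "__main__":
    for chain in correlate(MAIL_EVENTS, ENDPOINT_EVENTS):
        print(chain)
```

Bob's link event produces no chain because his only host activity falls outside the window, which is the "isolated email event" case the analyst notes warn about; tune the window to your mail-to-endpoint clock skew before relying on it.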

Mitigation priorities

  • Start with phishing resilience: attachment and link inspection, user reporting paths, and rapid triage of suspected targeted emails.
  • Strengthen endpoint prevention and monitoring for user-launched files, suspicious archive use, and obfuscated payloads.
  • Ensure Windows persistence review procedures include Application Shimming when investigating ShimRat-related leads.
  • Improve IR readiness by predefining how analysts correlate email, web, endpoint, and identity/office-suite evidence during suspected spearphishing incidents.
  • For higher-risk sectors named by ATT&CK, include Mofang-related behaviors in threat-informed control validation, tabletop exercises, and audit evidence packages.

Analyst notes and limits

The decision value is in using Mofang as a focused threat-informed test case for targeted espionage behaviors: phishing-led access, user execution, obfuscation, and tailored follow-on tooling. The supplied relationships indicate ShimRatReporter performs initial discovery used to customize follow-on payloads and faux infrastructure, reinforcing the need to preserve early-stage telemetry and not treat phishing alerts as isolated email events.

This take is limited to the supplied ATT&CK fields, references, and relationships. The group object has no official detection text, no specified platforms, and no specified tactics. Local relevance depends on sector, exposed users, email and endpoint telemetry quality, and whether ShimRat or related behaviors are present in the environment.

Official MITRE ATT&CK definition

Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Mofang delivered spearphishing emails with malicious links included.[1]
Enterprise | T1204.001 | Malicious Link (sub-technique) | Mofang's spearphishing emails required a user to click the link to connect to a compromised website.[1]
Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.[1]
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Mofang has encrypted payloads before they are downloaded to victims.[1]
Enterprise | T1204.002 | Malicious File (sub-technique) | Mofang's malicious spearphishing attachments required a user to open the file after receiving.[1]
Enterprise | T1027.015 | Compression (sub-technique) | Mofang has compressed the ShimRat executable within malicious email attachments.[1]

Associated objects

Groups, software, and campaigns

S0445: ShimRatReporter (Tool; Enterprise; platform: Windows)

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[1]

S0444: ShimRat (Malware; Enterprise; platform: Windows)

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence.[1]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created
Modified
Raw hash: 4b013c7845ad962b...

Imported snapshots across ATT&CK releases (1):
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 4b013c7845ad…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FOX-IT May 2016 Mofang. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  2. [2] mitre-attack G0103.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.