S0444: ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]
Analyst context for executives and security teams
ShimRat is a Windows malware family associated in ATT&CK with Mofang and notable for persistence through Windows Application Shimming. For leaders, the business issue is not just the malware name: its related behaviors span persistence, privilege escalation, discovery, command-and-control resiliency, local data collection, and scheduled exfiltration. That combination is material for environments where Windows endpoints support government, military, critical infrastructure, automobile, or weapons-development operations, as described in the source reporting.
Executive priority
Prioritize ShimRat as a validation case for Windows endpoint resilience and incident readiness rather than as a standalone indicator list. Executives should ask whether the organization can prove visibility into application shims, registry persistence, Windows services, command-shell activity, web-based outbound communications, proxy-like C2 patterns, local and network-share discovery, and file deletion. This supports budget and audit decisions around endpoint logging, managed detection, IR evidence preservation, and protection of sensitive operational or engineering data.
Technical view
ATT&CK provides no official detection text for ShimRat, so SOC and detection engineering should work from the mapped behaviors. Validate coverage on Windows for Application Shimming, Registry Run Keys/Startup Folder, Windows Service creation or modification, Modify Registry, UAC bypass-related elevation signals, Windows Command Shell execution, Native API-adjacent suspicious process behavior, execution-flow hijacking, file and directory discovery, network share discovery, tool transfer, web-protocol C2, fallback channels, external proxy use, scheduled transfer, software packing, compression, deobfuscation, and file deletion. Treat these as behavior clusters: persistence plus discovery plus outbound web communications plus cleanup is more decision-useful than any single event.
Likely telemetry
- Windows endpoint process creation and command-line logging
- Windows Registry modification events, including Run keys and service configuration paths
- Application Compatibility / shim database and shim installation or modification evidence
- Windows service creation, modification, and start events
- File creation, deletion, archive/compression, and suspicious executable metadata
Detection direction
- Build detections around combinations of mapped techniques rather than the malware name alone, since no official ATT&CK detection guidance is provided.
- Validate visibility into Windows Application Shimming because the official description highlights extensive use of shimming for persistence.
- Tune for suspicious service names, service paths, and task/service masquerading while accounting for legitimate administrative and software-management activity.
- Correlate registry persistence changes with new binaries, command-shell execution, and outbound web communications.
- Review outbound web traffic for resilient or alternate C2 patterns, including fallback channels and external proxy-like behavior, while baselining normal proxy and update traffic.
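The cluster-based approach recommended above can be made concrete as a small correlation routine. The script below is an added illustration, not code from the ATT&CK object, the FOX-IT report, or Glexia: it classifies constructed Windows endpoint events (field names loosely modelled on Sysmon-style process, registry, service, network and file records; host names, paths, service names and allowlists are all hypothetical) into behavior tags, groups them per host inside a time window, and fires only when a persistence tag co-occurs with outbound web traffic from an unexpected binary and either command-shell execution or file cleanup. The shim locations under `AppCompatFlags\Custom` / `AppCompatFlags\InstalledSDB` and the `sdbinst.exe` installer are standard Windows application-compatibility artifacts rather than values taken from this page. The first sample host shows an administrator installing a vendor shim while an updater talks HTTPS, which stays silent; the second shows the full cluster and produces a finding.

```python
"""Behavior-cluster correlation over constructed Windows endpoint events.

Added example: the events, hosts, paths and allowlists below are constructed
for illustration and are not telemetry from any real ShimRat incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry locations that indicate a persistence write (general Windows
# facts: shim databases, autorun keys, service configuration).
PERSISTENCE_KEYS = {
    "persistence.shim": ("\\appcompatflags\\custom\\", "\\appcompatflags\\installedsdb\\"),
    "persistence.runkey": ("\\currentversion\\run\\", "\\currentversion\\runonce\\"),
    "persistence.service": ("\\currentcontrolset\\services\\",),
}
PERSISTENCE = set(PERSISTENCE_KEYS)

# Constructed allowlists: binaries expected to originate HTTP(S) traffic and
# parents from which an interactive cmd.exe is normal. Tune to your estate.
EXPECTED_WEB_IMAGES = {r"c:\program files\vendor\updater.exe"}
SHELL_PARENT_ALLOW = {r"c:\windows\explorer.exe"}

# Constructed sample telemetry (hypothetical; not from the source reporting).
SAMPLE_EVENTS = [
    # WS01: benign administrator shim install, then a vendor updater over 443.
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "kind": "process",
     "image": r"C:\Windows\System32\sdbinst.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "kind": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\legacyapp.exe"},
    {"ts": "2024-03-01T09:10:00", "host": "WS01", "kind": "network",
     "image": r"C:\Program Files\Vendor\updater.exe", "dst_port": 443},
    # WS02: shim + Run key + service persistence, cmd.exe from an unusual
    # parent, HTTP from a binary posing as an AV helper, then self-cleanup.
    {"ts": "2024-03-01T13:00:00", "host": "WS02", "kind": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{constructed-guid}"},
    {"ts": "2024-03-01T13:00:02", "host": "WS02", "kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc"},
    {"ts": "2024-03-01T13:00:04", "host": "WS02", "kind": "service_install",
     "service": "AntiVirusHelper", "image": r"C:\ProgramData\avhelper.exe"},
    {"ts": "2024-03-01T13:02:00", "host": "WS02", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\ProgramData\avhelper.exe"},
    {"ts": "2024-03-01T13:03:00", "host": "WS02", "kind": "network",
     "image": r"C:\ProgramData\avhelper.exe", "dst_port": 80},
    {"ts": "2024-03-01T13:20:00", "host": "WS02", "kind": "file_delete",
     "path": r"C:\ProgramData\payload.dat"},
]


def classify(event):
    """Map one raw event to zero or more behavior tags."""
    tags = set()
    kind = event["kind"]
    if kind == "registry":
        key = event["key"].lower()
        for tag, needles in PERSISTENCE_KEYS.items():
            if any(needle in key for needle in needles):
                tags.add(tag)
    elif kind == "service_install":
        tags.add("persistence.service")
    elif kind == "process":
        image = event["image"].lower()
        parent = event.get("parent", "").lower()
        if image.endswith("\\sdbinst.exe"):
            tags.add("persistence.shim")  # shim database installer
        if image.endswith("\\cmd.exe") and parent not in SHELL_PARENT_ALLOW:
            tags.add("execution.cmdshell")
    elif kind == "network":
        if event.get("dst_port") in (80, 443) and event["image"].lower() not in EXPECTED_WEB_IMAGES:
            tags.add("c2.web")  # web-protocol traffic from an unexpected binary
    elif kind == "file_delete":
        if event["path"].lower().endswith((".exe", ".dll", ".sdb", ".dat")):
            tags.add("cleanup.delete")
    return tags


def matches_shimrat_cluster(tags):
    """Persistence + outbound web + (command shell or cleanup) on one host."""
    return (bool(tags & PERSISTENCE) and "c2.web" in tags
            and bool(tags & {"execution.cmdshell", "cleanup.delete"}))


def correlate(events, window=timedelta(minutes=30)):
    """Greedily cluster each host's events by time and evaluate the rule."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev))
    findings = []
    for host, items in by_host.items():
        items.sort(key=lambda pair: pair[0])
        clusters = []
        for ts, ev in items:
            if clusters and ts - clusters[-1]["start"] <= window:
                clusters[-1]["end"] = ts
                clusters[-1]["tags"] |= classify(ev)
            else:
                clusters.append({"start": ts, "end": ts, "tags": classify(ev)})
        for c in clusters:
            if matches_shimrat_cluster(c["tags"]):
                findings.append({"host": host, "start": c["start"].isoformat(),
                                 "end": c["end"].isoformat(), "tags": sorted(c["tags"])})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["start"], finding["end"], ", ".join(finding["tags"]))
```

The allowlists are the baselining step the bullet list calls for: the same shim-install and HTTPS activity on WS01 would be noisy as single-event alerts but never satisfies the cluster rule, while WS02 is flagged once with every contributing behavior listed for the analyst.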
Mitigation priorities
- Confirm Windows endpoint logging and retention are sufficient before an incident; ShimRat-related behaviors depend heavily on host evidence.
- Harden and monitor persistence surfaces: application shims, registry autoruns, and Windows services.
- Restrict unnecessary administrative privileges and validate controls relevant to UAC bypass risk and privileged service or registry changes.
- Apply application control or execution control where feasible, with monitoring for execution-flow hijacking attempts.
- Limit and monitor outbound web access, proxy use, and unusual external communications from endpoints that should not initiate such traffic.
Analyst notes and limits
ATT&CK identifies ShimRat as used by Mofang and describes campaigns targeting multiple countries and sectors. The object’s most distinctive defensive lead is Windows Application Shimming for persistence. The mapped techniques provide a practical hunt and control-validation plan across persistence, privilege escalation, execution, discovery, collection, command and control, exfiltration timing, and stealth.
The supplied ATT&CK object has no official detection section, no aliases, no explicit malware tactics listed, and only Windows as the malware platform. Technique relationship descriptions include other platforms, but platform-specific conclusions for ShimRat should be limited to Windows unless local intelligence supports more. This summary does not assert current activity, customer exposure, or guaranteed detection coverage.
ShimRat
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | ShimRat can download additional files. [1] |
| Enterprise | T1090.002 | External Proxy Sub-technique | ShimRat can use pre-configured HTTP proxies. [1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Account Control window from appearing. [1] |
| Enterprise | T1574 | Hijack Execution Flow | ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | ShimRat has installed a registry-based start-up key. |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems. [1] |
| Enterprise | T1029 | Scheduled Transfer | ShimRat can sleep when instructed to do so by the C2. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ShimRat communicated over HTTP and HTTPS with C2 servers. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | ShimRat can be issued a command shell function from the C2. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system. [1] |
| Enterprise | T1546.011 | Application Shimming Sub-technique | ShimRat has installed shim databases in the |
| Enterprise | T1008 | Fallback Channels | ShimRat has used a secondary C2 location if the first was unavailable. [1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1027.015 | Compression Sub-technique | ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file. [1] |
| Enterprise | T1106 | Native API | ShimRat has used Windows API functions to install the service and shim. [1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | ShimRat has installed a Windows service to maintain persistence on victim machines. [1] |
| Enterprise | T1135 | Network Share Discovery | ShimRat can enumerate connected drives for infected host machines. [1] |
| Enterprise | T1005 | Data from Local System | ShimRat has the capability to upload collected files to a C2. [1] |
| Enterprise | T1083 | File and Directory Discovery | ShimRat can list directories. [1] |
| Enterprise | T1112 | Modify Registry | ShimRat has registered two registry keys for shim databases. [1] |
Groups, software, and campaigns
G0103: Mofang
Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c0a792afac65… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FOX-IT May 2016 Mofang: Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- [2] mitre-attack S0444
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.