S0445: ShimRatReporter
ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[1]
Analyst context for executives and security teams
ShimRatReporter matters because MITRE describes it as a Windows tool used to automatically profile a victim environment before follow-on activity. That discovery can help an adversary tailor payloads, imitate victim infrastructure, collect data, and move information out over command-and-control communications. For leaders, the key issue is not one malware name; it is whether the organization can see early automated discovery and small preparatory exfiltration before a more customized intrusion unfolds.
Executive priority
Prioritize this as a readiness and validation item for environments where Windows endpoint visibility, identity enumeration monitoring, and outbound web traffic controls are uneven. The ATT&CK context links the tool to suspected Mofang activity and sectors including government, military, critical infrastructure, automobile, and weapons development, so organizations with similar mission profiles should ask whether SOC and IR teams can prove coverage for discovery, collection, tool transfer, and exfiltration behaviors—not just known indicators.
Technical view
The object has no official MITRE detection text, so defensive value comes from validating the related behaviors: system/network configuration discovery, network connection discovery, process/software/system/account/permission group discovery, automated collection, archiving, ingress tool transfer, web-protocol C2, exfiltration over C2, obfuscation, masquerading as legitimate resources, and native API use. On Windows, teams should correlate unusual bursts of host and identity discovery with new or renamed executables, archive creation, inbound tool staging, and outbound HTTP/S-like traffic to untrusted infrastructure. Treat legitimate administrative inventory and management activity as the main false-positive baseline to document and tune against.
Likely telemetry
- Windows endpoint process creation, parent/child process, image path, file creation, rename, and archive activity
- EDR or host telemetry that can expose native API-driven execution or behavior even when command-line evidence is limited
- Network connection and proxy logs for outbound web-protocol communications and unusual egress patterns
- DNS and destination reputation/context for external infrastructure contacted by newly observed processes
- Identity and directory audit logs for account and permission group enumeration where applicable
Detection direction
- Build detections around behavior chains rather than the tool name alone: automated discovery followed by collection, archive creation, and outbound communications is higher value than any single command or file event.
- Baseline approved administrative discovery and inventory tools to reduce false positives from IT operations, vulnerability scanning, and endpoint management.
- Validate visibility for masquerading and location/name abuse, especially executables placed in trusted-looking paths or named like legitimate resources.
- Check whether web traffic inspection, proxy logging, and endpoint-to-network correlation can identify suspicious C2-style communications without relying on content inspection alone.
- Confirm IR can reconstruct what was enumerated and what may have been collected or exfiltrated, since the tool is described as shaping follow-on payloads and infrastructure.
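The behavior chain the list above describes (automated discovery, then archive creation, then an HTTP POST from the same process) can be correlated directly in endpoint telemetry. The following is an added example, not code from MITRE or from the tool this page describes; the event schema, the 10-minute window, the three-action threshold, and all hosts, PIDs, paths and addresses are constructed placeholders.

```python
from collections import defaultdict, namedtuple

# ts: seconds on a constructed clock; kind: "discovery" | "archive" | "http_post";
# detail: command run, archive path written, or destination URL of the POST.
Event = namedtuple("Event", "ts host pid kind detail")

def detect_chains(events, window=600, min_discovery=3):
    """Flag (host, pid, url) where one process ran >= min_discovery distinct
    discovery actions, then wrote an archive, then issued an HTTP POST, all
    within `window` seconds of the first discovery action (order enforced)."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.host, e.pid)].append(e)
    hits = []
    for (host, pid), evs in by_proc.items():
        first_ts, seen, archived = None, set(), False
        for e in sorted(evs, key=lambda x: x.ts):
            if first_ts is not None and e.ts - first_ts > window:
                first_ts, seen, archived = None, set(), False  # window expired, restart
            if e.kind == "discovery":
                first_ts = e.ts if first_ts is None else first_ts
                seen.add(e.detail)
            elif e.kind == "archive" and len(seen) >= min_discovery:
                archived = True          # archive only counts after enough discovery
            elif e.kind == "http_post" and archived:
                hits.append((host, pid, e.detail))
                break                    # one alert per process is enough
    return hits

# Constructed telemetry; 203.0.113.10 is a TEST-NET-3 documentation address.
SAMPLE_EVENTS = [
    Event(1000, "HOST-A", 4412, "discovery", "ipconfig /all"),      # full chain: should fire
    Event(1003, "HOST-A", 4412, "discovery", "netstat -ano"),
    Event(1005, "HOST-A", 4412, "discovery", "tasklist"),
    Event(1020, "HOST-A", 4412, "archive", "C:\\Users\\Public\\rpt.lz"),
    Event(1045, "HOST-A", 4412, "http_post", "http://203.0.113.10/upload"),
    Event(2000, "HOST-B", 800, "discovery", "systeminfo"),           # inventory agent: no archive
    Event(2002, "HOST-B", 800, "discovery", "wmic product get name"),
    Event(2004, "HOST-B", 800, "discovery", "tasklist"),
    Event(2010, "HOST-B", 800, "http_post", "https://inventory.example.internal/api"),
    Event(3000, "HOST-C", 512, "discovery", "ipconfig /all"),       # one action only: below threshold
    Event(3010, "HOST-C", 512, "archive", "C:\\temp\\backup.zip"),
    Event(3020, "HOST-C", 512, "http_post", "https://backup.example.internal/put"),
    Event(5000, "HOST-D", 910, "discovery", "ipconfig /all"),       # chain too slow: window expires
    Event(5001, "HOST-D", 910, "discovery", "netstat -ano"),
    Event(5002, "HOST-D", 910, "discovery", "tasklist"),
    Event(5700, "HOST-D", 910, "archive", "C:\\temp\\slow.lz"),
    Event(5710, "HOST-D", 910, "http_post", "http://203.0.113.10/upload"),
]
```

HOST-B is the approved-inventory false-positive case the page asks teams to baseline: discovery followed by a POST, but no archive step, so it does not fire. Tuning `min_discovery` and `window` against your own telemetry is the point of the exercise.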
Mitigation priorities
- Improve Windows endpoint monitoring and response coverage for discovery, file staging, archiving, and suspicious outbound connections.
- Restrict unauthorized execution and tool transfer through application control, least privilege, and controlled administrative tooling where feasible.
- Limit and log outbound web traffic through managed egress points so unusual host-to-internet communications can be investigated.
- Harden identity exposure by reviewing permissions, reducing unnecessary group visibility/privilege, and monitoring account and group enumeration.
- Prepare incident response playbooks to preserve endpoint, identity, proxy, DNS, and file-system evidence when automated discovery or exfiltration indicators appear.
Analyst notes and limits
MITRE identifies ShimRatReporter as used by suspected Chinese adversary Mofang for initial discovery, with discovery output used to customize follow-on payloads such as ShimRat and to set up faux infrastructure mimicking targets. Relationship context expands the defensive lens across discovery, collection, command-and-control, exfiltration, stealth, execution, and tool transfer behaviors.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or object-level tactics. The platform supplied for the software is Windows; related techniques list broader platforms, but those should not be treated as proof that this tool operates on them. Local telemetry, baselines, and incident evidence are required to determine actual exposure or detection coverage.
ShimRatReporter
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | ShimRatReporter sent generated reports to the C2 via HTTP POST requests. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | ShimRatReporter had the ability to download additional payloads. [1] |
| Enterprise | T1049 | System Network Connections Discovery | ShimRatReporter used the Windows function |
| Enterprise | T1518 | Software Discovery | ShimRatReporter gathered a list of installed software on the infected host. [1] |
| Enterprise | T1087 | Account Discovery | ShimRatReporter listed all non-privileged and privileged accounts available on the machine. [1] |
| Enterprise | T1560 | Archive Collected Data | ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | ShimRatReporter spoofed itself as |
| Enterprise | T1016 | System Network Configuration Discovery | ShimRatReporter gathered the local proxy, domain, IP, routing tables, MAC address, gateway, DNS servers, and DHCP status information from an infected host. [1] |
| Enterprise | T1069 | Permission Groups Discovery | ShimRatReporter gathered the local privileges for the infected host. [1] |
| Enterprise | T1082 | System Information Discovery | ShimRatReporter gathered the operating system name and specific Windows version of an infected machine. [1] |
| Enterprise | T1020 | Automated Exfiltration | ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | ShimRatReporter communicated over HTTP with preconfigured C2 servers. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key. [1] |
| Enterprise | T1119 | Automated Collection | ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine; the information is compiled into a report and sent to the operators. [1] |
| Enterprise | T1106 | Native API | ShimRatReporter used several Windows API functions to gather information from the infected system. [1] |
| Enterprise | T1057 | Process Discovery | ShimRatReporter listed all running processes on the machine. [1] |
Groups, software, and campaigns
G0103: Mofang
Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 483e12d53731… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FOX-IT May 2016 Mofang. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
[2] mitre-attack S0445.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.