Introduction
Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries. FOX-IT May 2016 Mofang
Activities and Tactics
Targeted Sectors: Government, Private sector
Country of Origin: China
Risk Level: High
First Seen: 2016
Last Activity: 2016
Incident Type: Espionage
Suspected Victims: Myanmar, Germany, Singapore, Canada, India, United States, South Korea
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1566.002 Spearphishing Link
- T1204.001 Malicious Link
- T1566.001 Spearphishing Attachment
- T1027.013 Encrypted/Encoded File
- T1204.002 Malicious File
- T1027.015 Compression
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- MobileOrder
- China Chopper
- CyberGate
- Cyber Eye RAT
MITRE ATT&CK Software
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[2] FOX-IT May 2016 Mofang: Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.