>samit_hota
Back to adversary profiles
G0002HighUnknown

Moafee (G0002): Profile of a Chinese Espionage Threat Actor

Samit Hota·
Suspected Origin
China (Guangdong Province)
Motivation
Espionage, Information Theft
Aliases
None documented
Target Sectors
Government, Military, Defense Industrial Base
Associated Malware
PoisonIvy, HTran, Mongall, NFlog, NewCT/NewCT2
#threat-actor#g0002

Overview

Moafee, identified by MITRE ATT&CK as G0002, is a sophisticated threat group believed to operate from China’s Guangdong Province. This actor is primarily driven by objectives of information theft and espionage, aligning with national interests, particularly concerning the geopolitically significant South China Sea region. Moafee’s operational focus extends to governments and military organizations of countries with vested interests in the South China Sea, as well as entities within the US defense industrial base. The South China Sea itself is a critical area due to ongoing sovereignty disputes, its status as the world’s second-busiest sea-lane, and its rich reserves of natural resources, including rare earth metals, crude oil, and natural gas.

A notable aspect of Moafee’s operational history is its close relationship with another China-linked threat group, DragonOK (G0017). Analysts have observed significant overlaps in their tactics, techniques, and procedures (TTPs), including the use of similar custom tools. This strong resemblance has led researchers to hypothesize various connections between the two groups, such as direct collaboration, shared training regimens, or a common supply chain for their malicious toolkits, potentially indicative of a “production line” approach to cyber operations. While Moafee and DragonOK have historically operated from different regions within China, their intertwined methodologies underscore a coordinated or at least mutually beneficial cyber espionage ecosystem.

Tactics & Techniques

Moafee employs a range of tactics and techniques characteristic of state-sponsored espionage groups, often demonstrating a focus on stealth and persistence. Initial access into target networks typically involves the use of spear phishing emails, a common method for delivering malicious payloads and compromising credentials. To enhance the evasiveness of their operations, Moafee has been observed utilizing password-protected documents and unusually large file sizes to obscure their malicious content from immediate detection.

A specific technique identified in Moafee’s arsenal is binary padding (T1027.001), which is used for obfuscating files and information, making forensic analysis more challenging. For maintaining anonymity and evading geographical tracking, the group leverages proxy tools such as the HUC Packet Transmit Tool (HTRAN) to disguise their origin points. Once inside a network, the malware deployed by Moafee, notably PoisonIvy, exhibits a broad array of capabilities. These include common post-exploitation activities such as keylogging, screen and video capturing, and file transfer. Further, PoisonIvy facilitates application window discovery, establishes persistence through boot or logon autostart execution mechanisms like Registry Run Keys/Startup Folder and Active Setup, and utilizes the Windows Command Shell for command and scripting interpretation. It can create or modify Windows Services for persistence, collect data from local systems, stage data locally before exfiltration, and establish encrypted command and control (C2) channels using symmetric cryptography. The malware also employs execution guardrails, ingress tool transfer, registry modification, process injection (specifically Dynamic-link Library Injection), and incorporates rootkit functionalities to hide its presence.

Notable Campaigns

While comprehensive public details on specific, named Moafee-only campaigns are not extensively documented beyond early analyses, the group’s activities were notably highlighted in a 2014 FireEye report. This research, “The Path to Mass-Producing Cyber Attacks,” was instrumental in establishing the operational links and shared TTPs between Moafee and DragonOK. During this period, FireEye monitored Moafee’s activities between January and March 2014, observing their targeting of military and government entities with interests in the South China Sea and the US defense industrial base.

Although specific campaign names attributed solely to Moafee remain less prominent in public reporting compared to some other advanced persistent threat (APT) groups, the analytical work from 2014 provides a foundational understanding of their operational methodology and strategic objectives. The enduring reference to this early analysis within current threat intelligence frameworks suggests its continued relevance in understanding a facet of China-linked cyber espionage.

Associated Malware & Tools

Moafee utilizes a distinct set of malware and tools, some of which are shared with its closely associated group, DragonOK, indicating a potential shared development or supply chain.

Key malware and tools include:

  • PoisonIvy: This is a widely available Remote Access Trojan (RAT) that Moafee has extensively deployed. It provides adversaries with robust capabilities such as keylogging, capturing screenshots and video, and facilitating file transfers.
  • HUC Packet Transmit Tool (HTRAN): A proxy tool used by Moafee and DragonOK to obfuscate their true geographical location and to tunnel network traffic, thereby complicating attribution and network defense efforts.
  • Mongall: This is a custom-developed Remote Access Trojan (RAT) observed in Moafee’s operations. The custom nature of Mongall, along with NFlog and NewCT/NewCT2, suggests a dedicated development effort or access to exclusive toolsets.
  • NFlog: Another custom RAT associated with Moafee. Notably, “IsSpace” has been identified as an evolution of the NFlog backdoor, a tool also used by both Moafee and DragonOK, underscoring their ongoing shared tool development or access.
  • CT/NewCT/NewCT2: These refer to a family of custom Remote Access Trojans that Moafee has utilized. Like Mongall and NFlog, their customized nature implies internal development or limited distribution, making them more difficult for general threat intelligence to track beyond these specific groups.

The continued use and evolution of these tools, particularly the shared and custom RATs, highlight a persistent and adaptive adversary focused on long-term espionage objectives.

Current Status

As of recent tracking, Moafee (G0002) continues to be recognized and monitored within threat intelligence frameworks, with its entry in the MITRE ATT&CK knowledge base last modified in April 2025. While specific, recent campaigns directly and exclusively attributed to “Moafee” beyond the 2014 FireEye reporting are not prominently detailed in public analysis, its deep operational ties and shared toolset with DragonOK are crucial for understanding its contemporary relevance.

DragonOK, the threat group with significant TTP and tool overlap with Moafee, has been noted for its continued activity, with reports in 2017 indicating it was actively updating its tools and tactics. DragonOK’s targets included various organizations in Japan, Taiwan, Tibet, and Russia, spanning sectors like manufacturing, technology, energy, and higher education. The evolution of shared malware, such as “IsSpace” emerging as a successor to NFlog (used by both groups), suggests that the underlying capabilities and the threat posed by this collective, or its derived entities, persist.

Given the continuous tracking by MITRE and the ongoing evolution and activity of its closely linked counterpart, DragonOK, it is reasonable to infer that the capabilities and threat associated with Moafee, perhaps under a different operational guise or as part of a broader, interconnected cyber espionage effort, remain a concern. While a definitive “active” status for Moafee as a standalone entity with recent dedicated campaigns is not explicitly asserted in all public records, the historical context and ongoing shared operational indicators suggest that the underlying threat intelligence derived from Moafee’s activities remains pertinent for defenders.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call