>samit_hota
Back to adversary profiles
G0103HighActive

Mofang (G0103): Persistent Cyber Espionage Operations

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Information Theft, Economic Gain, Geopolitical Influence
Aliases
None documented
Target Sectors
Government, Critical Infrastructure, Military, Automotive, Weapons Industries, Defense, Engineering, Healthcare, Media, Telecommunications
Associated Malware
ShimRat, ShimRatReporter, Mimikatz, Nibatad, Termite, Vcrodat, Living off the Land
#threat-actor#g0103

Overview

Mofang, designated G0103 in the MITRE ATT&CK framework, is a highly effective and likely China-based cyber espionage group that has been operational since at least May 2012. Known for its meticulous preparation and adaptable strategies, Mofang derives its name, meaning “to imitate” (模仿, Mófǎng), from its characteristic practice of mimicking a victim’s infrastructure to evade detection. While primarily focused on government and critical infrastructure in Myanmar, the group’s activities extend to a diverse array of sectors and countries globally, underscoring its broad strategic interests. This adversary is believed to be government-affiliated, with its operations closely aligning with China’s geopolitical and economic objectives, particularly concerning investments and technological advancements perceived as vital to Chinese influence.

Mofang’s motivation is squarely centered on information theft and espionage, aiming to acquire intelligence that provides a strategic advantage for Chinese interests. This includes industrial secrets, political insights, and critical data from government bodies, military installations, and high-tech industries. The group’s targets span critical sectors such as government, military, critical infrastructure, the automotive and weapons industries, defense, engineering, healthcare, media, and telecommunications. Geographically, Mofang has been observed conducting campaigns against organizations in Myanmar, India, Germany, the United States, Canada, Singapore, and South Korea, indicating a wide-ranging intelligence collection mandate.

The group operates under several aliases used by different security vendors, including Whitefly (Symantec), TEMP.Mimic (FireEye), Bronze Walker (SecureWorks), ATK 83 (Thales), SectorM04 (ThreatRecon), and potentially “Superman”. The consistent use of specific tools and distinct attack methodologies across these campaigns strongly suggests a single, unified threat group behind these diverse operations.

Tactics & Techniques

Mofang’s operational methodology highlights a preference for stealth and precision over brute-force exploitation. The group notably avoids relying on zero-day exploits for initial infection, instead leveraging highly effective social engineering tactics to gain initial footholds. This often manifests as spearphishing campaigns, where targets receive malicious emails containing booby-trapped documents (such as PDFs or Excel files) or links. Successful compromise typically hinges on user interaction, requiring the victim to click a malicious link or open an infected attachment.

Once the initial access is established, Mofang employs a methodical, three-stage approach to achieve its objectives:

  1. Compromise for Reconnaissance: The initial intrusion aims to gather critical information about the target’s network infrastructure and internal operations. This reconnaissance phase is crucial for planning subsequent stages.
  2. Faux Infrastructure Setup: To maintain a low profile and avoid detection, Mofang establishes command and control (C2) infrastructure that mimics legitimate services or even aspects of the victim’s own environment. This can involve setting up fake Google mail domains, imitating travel agencies, or leveraging compromised legitimate websites and expired domains for payload staging and C2 communication.
  3. Main Compromise for Action on Objective: With reconnaissance complete and a stable C2 established, the group proceeds to its primary objectives, typically focusing on data exfiltration and maintaining persistent access.

Further technical tactics and techniques include the encryption and compression of payloads before delivery, a measure to hinder detection and analysis. While Mofang generally eschews initial exploitation, its custom malware often incorporates privilege elevation exploits for known vulnerabilities to expand its access within compromised systems. The group also engages in antivirus hijacking techniques to bypass security controls and utilizes “living off the land” (LoL) binaries and scripts to blend in with legitimate network activity.

Notable Campaigns

Mofang has been active for over a decade, with its earliest observed activity dating back to February 2012. One of the most significant and illuminating campaigns attributed to Mofang involved targeted attacks against government and critical infrastructure entities in Myanmar, specifically focusing on the Kyaukphyu Special Economic Zone (SEZ). This campaign is a prime example of how Mofang’s cyber espionage directly aligns with China’s economic and geopolitical interests. Reports indicate that Mofang attacked Myanmar government organizations and CPG Corporation, a Singapore-based firm involved in overseeing foreign investments in the Kyaukphyu SEZ, in mid-2015. This activity occurred prior to China’s CITIC group winning a tender for infrastructure setup in the same SEZ, strongly suggesting that Mofang’s information theft efforts were intended to give Chinese entities a competitive advantage in the bidding process.

Other notable incidents include attacks against exhibitors at the 2013 MSME DEFEXPO in India, and campaigns leveraging lures related to Citrix or documents discussing LED lighting and semiconductor technology, demonstrating the group’s varied targeting and lure development. While not explicitly detailed in primary Mofang reports, some intelligence links “Whitefly, Mofang” to the 2018 SingHealth breach in Singapore, an incident that saw the theft of personal data from 1.5 million patients, including the Prime Minister. This highlights the potential for Mofang or closely related entities to engage in large-scale data exfiltration impacting sensitive public sector data.

Associated Malware & Tools

Mofang maintains a distinct and proprietary toolset, alongside leveraging some commonly available utilities:

  • ShimRat: This is Mofang’s primary remote access Trojan (RAT). ShimRat is notable for its persistence mechanism, which exploits Windows’ “shims” (application compatibility shims) to maintain a foothold on compromised systems. Its development dates back to at least 2012, with continuous improvements observed over the years. Early analysis even led some researchers to initially mistake ShimRat for PlugX due to functional similarities, though further investigation confirmed it as a distinct tool used by Mofang.
  • ShimRatReporter: This companion tool, first identified in late 2014, is used for initial reconnaissance. It collects detailed information about the target organization’s infrastructure and is often responsible for downloading the more potent ShimRat backdoor as a second-stage payload.
  • Mimikatz: Mofang has been observed using this well-known post-exploitation tool to extract credentials from memory, facilitating lateral movement and privilege escalation within a compromised network.
  • Nibatad: Another tool associated with Mofang, its specific functionalities are less publicly detailed but it’s part of the group’s operational toolkit.
  • Termite: Similar to Nibatad, Termite is listed among Mofang’s tools, indicating its role in the group’s various stages of attack.
  • Vcrodat: This malware is also attributed to Mofang, further expanding their custom toolset for covert operations.
  • Living off the Land (LoL) Binaries: Mofang frequently utilizes legitimate system tools and features already present on target systems to perform tasks like discovery, execution, and persistence, making their activities harder to distinguish from normal network behavior.

Current Status

As of recent threat intelligence updates, Mofang (G0103) remains a relevant and actively tracked threat actor. While detailed public reports on specific, novel Mofang campaigns in the last couple of years are not readily available, the group’s profile in the MITRE ATT&CK framework was last modified in April 2024, indicating continued monitoring and assessment of its tactics and relevance. Similarly, “Threat Group Cards” maintains an updated entry for “Whitefly, Mofang” with a last change date of August 2025, suggesting that the intelligence community continues to consider them an active and evolving threat.

The longevity of Mofang’s operations, dating back to 2012, combined with its consistent focus on strategic espionage, implies a well-resourced and persistent adversary. Although their reliance on social engineering rather than zero-day exploits might suggest a less technically advanced approach than some other nation-state groups, their ability to meticulously plan campaigns, establish sophisticated C2 infrastructure, and adapt their lures demonstrates a high level of operational maturity. Organizations in Mofang’s typical target sectors and regions should continue to prioritize robust defenses against social engineering, maintain strong network segmentation, and monitor for indicators associated with ShimRat and other known Mofang tools. The group’s consistent alignment with broader Chinese strategic interests suggests its activities are likely to persist as long as those objectives remain in focus.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call