Threat Actor Profile
High APT
Description

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Confidence Score: 90%
Known Aliases: Mofang
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (6)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1027.015 - Compression (Defense Evasion)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
STIX Data
{'aliases': ['Mofang'],
 'created': '2020-05-12T21:23:59.021Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Mofang](https://attack.mitre.org/groups/G0103) is a likely '
                'China-based cyber espionage group, named for its frequent '
                "practice of imitating a victim's infrastructure. This "
                'adversary has been observed since at least May 2012 '
                'conducting focused attacks against government and critical '
                'infrastructure in Myanmar, as well as several other countries '
                'and sectors including military, automobile, and weapons '
                'industries.(Citation: FOX-IT May 2016 Mofang)',
 'external_references': [{'external_id': 'G0103',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0103'},
                         {'description': 'Yonathan Klijnsma. (2016, May 17). '
                                         'Mofang: A politically motivated '
                                         'information stealing adversary. '
                                         'Retrieved May 12, 2020.',
                          'source_name': 'FOX-IT May 2016 Mofang',
                          'url': 'https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf'}],
 'id': 'intrusion-set--88489675-d216-4884-a98f-49a89fcc1643',
 'modified': '2024-04-11T00:41:37.453Z',
 'name': 'Mofang',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}