Clankerusecase
Threat-actor profile

Mofang

Mofang is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 6 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- 14 use cases
- 0 articles
- 6 techniques
- 0 IOCs

About this actor (MITRE)

[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Known aliases

Mofang

Top techniques

All other tracked techniques

Detection use cases (14)

- Mofang spearphishing-attachment chain: Office app spawns loader from compressed/encrypted dropper (AI · profile S)
- Mofang lookalike-infrastructure click: spearphishing link to a domain impersonating the victim org (AI · profile S)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Click on URL whose host doesn't match the sender domain (MITRE match)
- Email attachment opened from external sender (MITRE match)
- Phishing-link click correlated to endpoint execution (MITRE match)
- User clicked through a Safe Links warning page (MITRE match)
- Azure AD Device Code Authentication (MITRE match)