Chinese Attackers Conduct Cyberespionage for Economic Gain

Chinese Cyberspies Target Myanmar and Other Countries

A threat group believed to be affiliated with the Chinese government has been conducting cyber espionage operations against Myanmar and other countries for economic gain.

The actor, dubbed “Mofang” by Dutch security firm Fox-IT, has targeted entities in Myanmar, India, Germany, Canada, the United States, Singapore, South Korea and likely other countries since at least February 2012. The attacks have focused on government, military, critical infrastructure, automotive and weapons organizations.

Many of Mofang’s attacks targeted organizations in Myanmar, but one of the most recent campaigns against the country appears to show exactly what type of leverage a nation-state can gain by conducting cyberespionage.

The operation in question was related to Myanmar’s Kyaukphyu special economic zone (SEZ), where China’s National Petroleum Corporation (CNPC) had been investing since 2009 after signing a memorandum of understanding with the government.

In March 2014, the government of Myanmar announced that Singapore-based CPG Corporation had won a consulting tender that put it in charge of overseeing foreign investments in the Kyaukphyu SEZ. In the same year, CPG Corp. and the Myanmar government initiated another tender for setting up infrastructure in this SEZ, and in early 2016 it was announced that China’s CITIC group had won it.

Before CITIC was declared the winner, in mid-2015, Mofang was observed launching attacks against Myanmar government organizations and CPG Corp. Experts believe the information the hackers may have stolen from the targets could have helped the Chinese company win the tender.

Chinese cyberspies have often been accused of stealing information that would give the country a competitive advantage, but it’s not often that a specific cyberattack is tied to actual economic benefit for China.

Mofang targets

Fox-IT has connected the Mofang attacks to a single group based on the tools that have been used. Unlike other threat groups, which often leverage exploits to infect their targets, Mofang has relied on social engineering to accomplish the task. The only exploits used by the APT were previously known privilege escalations built into their malware.

Mofang’s toolset consists of two main pieces of malware. One of them is a remote administration tool (RAT) dubbed ShimRat, which allows attackers to manipulate files and folders, upload and download files, and execute programs and commands.

Researchers determined that the development of ShimRat started in 2012 and the threat has been significantly improved over the past years. Similar to other China-based cyberspies, Mofang also uses antivirus hijacking techniques to run ShimRat.

The threat actor has also been using ShimRatReporter, a tool first spotted in late 2014. ShimRatReporter has been used to collect information about the targeted organization’s infrastructure, and to download a second stage payload – usually a customized ShimRat build.

While ShimRat has been known to security firms – some have even mistaken it for the PlugX RAT that is widely used by Chinese APTs – Yonathan Klijnsma, the lead author of Fox-IT’s report on Mofang, says no other security firms have conducted an in-depth investigation of the malware or the threat actor’s activities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
