{"id":28486167,"url":"https://github.com/fox-it/mofang","last_synced_at":"2026-02-27T14:06:26.048Z","repository":{"id":74469275,"uuid":"61159137","full_name":"fox-it/mofang","owner":"fox-it","description":"Mofang Indicators of Compromise","archived":false,"fork":false,"pushed_at":"2016-06-14T22:42:43.000Z","size":16,"stargazers_count":9,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-08T01:11:24.454Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fox-it.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2016-06-14T22:11:26.000Z","updated_at":"2024-08-12T19:23:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"cdf8b169-6974-4133-a435-be4a5b0b943a","html_url":"https://github.com/fox-it/mofang","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fox-it/mofang","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fmofang","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fmofang/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fmofang/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fmofang/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fox-it","download_url":"https://codeload.github.com/fox-it/mofang/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fmofang/sbom","host":{"n
ame":"GitHub","url":"https://github.com","kind":"github","repositories_count":263111487,"owners_count":23415468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-08T01:10:27.949Z","updated_at":"2025-10-27T03:13:32.771Z","avatar_url":"https://github.com/fox-it.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"Mofang Indicators of Compromise\n==================================\n\nThis repository contains the indicators of compromise for the Mofang group.\n\n\u003e Mofang (模仿, Mófang, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated.\n\nThe full report on the Mofang group can be found here:\n\n * [http://f0x.nl/mofang](http://f0x.nl/mofang) (short link)\n * [http://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/](http://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/)\n\n### Available IOCs\n\n| filename                                      | description                                                                                              |\n|-----------------------------------------------|----------------------------------------------------------------------------------------------------------|\n| *[domains.txt](domains.txt)*             | The C2 domains used by ShimRat and/or ShimRatReporter |\n| *[ips.txt](ips.txt)* | The C2 IPs used by ShimRat and/or ShimRatReporter |\n| *[hashes.txt](hashes.txt)* | The hashes for ShimRat and ShimRatReporter samples |\n \n### 
Available signatures\n| filename                                      | description                                                                                              |\n|-----------------------------------------------|----------------------------------------------------------------------------------------------------------|\n| *[snort_signatures.txt](snort_signatures.txt)* | Contains Snort signatures to detect ShimRat and ShimRatReporter |\n| *[yara_signatures.txt](yara_signatures.txt)* | Contains Yara signatures to detect ShimRat and ShimRatReporter |\n\n### Available STIX Package\n| filename                                      | description                                                                                              |\n|-----------------------------------------------|------------------------------------------|\n| *[FoxIT_Mofang_STIX_1_2.xml](FoxIT_Mofang_STIX_1_2.xml)* | STIX package containing all the indicators and signatures |\n\n### Shim Databases\n\nAs described in the report, ShimRat makes use of shims to obtain persistence on a system. The following files are the observed shim databases used by ShimRat. 
These files are the SDBs containing the fix information used to inject the malicious ShimRat DLL into a process.\n\n|filename                                                                                    |description|\n|--------------------------------------------------------------------------------------------|------------------------------------------------------------------------|\n| *[{503EC3D3-165A-4770-B799-099D43B833EC}.sdb]({503EC3D3-165A-4770-B799-099D43B833EC}.sdb)* | The shim used for persistence on 32-bit Windows installations |\n| *[{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb]({f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb)* | The shim used for persistence on 64-bit Windows installations |\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Fmofang","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffox-it%2Fmofang","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Fmofang/lists"}