Cyber Threat Actor: PT_Moisha
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | China | 1 incident |
Profile
PT_Moisha, also known as Moisha, is a ransomware group that has been linked to China based on publicly available information. The group identifies itself as a ransomware actor and has been observed using the qTox platform for communication with victims and researchers. Despite being described as newly identified in open sources, PT_Moisha claims to be an established threat actor in its interactions.
The group’s only publicly reported operation targeted Aoyuan Healthy Life Group, a subsidiary of the China Aoyuan Group. China Aoyuan Group is headquartered in Guangzhou, Guangdong District, was founded in 1996, and became listed on the Hong Kong Stock Exchange in October 2007, with its registered office situated in the Cayman Islands. Aoyuan Healthy Life Group maintains operational offices in Sydney, Australia, as well as in Toronto and Vancouver, Canada, reflecting an international presence across multiple regions.
During the incident on September 28, 2022, PT_Moisha exfiltrated approximately 200 GB of documents from the victim’s network and provided a 200 MB sample consisting of 90 files as proof of the data theft. The attackers communicated with the victim and with journalists via qTox, asserting that they had retained the full dataset after the breach. No details regarding ransom demands, payment negotiations, or specific operational disruptions were disclosed in the available reports.
As of the current open‑source record, the September 2022 attack on Aoyuan Healthy Life Group represents the sole publicly documented campaign attributed to PT_Moisha, and no additional information about their tooling, malware families, initial access vectors, or affiliations with state or criminal entities has been made available.
