
S1221 MOPSLED

MOPSLED is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage actors including UNC3886 and APT41. [1]

ID: S1221
Associated Names:
Type: MALWARE
Version: 1.0
Created: 11 June 2025
Last Modified: 11 June 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071 | Application Layer Protocol | (parent technique; see T1071.001)
Enterprise | T1071.001 | Web Protocols | MOPSLED can communicate with C2 nodes over HTTP. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | MOPSLED can decrypt its obfuscated configuration files. [1]
Enterprise | T1095 | Non-Application Layer Protocol | MOPSLED can use a custom binary protocol over TCP for C2 communication. [1]
Enterprise | T1027 | Obfuscated Files or Information | (parent technique; see T1027.013)
Enterprise | T1027.013 | Encrypted/Encoded File | MOPSLED can encrypt its configuration files with a custom ChaCha20 algorithm. [1]
Enterprise | T1102 | Web Service | MOPSLED can use third-party web services such as GitHub and Google Drive for C2. [1]
Enterprise | T1102.001 | Dead Drop Resolver | MOPSLED can retrieve a C2 address from a dead drop URL. [1]
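The T1140 and T1027.013 rows above say only that MOPSLED's configuration is protected with a "custom" ChaCha20; the page does not describe what was customized. In practice a malware author's "custom" ChaCha20 is usually a change to the 16-byte constant block ("expand 32-byte k") or to the round count, so the useful analyst tool is a reference RFC 7539 ChaCha20 with those two parameters exposed, plus a sanity check that tells a wrong guess from a right one. The block below is an added example written for this page, not MOPSLED's code or any published decryptor for it. The container layout it assumes (a 12-byte nonce followed by ciphertext), the sample key, nonce and config contents are all constructed for the demo and are not taken from the malware.

```python
"""Reference ChaCha20 (RFC 7539) with the constants and round count exposed as
parameters, so hypotheses about a "custom" variant can be tested against a
captured config blob. Added example; not MOPSLED code."""
import struct

# Standard ChaCha20 constants ("expand 32-byte k"). A "custom" ChaCha20 in a
# malware sample is most often a change to these four words or to the round count.
SIGMA = b"expand 32-byte k"
MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    """In-place ChaCha quarter round on state words a, b, c, d (RFC 7539 2.1)."""
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce, constants=SIGMA, rounds=20):
    """Return one 64-byte keystream block for a 32-byte key, 32-bit counter, 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 12 or len(constants) != 16:
        raise ValueError("key must be 32 bytes, nonce 12 bytes, constants 16 bytes")
    if rounds % 2:
        raise ValueError("rounds must be even (column + diagonal double rounds)")
    state = list(struct.unpack("<4L", constants)) + list(struct.unpack("<8L", key))
    state += [counter & MASK32] + list(struct.unpack("<3L", nonce))
    w = state[:]
    for _ in range(rounds // 2):
        # column round
        quarter_round(w, 0, 4, 8, 12)
        quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14)
        quarter_round(w, 3, 7, 11, 15)
        # diagonal round
        quarter_round(w, 0, 5, 10, 15)
        quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13)
        quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0, constants=SIGMA, rounds=20):
    """Encrypt or decrypt (same operation) by XOR with successive keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce, constants, rounds)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def decrypt_config(blob, key, constants=SIGMA, rounds=20):
    """ASSUMED container layout, for illustration only: 12-byte nonce || ciphertext.
    Returns the plaintext, or None when the output is not printable ASCII, which is
    the usual sign that the constants/rounds guess for the variant is wrong."""
    if len(blob) < 12:
        return None
    nonce, ct = blob[:12], blob[12:]
    pt = chacha20_xor(key, nonce, ct, 0, constants, rounds)
    return pt if pt and all(0x20 <= b < 0x7F for b in pt) else None


def build_sample():
    """Constructed demo input: key, nonce and config text are made up, not real IOCs."""
    key = bytes(range(32))
    nonce = b"\x00" * 11 + b"\x01"
    config = b'{"c2":"c2.example.com","port":443,"sleep":30}'
    blob = nonce + chacha20_xor(key, nonce, config)
    return key, blob, config


if __name__ == "__main__":
    key, blob, config = build_sample()
    print("standard constants/rounds:", decrypt_config(blob, key))
    print("wrong constants:          ", decrypt_config(blob, key, constants=b"ABCD" * 4))
    print("wrong round count:        ", decrypt_config(blob, key, rounds=8))
```

When working a real sample, pull the 16 constant bytes and the loop count out of the decompiled keystream routine and pass them to `decrypt_config`; the printable-ASCII check is only a heuristic, so replace it with whatever framing the recovered config actually uses.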

Groups That Use This Software

ID | Name | References
G1048 | UNC3886 | [1]
G0096 | APT41 | [1]

References