MOPSLED

MOPSLED is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage actors including UNC3886 and APT41.[1]

ID: S1221
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 11 June 2025
Last Modified: 11 June 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MOPSLED can communicate with C2 nodes over HTTP.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

MOPSLED can decrypt obfuscated configuration files.[1]

Enterprise T1095 Non-Application Layer Protocol

MOPSLED can use a custom binary protocol over TCP for C2 communication.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

MOPSLED can encrypt configuration files with a custom ChaCha20 algorithm.[1]

Enterprise T1102 Web Service

MOPSLED can use third-party web services such as GitHub and Google Drive for C2.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

MOPSLED has the ability to retrieve a C2 address from a dead drop URL.[1]

Groups That Use This Software

ID Name References
G1048 UNC3886 [1]
G0096 APT41 [1]

References