NOOPLDR

NOOPLDR is a shellcode loader with XML/C# and DLL versions that has been used by MirrorFace to load HiddenFace.^[1]

ID: S9025

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Dominik Breitenbacher, ESET

Version: 1.0

Created: 17 April 2026

Last Modified: 22 April 2026

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1140		Deobfuscate/Decode Files or Information	NOOPLDR can decrypt its payload prior to execution.^[1]
Enterprise	T1564		Hide Artifacts	NOOPLDR can hide services used to aid execution.^[2]
Enterprise	T1574	.001	Hijack Execution Flow: DLL	NOOPLDR can be executed via sideloading.^[1]^[2]
Enterprise	T1070	.004	Indicator Removal: File Deletion	NOOPLDR can delete a file containing configuration instructions after use.^[1]
Enterprise	T1112		Modify Registry	NOOPLDR can store its payload in the Registry using a random hex string in `HKCU\SOFTWARE\Microsoft\COM3`.^[1]
Enterprise	T1106		Native API	NOOPLDR can use native APIs `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` to aid process injection.^[1]
Enterprise	T1027		Obfuscated Files or Information	NOOPLDR can use control flow flattening to help hide malicious code.^[1]^[2]
		.013	Encrypted/Encoded File	The NOOPLDR payload is encrypted with AES256-CBC.^[1]
		.016	Junk Code Insertion	NOOPLDR can insert junk code to obfuscate malicious payloads.^[1]^[2]
Enterprise	T1055		Process Injection	NOOPLDR can inject decrypted payloads into processes including wuauclt.exe., rdrleakdiag.exe, and tabcal.exe.^[1]
Enterprise	T1082		System Information Discovery	NOOPLDR can discover the device ID and hostname from the targeted machine to use for encryption keys.^[1]

ID	Name	References
G1054	MirrorFace	MirrorFace has used NOOPLDR during operations.^[1]