MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)

MOPSLED is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage actors including UNC3886 and APT41.(Citation: Google Cloud Mandiant UNC3886 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	1
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	1
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2