S1221: MOPSLED
Analyst context for executives and security teams
MOPSLED matters because ATT&CK describes it as a Linux, shellcode-based modular backdoor used in cyber espionage activity. Even without an official ATT&CK detection section, the related techniques show why it can be operationally hard to spot: encoded or encrypted content, decoding activity, and command-and-control that can blend into web traffic, legitimate web services, or non-application-layer protocols.
Executive priority
Treat this as a readiness and visibility question for Linux environments, especially high-value servers and infrastructure-adjacent systems. Leaders should ask whether SOC and IR teams can prove they collect usable Linux host telemetry and outbound network evidence, and whether egress to web services and unusual protocols is governed well enough to support investigation. For risk owners, the key decision value is not naming MOPSLED specifically, but validating resilience against modular backdoors that rely on stealth and flexible C2.
Technical view
ATT&CK lists MOPSLED for Linux and relates it to obfuscation/deobfuscation and multiple command-and-control techniques: Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Web Protocols, Non-Application Layer Protocol, Web Service, and Dead Drop Resolver. SOC teams should validate detections and hunts around Linux processes that create, read, or execute suspicious encoded content; unexpected decoding behavior; unusual outbound HTTP/S or web-service access from servers; and network flows using uncommon or policy-violating protocols. Because no official detection guidance is provided, coverage should be tested against behavioral patterns rather than malware-name alerts alone.
Likely telemetry
- Linux endpoint telemetry: process execution, parent/child process relationships, command-line where available, file creation/modification, and execution from unusual paths
- Linux file integrity or EDR evidence for encrypted, encoded, or recently decoded artifacts
- Network flow records from Linux systems, including destination, port, protocol, volume, timing, and directionality
- Proxy, web gateway, DNS, TLS, and HTTP/S metadata for outbound web protocol activity
- Egress firewall logs and alerts for non-standard or non-application-layer protocol usage
Detection direction
- Confirm that Linux servers and other Linux assets are covered by host and network monitoring; many programs have stronger Windows visibility than Linux visibility.
- Tune for behavior tied to the related techniques: encoded/encrypted artifacts followed by decoding or execution, unexpected outbound web traffic from server workloads, and communication patterns inconsistent with the asset role.
- Review allowlisted web services and common HTTP/S destinations carefully; legitimate services can create false positives but also provide cover for C2.
- Use asset context to reduce noise: outbound web activity from a user workstation and from a production Linux server should not be triaged the same way.
- Do not rely on signature or malware-family naming alone, since the ATT&CK object provides no official detection text and describes the malware as modular.
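The detection direction above can be turned into a behavioral triage routine. The script below is an added example, not part of the original page or of any MITRE or Glexia tooling: it parses a few constructed proxy log lines and flow records, applies a hypothetical asset-role inventory so that web-service access from a workstation and from a Linux server are scored differently, flags server connections on TCP ports outside an assumed expected set, and escalates when an unusual connection follows a web-service fetch within a short window (the web-service / dead-drop / non-application-layer relationships listed in the Techniques used table). The inventory, allowlists, IP addresses and log formats are all assumptions; real deployments would read them from the SIEM and CMDB.

```python
"""Added example: asset-aware triage of outbound activity from Linux hosts.

All inputs are constructed by hand for this example; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory: the role decides how outbound web traffic is triaged.
ASSETS = {
    "10.0.5.21": "linux-server",
    "10.0.5.22": "linux-server",
    "10.0.9.40": "workstation",
}

# Allowlisted web services that are legitimate but can also give cover to C2 (T1102).
WEB_SERVICES = ("github.com", "raw.githubusercontent.com", "drive.google.com")

# Assumed outbound TCP ports a server is expected to use; other ports are reviewed as
# a possible custom / non-application-layer protocol (T1095).
EXPECTED_TCP_PORTS = {80, 443}
DEAD_DROP_WINDOW = timedelta(minutes=10)

# Constructed proxy log: timestamp src dst_host method path status
PROXY_LOG = """\
2024-09-24T10:01:05Z 10.0.9.40 github.com GET /org/repo 200
2024-09-24T10:03:10Z 10.0.5.21 raw.githubusercontent.com GET /u/x/main/cfg.txt 200
2024-09-24T10:05:00Z 10.0.5.22 repo.internal.example GET /deb/pool/ 200
"""

# Constructed flow records (documentation IP ranges): timestamp src dst dport proto bytes
FLOW_LOG = """\
2024-09-24T10:02:00Z 10.0.9.40 192.0.2.30 443 tcp 5120
2024-09-24T10:06:30Z 10.0.5.21 203.0.113.77 8443 tcp 1860
2024-09-24T10:20:00Z 10.0.5.22 10.0.2.10 443 tcp 900
"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        ts, src, host, _method, path, _status = line.split()
        rows.append({"ts": _ts(ts), "src": src, "host": host, "path": path})
    return rows


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        rows.append({"ts": _ts(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return rows


def triage(proxy_rows, flow_rows, assets=ASSETS):
    """Return (src, severity, message) findings, using asset role to suppress noise."""
    findings = []
    web_hits = defaultdict(list)  # src -> timestamps of web-service fetches
    for r in proxy_rows:
        if not r["host"].endswith(WEB_SERVICES):
            continue
        web_hits[r["src"]].append(r["ts"])
        # Same behavior, different weight: a server workload fetching from a public
        # web service is worth a look; a workstation doing so is normal.
        if assets.get(r["src"], "unknown") == "linux-server":
            findings.append((r["src"], "medium",
                             f"server fetched from web service {r['host']}{r['path']} (T1102)"))
    for f in flow_rows:
        if assets.get(f["src"], "unknown") != "linux-server":
            continue
        if f["proto"] != "tcp" or f["dport"] in EXPECTED_TCP_PORTS:
            continue
        if f["dst"].startswith("10."):  # assumed internal range, out of scope here
            continue
        sev = "medium"
        msg = f"server opened tcp/{f['dport']} to {f['dst']} outside expected ports (T1095)"
        # Escalate when a web-service fetch preceded the unusual connection: the
        # fetch-then-connect sequence a dead drop resolver (T1102.001) would produce.
        if any(timedelta(0) <= f["ts"] - t <= DEAD_DROP_WINDOW for t in web_hits[f["src"]]):
            sev = "high"
            msg += "; preceded by a web-service fetch within 10 min (possible dead drop)"
        findings.append((f["src"], sev, msg))
    return findings


if __name__ == "__main__":
    for src, sev, msg in triage(parse_proxy(PROXY_LOG), parse_flows(FLOW_LOG)):
        print(f"{sev:6} {src:12} {msg}")
```

On the constructed input, the workstation's GitHub visit produces nothing, the internal package mirror produces nothing, and the server 10.0.5.21 yields two findings: a medium one for the raw.githubusercontent.com fetch and a high one for the tcp/8443 connection that followed it. The allowlist, expected-port set and window are the tuning knobs the bullets above ask teams to derive from their own asset context.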
Mitigation priorities
- Prioritize Linux monitoring coverage for high-value systems before relying on detections for this behavior.
- Enforce least-privilege egress policies for servers, including review of which systems require direct Internet, web service, or non-standard protocol access.
- Maintain investigation-ready logging for DNS, proxy, firewall, and Linux endpoint activity so IR can reconstruct outbound C2 paths.
- Harden and regularly review externally exposed or infrastructure-critical Linux systems; where virtualization or edge-adjacent systems are in scope, ensure they are included in vulnerability management and logging programs.
- Use threat-informed testing to validate whether current controls can surface the ATT&CK-related behaviors without depending on a specific MOPSLED indicator.
Analyst notes and limits
The supplied ATT&CK data identifies MOPSLED as a Linux malware family and links it to stealth and command-and-control behaviors. Relationship context includes use by UNC3886, while the official description also references APT41. This take therefore focuses on defensive validation for Linux telemetry, obfuscation handling, and outbound C2 visibility rather than asserting a specific campaign or exposure.
MITRE provides no official detection text, no aliases, and no explicit tactics on the malware object itself. The guidance above is derived from the supplied platform, description, external reference, and related ATT&CK techniques. Local asset roles, network policy, logging quality, and incident evidence are required to determine actual risk or coverage.
MOPSLED
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | MOPSLED can communicate to C2 nodes over HTTP. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | MOPSLED can encrypt configuration files with a custom ChaCha20 algorithm. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MOPSLED can decrypt obfuscated configuration files. [1] |
| Enterprise | T1102 | Web Service | MOPSLED can use third-party web services such as GitHub and Google Drive for C2. [1] |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | MOPSLED has the ability to retrieve a C2 address from a dead drop URL. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | MOPSLED can use a custom binary protocol over TCP for C2 communication. [1] |
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates entry under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 80ed5c35359d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Google Cloud Mandiant UNC3886 2024. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
- [2] mitre-attack S1221
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.