S1222: RIFLESPINE

RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.[1]

Enterprise | S1222 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RIFLESPINE matters because it is a Linux-listed backdoor that uses Google Drive for both file transfer and command execution. For leaders, the business issue is not only malware on a host; it is whether trusted cloud storage traffic can become a command, control, staging, and exfiltration path without being noticed.

Executive priority

Prioritize validation of Linux monitoring, outbound web/cloud-storage governance, and incident response procedures for systems that are allowed to reach Google Drive or similar web services. This object is associated in ATT&CK with UNC3886, and its mapped behaviors span persistence, discovery, command and control, ingress transfer, collection staging, and cloud-storage exfiltration. Decision-makers should ask whether current controls can distinguish legitimate business use of cloud storage from suspicious automated transfer and command activity.

Technical view

ATT&CK provides no official detection text for RIFLESPINE, so defenders should validate coverage from the mapped techniques: Unix shell execution, web-protocol C2, local data staging, system information discovery, bidirectional web-service communication, ingress tool transfer, deobfuscation/decoding, systemd service persistence, exfiltration to cloud storage, and symmetric cryptography. On Linux systems, focus on process execution, shell command history where available, service creation or modification under systemd, unusual local staging paths, outbound HTTPS/web traffic patterns, and file movement involving Google Drive-related services.

Likely telemetry

  • Linux process execution and parent-child process data
  • Shell command logging where enabled
  • systemd unit file creation, modification, enablement, and service start events
  • File creation, modification, archive/staging activity, and unusual local directories
  • Outbound web proxy, DNS, firewall, and network flow records

Detection direction

  • Confirm whether Linux endpoints and servers actually produce process, file, and service telemetry sufficient to investigate ATT&CK techniques T1059.004, T1543.002, T1074.001, and T1082.
  • Tune network analytics for unusual automated access to cloud storage over web protocols, especially hosts or service accounts that do not normally interact with Google Drive.
  • Correlate cloud-storage upload/download activity with local staging, shell execution, new systemd services, and ingress file transfer rather than alerting on cloud access alone.
  • Treat encrypted or opaque outbound traffic as context, not proof; symmetric cryptography is mapped, but local baselines and proxy visibility determine detection value.
  • Account for false positives from legitimate backup, synchronization, administration, and developer workflows that use cloud storage or scripted web requests.
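To make the correlation direction above concrete, here is an added example (not Glexia's or MITRE's code) that runs the mapped techniques as a behaviour chain over constructed Linux telemetry and only alerts when several signals co-occur on one host. The correlation window, the approved-tool allowlist, the Drive endpoints, and all host and process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the page): correlation window, approved sync tools, Drive endpoints.
WINDOW = timedelta(minutes=30)
APPROVED_CLOUD_PROCS = {"rclone", "gdrive-backup"}
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}

def technique(ev):
    """Map one normalised Linux event to the ATT&CK technique it evidences, else None."""
    t = ev["type"]
    if t == "process" and ev["exe"] == "/bin/sh" and ev["parent"].startswith(("/tmp/", "/dev/shm/")):
        return "T1059.004"   # Unix shell spawned by a binary living in a scratch directory
    if t == "file" and ev["path"].startswith("/etc/systemd/system/") and ev["path"].endswith(".service"):
        return "T1543.002"   # new systemd unit file (the persistence surface named on the page)
    if t == "file" and ev["action"] == "create" and ev["path"].startswith("/tmp/"):
        return "T1074.001"   # output staged to a temporary file
    if t == "network" and ev["dst"] in DRIVE_HOSTS and ev["proc"] not in APPROVED_CLOUD_PROCS:
        return "T1102.002"   # Google Drive reached by a process that is not an approved sync tool
    return None

def correlate(events, min_techniques=3):
    """Return {host: sorted techniques} for hosts where at least min_techniques distinct
    technique signals fall inside one WINDOW. With the default, Drive access alone never fires."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tech = technique(ev)
        if tech:
            by_host[ev["host"]].append((ev["ts"], tech))
    alerts = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {t for ts, t in hits[i:] if ts - start <= WINDOW}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts

T0 = datetime(2024, 6, 18, 9, 0)   # constructed sample telemetry for three hosts
SAMPLE_EVENTS = [
    {"host": "web01", "ts": T0, "type": "file", "path": "/etc/systemd/system/update.service", "action": "create"},
    {"host": "web01", "ts": T0 + timedelta(minutes=1), "type": "process", "exe": "/bin/sh", "parent": "/tmp/.cache/svc"},
    {"host": "web01", "ts": T0 + timedelta(minutes=2), "type": "file", "path": "/tmp/.out.txt", "action": "create"},
    {"host": "web01", "ts": T0 + timedelta(minutes=3), "type": "network", "dst": "www.googleapis.com", "proc": "svc"},
    # backup01 reaches Drive only through an approved tool: the legitimate-workflow case
    {"host": "backup01", "ts": T0, "type": "network", "dst": "www.googleapis.com", "proc": "rclone"},
    # dev02 has one unapproved Drive connection and nothing else: context, not an alert
    {"host": "dev02", "ts": T0, "type": "network", "dst": "drive.google.com", "proc": "curl"},
]
```

Running correlate(SAMPLE_EVENTS) flags only web01, with all four techniques; backup01 is never scored because its Drive traffic comes from an approved tool, and dev02 stays below the threshold unless min_techniques is lowered to 1.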

Mitigation priorities

  • Establish business-approved cloud storage use cases and restrict or monitor unapproved cloud-storage access from Linux servers and sensitive environments.
  • Harden Linux persistence surfaces by controlling who can create or modify systemd services and by monitoring service configuration changes.
  • Improve egress governance with proxy, DNS, and firewall visibility for outbound web traffic from critical hosts.
  • Maintain endpoint logging and retention sufficient for incident response reconstruction of shell execution, file staging, and tool transfer.
  • Use least privilege and segmentation to limit what a compromised Linux host can access, stage, and exfiltrate.

Analyst notes and limits

The supplied ATT&CK relationship context ties RIFLESPINE to UNC3886 and to techniques across execution, command and control, collection, discovery, persistence, privilege escalation, exfiltration, and stealth. The most decision-relevant feature is use of a legitimate cloud service channel, because this can bypass simplistic blocking approaches and complicate SOC triage.

MITRE does not provide official detection guidance for this object in the supplied fields. The platform field lists Linux, while the description calls the malware cross-platform; this take therefore emphasizes Linux because that is the supplied platform. Local telemetry, cloud logging availability, and approved Google Drive usage are required to determine actual exposure or coverage.

Official MITRE ATT&CK definition

RIFLESPINE

RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name, Relationship / procedure (10 rows)

Enterprise, T1102.002, Bidirectional Communication (sub-technique)
  RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive, then upload the results of command execution back to Google Drive. [1]

Enterprise, T1567.002, Exfiltration to Cloud Storage (sub-technique)
  RIFLESPINE can upload results from executed C2 commands to cloud storage. [1]

Enterprise, T1573.001, Symmetric Cryptography (sub-technique)
  RIFLESPINE can use the AES algorithm to encrypt C2 data. [1]

Enterprise, T1105, Ingress Tool Transfer
  RIFLESPINE can download and execute files. [1]

Enterprise, T1543.002, Systemd Service (sub-technique)
  RIFLESPINE can create a systemd service file for execution. [1]

Enterprise, T1140, Deobfuscate/Decode Files or Information
  RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts. [1]

Enterprise, T1082, System Information Discovery
  RIFLESPINE can collect system information after installation on infected systems. [1]

Enterprise, T1071.001, Web Protocols (sub-technique)
  RIFLESPINE can use HTTP `GET` and `PUT` to upload and download files. [1]

Enterprise, T1059.004, Unix Shell (sub-technique)
  RIFLESPINE can execute commands with `/bin/sh`. [1]

Enterprise, T1074.001, Local Data Staging (sub-technique)
  RIFLESPINE can stage the output from executed C2 commands to a temporary file. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1bef797e8de83779...

Imported snapshots across ATT&CK releases (1)
Columns: Release, Bundle imported, Object version, Modified, Status, Raw hash
  19.1, (not supplied), 1.0, (not supplied), Current bundle, 1bef797e8de8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Google Cloud Mandiant UNC3886 2024: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  [2] mitre-attack S1222.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.