S9025: NOOPLDR
NOOPLDR is a shellcode loader with XML/C# and DLL versions that has been used by MirrorFace to load HiddenFace.[1]
Analyst context for executives and security teams
NOOPLDR matters because it is described by ATT&CK as a Windows shellcode loader, with XML/C# and DLL versions, used by MirrorFace to load HiddenFace. For leaders, the decision point is not just the malware name; it is whether Windows endpoint monitoring can see trusted-tool abuse, DLL activity, process injection, registry changes, decoding/deobfuscation, and cleanup behavior before a loader enables follow-on malware.
Executive priority
Prioritize NOOPLDR as a readiness test for Windows endpoint visibility and incident response evidence retention. Its ATT&CK relationships point to stealth-heavy behaviors, including obfuscation, encoded files, junk code, process injection, file deletion, registry modification, MSBuild abuse, and DLL abuse. Executives should ask whether SOC and IR teams can reconstruct loader activity when artifacts are hidden or deleted, and whether controls around developer/build utilities and DLL loading are governed outside developer workstations.
Technical view
Validate coverage on Windows hosts for the linked behaviors: T1127.001 MSBuild execution of XML/C# content, T1574.001 DLL abuse, T1055 process injection, T1112 registry modification, T1106 native API use, T1140 decoding/deobfuscation, T1070.004 file deletion, T1082 system information discovery, and T1027/T1027.013/T1027.016 obfuscation patterns. Treat MirrorFace and HiddenFace relationships as context for threat-informed hunting, not as proof of local exposure.
Likely telemetry
- Windows process creation and command-line telemetry, especially MSBuild.exe and unusual parent/child process chains
- Endpoint file creation, modification, deletion, and rename events for XML, C#/build artifacts, DLLs, and encoded or obfuscated payload-like files
- DLL load telemetry and image/module load context
- Registry write/change telemetry, including user and administrative hives where available
- EDR or host telemetry for process injection, cross-process memory access, and suspicious native API-related behavior
Detection direction
- Confirm whether MSBuild use is baselined by host role; developer systems may generate noise, while MSBuild execution on non-build endpoints should receive higher scrutiny.
- Hunt for combinations rather than single indicators: MSBuild or DLL activity followed by decoding, registry modification, injection-like behavior, and file deletion is more meaningful than any one event alone.
- Tune for obfuscation-resistant evidence: encoded content, junk-code-heavy samples, and deleted files can weaken static signatures, so endpoint behavioral telemetry and retained forensic artifacts are important.
- Review DLL search/load context for unusual locations or unexpected processes, without assuming all DLL loads are malicious.
- Correlate registry modifications with nearby process execution and file activity to separate administrative change from suspicious persistence or evasion behavior.
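As an added illustration of the "hunt for combinations" guidance above (this is example code written for this page, not Glexia analysis or anything from the cited Trend Micro or JPCERT reports), the script below correlates per-host endpoint events into a loader-like chain: an anchor event (MSBuild.exe starting on a host that is not a known build host, or a DLL loaded from a user-writable directory) followed within a time window by the follow-on behaviours named in this object's ATT&CK relationships (a write under `HKCU\SOFTWARE\Microsoft\COM3`, cross-process access to `wuauclt.exe`/`rdrleakdiag.exe`/`tabcal.exe`, deletion of the file the anchor was given). The normalized event schema, the `BUILD_HOSTS` baseline, the user-writable-directory heuristic and the sample events are all constructed assumptions; a single anchor with no follow-on stage is deliberately not reported, which is the point of the bullet list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: hosts where MSBuild execution is expected (replace with your CMDB data).
BUILD_HOSTS = {"BUILD-01"}
# Registry location named in the T1112 relationship text for this object.
PAYLOAD_KEY_PREFIX = "HKCU\\SOFTWARE\\Microsoft\\COM3\\"
# Injection targets named in the T1055 relationship text for this object.
INJECTION_TARGETS = {"wuauclt.exe", "rdrleakdiag.exe", "tabcal.exe"}
# Assumed heuristic for "unusual DLL location": anything loaded from a user profile.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\")


def parse(events):
    """Copy events, turn ISO timestamps into datetimes, sort by host then time."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: (e["host"], e["ts"]))


def anchor_stage(e):
    """Return the anchor label if this event could start a loader chain, else None."""
    image = e.get("image", "").lower()
    if e["type"] == "process" and image.endswith("\\msbuild.exe") and e["host"] not in BUILD_HOSTS:
        return "msbuild_on_non_build_host"
    if e["type"] == "image_load" and any(m in image for m in USER_WRITABLE_MARKERS):
        return "dll_loaded_from_user_writable_dir"
    return None


def follow_on_stage(anchor, e):
    """Classify an event that happened after the anchor on the same host."""
    t = e["type"]
    if t == "registry" and e.get("key", "").upper().startswith(PAYLOAD_KEY_PREFIX.upper()):
        return "registry_payload_write"
    if t == "file_delete" and e.get("path", "").lower() in anchor.get("cmdline", "").lower():
        return "input_file_deleted"          # cleanup of the file the anchor consumed
    if t == "process_access" and e.get("target_image", "").split("\\")[-1].lower() in INJECTION_TARGETS:
        return "cross_process_access"
    return None


def find_loader_chains(events, window=timedelta(minutes=10), min_stages=2):
    """Report anchors followed by at least `min_stages` distinct follow-on stages within `window`."""
    by_host = defaultdict(list)
    for e in parse(events):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        for i, a in enumerate(evs):
            anchor = anchor_stage(a)
            if anchor is None:
                continue
            stages = {}
            for e in evs[i + 1:]:
                if e["ts"] - a["ts"] > window:
                    break
                s = follow_on_stage(a, e)
                if s and s not in stages:
                    stages[s] = e["ts"]
            if len(stages) >= min_stages:
                findings.append({"host": host, "anchor": anchor,
                                 "anchor_ts": a["ts"].isoformat(), "stages": sorted(stages)})
    return findings


# Constructed sample telemetry (not real events): one full chain on a workstation,
# MSBuild alone on another workstation, and MSBuild on a known build host.
SAMPLE_EVENTS = [
    {"ts": "2026-04-17T09:00:00", "host": "WS-ACCT-07", "type": "process",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\proj.xml"},
    {"ts": "2026-04-17T09:00:05", "host": "WS-ACCT-07", "type": "registry",
     "key": "HKCU\\SOFTWARE\\Microsoft\\COM3\\3f9a1c0e"},
    {"ts": "2026-04-17T09:00:09", "host": "WS-ACCT-07", "type": "process_access",
     "target_image": "C:\\Windows\\System32\\wuauclt.exe"},
    {"ts": "2026-04-17T09:00:12", "host": "WS-ACCT-07", "type": "file_delete",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\proj.xml"},
    {"ts": "2026-04-17T09:20:00", "host": "WS-HR-02", "type": "process",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Users\\bob\\Desktop\\sample.csproj"},
    {"ts": "2026-04-17T09:30:00", "host": "BUILD-01", "type": "process",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\src\\app\\app.sln"},
    {"ts": "2026-04-17T09:30:03", "host": "BUILD-01", "type": "registry",
     "key": "HKCU\\SOFTWARE\\Microsoft\\COM3\\9b2d"},
]

if __name__ == "__main__":
    for f in find_loader_chains(SAMPLE_EVENTS):
        print(f)
```

Raising `min_stages` or shortening `window` trades recall for precision; the right values depend on how noisy MSBuild and registry writes are in your environment, which is why the baseline step comes first in the list above. The build-host exclusion shows why the baseline matters: the same registry write on BUILD-01 produces no finding because nothing there qualifies as an anchor.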
Mitigation priorities
- Start with visibility: ensure Windows endpoint logging and EDR retention cover process, file, registry, DLL/module load, and injection-relevant events.
- Reduce unnecessary exposure of trusted execution utilities by governing where MSBuild is installed, expected, or allowed to execute outside developer/build environments.
- Apply least privilege for users and administrators to limit registry modification and execution paths that require elevated access.
- Use application control or execution policy approaches where appropriate to restrict unexpected DLL, build-file, or loader execution patterns.
- Prepare IR playbooks for stealthy loader cases, including rapid collection before file deletion and triage of decoded/deobfuscated payload artifacts.
Analyst notes and limits
ATT&CK provides no official detection text for NOOPLDR, so this take is derived from the official description, the Windows platform field, the cited Trend Micro external reference, and the supplied technique relationships. The most defensible use is as a threat-informed validation case for Windows loader behavior rather than as a standalone indicator set.
The supplied ATT&CK object does not include indicators, hashes, command lines, infrastructure, procedure examples, or explicit detection analytics. Tactics are not specified for the malware object. Local environment baselines are required to distinguish legitimate MSBuild, DLL, registry, and system discovery activity from suspicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | NOOPLDR can inject decrypted payloads into processes including wuauclt.exe, rdrleakdiag.exe, and tabcal.exe. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1127.001 | MSBuild Sub-technique | NOOPLDR can be executed via MSBuild. (Citation: JPCERT MirrorFace JUL 2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | NOOPLDR can decrypt its payload prior to execution. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | The NOOPLDR payload is encrypted with AES256-CBC. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1070.004 | File Deletion Sub-technique | NOOPLDR can delete a file containing configuration instructions after use. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1027 | Obfuscated Files or Information | NOOPLDR can use control flow flattening to help hide malicious code. (Citation: Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024) |
| Enterprise | T1106 | Native API | NOOPLDR can use native APIs `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` to aid process injection. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1112 | Modify Registry | NOOPLDR can store its payload in the Registry using a random hex string in `HKCU\SOFTWARE\Microsoft\COM3`. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1574.001 | DLL Sub-technique | NOOPLDR can be executed via sideloading. (Citation: Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024) |
| Enterprise | T1564 | Hide Artifacts | NOOPLDR can hide services used to aid execution. (Citation: JPCERT MirrorFace JUL 2024) |
| Enterprise | T1082 | System Information Discovery | NOOPLDR can discover the device ID and hostname from the targeted machine to use for encryption keys. (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | NOOPLDR can insert junk code to obfuscate malicious payloads. (Citation: Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024) |
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 42f31bdc5a9a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Earth Kasha NOV 2024. Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.
[2] mitre-attack S9025.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.