G0013: APT30
Analyst context for executives and security teams
APT30 matters less as a name to memorize and more as a planning case for long-running espionage tradecraft that can combine targeted email entry with Windows backdoors and removable-media data movement. The supplied ATT&CK relationships highlight spearphishing attachments, user-opened malicious files, and malware that can propagate or exfiltrate over removable devices, including possible movement across air-gapped environments. For leaders, this makes APT30 relevant to executive risk discussions about sensitive data protection, user-targeted compromise, removable media governance, and incident response readiness for segmented or offline networks.
Executive priority
Prioritize validation where espionage risk, sensitive information, and removable-media workflows intersect. Executives should ask whether the organization can prove control over attachment-based initial access, user execution, Windows backdoor detection, and USB/removable-device use in high-value environments. The decision value is audit and resilience: if a business relies on air-gapped, segmented, or operationally sensitive systems, removable-media monitoring and response procedures should be treated as material controls, not niche IT policy.
Technical view
ATT&CK does not provide a detection section for APT30 itself, so defenders should pivot from the relationships. Validate coverage for T1566.001 Spearphishing Attachment and T1204.002 Malicious File across email security, endpoint telemetry, and user-execution events. For related software, review detections and hunt logic for BACKSPACE, NETEAGLE, SPACESHIP, FLASHFLOOD, and SHIPSHAPE where applicable, with particular attention to Windows hosts, since the related backdoors and malware target that platform. Because several related tools are described as supporting propagation and exfiltration over removable devices, IR and SOC teams should confirm they can reconstruct removable-media insertion, file writes, execution from removable paths, and unusual archive or data staging activity around those events.
Likely telemetry
- Email gateway and mailbox logs for inbound attachments, sender metadata, attachment names, hashes, and delivery disposition
- Endpoint process creation and file execution telemetry, especially user-launched documents, scripts, executables, shortcuts, or control panel items
- EDR/antimalware alerts and file reputation data for known or suspicious malware associated with the related software objects
- Windows host logs and EDR telemetry for persistence, backdoor-like process behavior, and unusual network connections where available
- Removable media insertion/removal events, device identifiers, volume labels, and file copy activity
Detection direction
- Do not build coverage around the group name alone; map detections to the related techniques and software relationships supplied by ATT&CK.
- Test whether phishing attachment detections preserve enough evidence to support IR decisions: recipient, attachment hash, file type, delivery outcome, and whether the user opened the file.
- Tune malicious-file detections to distinguish normal document handling from user-launched files that spawn unusual child processes or write executable content.
- For environments using removable media, validate logging before an incident: many blind spots come from missing USB device events, missing file-copy telemetry, or no correlation between media insertion and execution.
- Where Windows is in scope for the related software, correlate endpoint alerts with removable-media events and suspicious network behavior rather than relying on single indicators.
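As an added illustration (not part of this page or of the ATT&CK object), the Python below runs the correlation described above over a constructed set of events: a removable-volume insertion, a process launched from that volume, and an archive written back to it, each tied to the insertion that mounted the volume. The event field names, the device identifier and the sample values are assumptions; real events would be normalized from EDR or Windows/Sysmon telemetry.

```python
from datetime import datetime

# Constructed sample telemetry, not real logs: one host, one removable
# volume, one process launched from it, one archive written to it, and
# a benign local-disk execution after the media was removed.
EVENTS = [
    {"ts": "2024-06-01T09:00:00", "host": "WS01", "type": "usb_insert",
     "device_id": "USBSTOR\\Disk&Ven_X&Prod_Y\\SN123", "drive": "E:"},
    {"ts": "2024-06-01T09:01:10", "host": "WS01", "type": "process_create",
     "image": "E:\\tools\\setup.exe", "parent": "explorer.exe"},
    {"ts": "2024-06-01T09:02:30", "host": "WS01", "type": "file_write",
     "path": "E:\\docs\\cache.rar", "process": "setup.exe"},
    {"ts": "2024-06-01T09:30:00", "host": "WS01", "type": "usb_remove",
     "drive": "E:"},
    {"ts": "2024-06-01T10:00:00", "host": "WS01", "type": "process_create",
     "image": "C:\\Program Files\\Office\\WINWORD.EXE", "parent": "explorer.exe"},
]
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".cab")
EXEC_EXT = (".exe", ".dll", ".scr", ".lnk", ".cpl", ".vbs", ".js", ".bat")

def _t(s):
    return datetime.fromisoformat(s)

def correlate(events, window_s=900):
    """Link executions and archive writes on a removable volume back to the
    insertion event that mounted it. Returns one finding per correlated hit;
    activity on local disks or after the media is removed is ignored."""
    mounted = {}   # (host, drive letter) -> most recent insertion event
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "usb_insert":
            mounted[(host, ev["drive"].upper())] = ev
        elif ev["type"] == "usb_remove":
            mounted.pop((host, ev["drive"].upper()), None)
        elif ev["type"] in ("process_create", "file_write"):
            path = ev.get("image") or ev.get("path")
            ins = mounted.get((host, path[:2].upper()))
            if ins is None:
                continue  # not on a currently mounted removable volume
            age = (_t(ev["ts"]) - _t(ins["ts"])).total_seconds()
            if age > window_s:
                continue  # outside the insertion-to-activity window
            low = path.lower()
            if ev["type"] == "process_create" and low.endswith(EXEC_EXT):
                kind = "exec_from_removable"
            elif ev["type"] == "file_write" and low.endswith(ARCHIVE_EXT):
                kind = "archive_staged_on_removable"
            else:
                continue
            findings.append({"host": host, "kind": kind, "path": path,
                             "device_id": ins["device_id"],
                             "seconds_after_insert": age})
    return findings
```

Each finding carries the device identifier from the insertion event, which is what lets IR tie the execution and staging activity to a specific piece of media rather than to a drive letter alone.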
Mitigation priorities
- Start with governance: identify business processes that require removable media and classify which assets or enclaves are allowed to use it.
- Harden email attachment handling through filtering, detonation or inspection where available, attachment type restrictions, and clear escalation paths for suspicious messages.
- Reduce user-execution risk with least privilege, application control where feasible, endpoint protection, and user reporting workflows for suspicious attachments.
- Apply removable-media controls appropriate to business need, such as device authorization, read/write restrictions, scanning requirements, and logging retention.
- Ensure high-value, segmented, or air-gapped environments have documented media transfer procedures and evidence collection expectations.
Analyst notes and limits
The official ATT&CK description identifies APT30 as a group suspected to be associated with the Chinese government and notes that Naikon shares some characteristics but does not appear to be an exact match. The strongest actionable context in the supplied data comes from relationships to spearphishing attachment, malicious file execution, and multiple malware families, including removable-device propagation and exfiltration capabilities. This take therefore emphasizes control validation and telemetry readiness rather than attribution-driven conclusions.
ATT&CK supplies no group-level platforms, tactics, or detection guidance for this object. The assessment is constrained to the official description, external references, and listed relationships. Local exposure, active targeting, malware presence, and detection coverage cannot be inferred from this object alone and require environment-specific telemetry and threat intelligence validation.
APT30
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | APT30 has used spearphishing emails with malicious DOC attachments. [1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails. [1] |
Groups, software, and campaigns
S0028: SHIPSHAPE
S0031: BACKSPACE
S0036: FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
S0034: NETEAGLE
S0035: SPACESHIP
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 33b3346ae882… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT30: FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
[2] Baumgartner Golovkin Naikon 2015: Baumgartner, K., & Golovkin, M. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.
[3] APT30 (alias entry): (Citation: FireEye APT30) (Citation: Baumgartner Golovkin Naikon 2015)
[4] mitre-attack: G0013
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.