S0028: SHIPSHAPE
Analyst context for executives and security teams
SHIPSHAPE matters because it represents malware designed to move and exfiltrate data using removable media, including potential movement across disconnected or air-gapped environments. For leaders, the key issue is not only malware detection; it is whether controls, monitoring, and procedures around USB/removable devices are strong enough to protect sensitive networks where normal network telemetry may be absent.
Executive priority
Prioritize SHIPSHAPE as a resilience and governance question for environments that rely on removable media, isolated networks, or manual file transfer processes. Executives should ask whether removable-device use is authorized, logged, technically controlled, and auditable, and whether incident response plans cover data loss or malware propagation where systems are not continuously connected to enterprise monitoring.
Technical view
ATT&CK links SHIPSHAPE to Replication Through Removable Media, Registry Run Keys / Startup Folder, and Shortcut Modification. SOC and IR teams should validate visibility for removable-media insertion and file activity, Windows startup persistence locations, registry run key changes, startup-folder changes, and suspicious shortcut creation or modification. Because the malware object itself has no ATT&CK detection text and no platforms specified, detection engineering should be driven by the related Windows techniques rather than assuming a complete malware-specific analytic exists.
Likely telemetry
- Removable media insertion and mount events
- File creation, copy, rename, and execution activity on removable drives
- Windows Registry changes to Run keys and related autorun persistence locations
- Startup folder file creation or modification events
- Shortcut file creation or modification events, especially in startup-related paths
Detection direction
- Validate whether endpoint logging remains available for systems that are isolated, intermittently connected, or used for removable-media transfer workflows.
- Tune for combinations of removable-media activity followed by execution, persistence changes, or shortcut modification rather than treating every USB insertion as malicious.
- Review allowlisted administrative, software deployment, and user productivity workflows that legitimately write startup entries or shortcuts to reduce false positives.
- For air-gapped or disconnected environments, confirm how logs are collected, preserved, and reviewed after reconnection or manual export.
- Use relationship context carefully: ATT&CK associates SHIPSHAPE with APT30 and specific techniques, but the supplied object does not provide indicators, active campaign details, or guaranteed detection logic.
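The tuning point above (correlate removable-media activity with follow-on execution or persistence instead of alerting on every insertion) can be expressed as a small correlation routine. The following is an added illustration, not code from Glexia or MITRE; the event schema, the fifteen-minute window, and the allowlisted deployment tool are assumptions, and the events are constructed.

```python
"""Added example: correlate removable-media insertion with follow-on persistence.

Constructed, simplified endpoint events (not real telemetry); the field names,
the fifteen-minute window and the allowlisted image are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

# Persistence locations named on the page (ATT&CK T1547.001 / T1547.009).
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_MARKERS = ("\\start menu\\programs\\startup\\",)

# Hypothetical allowlist of deployment tooling that legitimately writes startup entries.
ALLOWLISTED_IMAGES = {r"c:\program files\contoso deploy\deploy.exe"}


def _is_run_key(path):
    p = path.lower()
    return any(m in p for m in RUN_KEY_MARKERS)


def _is_startup_shortcut(path):
    p = path.lower()
    return p.endswith(".lnk") and any(m in p for m in STARTUP_MARKERS)


def _on_drive(path, drive):
    return path.lower().startswith(drive.lower() + "\\")


def correlate(events):
    """Return alerts pairing a mount with suspicious follow-on activity on the same host."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, mount in enumerate(events):
        if mount["type"] != "removable_mount":
            continue
        drive = mount["drive"]
        follow_on = []
        for e in events[i + 1:]:
            if e["ts"] - mount["ts"] > WINDOW:
                break  # list is time-ordered, nothing later can be in the window
            if e["host"] != mount["host"]:
                continue
            if e.get("image", "").lower() in ALLOWLISTED_IMAGES:
                continue  # known deployment workflow, suppress to reduce false positives
            if e["type"] == "process_start" and _on_drive(e["image"], drive):
                follow_on.append(("execution_from_removable", e["image"]))
            elif e["type"] == "registry_set" and _is_run_key(e["key"]):
                follow_on.append(("run_key_persistence", e["key"]))
            elif e["type"] == "file_create" and _is_startup_shortcut(e["path"]):
                follow_on.append(("startup_shortcut", e["path"]))
        if follow_on:
            alerts.append({"host": mount["host"], "drive": drive,
                           "mount_ts": mount["ts"], "follow_on": follow_on})
    return alerts


# Constructed sample events covering the cases the guidance distinguishes.
T0 = datetime(2024, 11, 17, 9, 0, 0)
SAMPLE_EVENTS = [
    # WS-A: mount, then execution from the drive and a Startup-folder shortcut -> alert
    {"ts": T0, "host": "WS-A", "type": "removable_mount", "drive": "E:"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS-A", "type": "process_start",
     "image": r"E:\Report.exe"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS-A", "type": "file_create",
     "image": r"E:\Report.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # WS-B: mount with no follow-on activity -> no alert
    {"ts": T0, "host": "WS-B", "type": "removable_mount", "drive": "E:"},
    # WS-C: allowlisted deployment tool writes a Run key after a mount -> suppressed
    {"ts": T0, "host": "WS-C", "type": "removable_mount", "drive": "F:"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS-C", "type": "registry_set",
     "image": r"C:\Program Files\Contoso Deploy\deploy.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Agent"},
    # WS-D: Run key change two hours after the mount -> outside the window
    {"ts": T0, "host": "WS-D", "type": "removable_mount", "drive": "E:"},
    {"ts": T0 + timedelta(hours=2), "host": "WS-D", "type": "registry_set",
     "image": r"C:\Windows\regedit.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\X"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only WS-A produces an alert: the insertion alone (WS-B), the allowlisted deployment tool (WS-C) and a persistence change outside the window (WS-D) are all dropped. In a real pipeline the window, the allowlist and the startup-path markers would be fed from your device-control policy and workflow review rather than hard-coded.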
Mitigation priorities
- Establish and enforce removable-media governance: approved devices, business justification, handling procedures, and audit trails.
- Apply technical controls for removable-device access where feasible, including blocking or restricting unapproved media and limiting execution from removable drives.
- Harden Windows persistence surfaces by monitoring and controlling Registry Run keys, startup folders, and shortcut-based startup behavior.
- Ensure isolated or air-gapped environments have compensating controls, including offline log collection, malware scanning procedures, and incident escalation paths.
- Test incident response playbooks for removable-media propagation and suspected exfiltration across disconnected networks.
Analyst notes and limits
The most useful defensive framing is the intersection of removable-media movement, possible air-gap data movement, and Windows persistence techniques. This object is especially relevant to organizations with sensitive segmented environments, operational networks, regulated data transfer procedures, or high reliance on USB-based workflows.
MITRE provides no official detection text, no malware aliases, no labels, and no platforms directly on the SHIPSHAPE object. Windows-specific guidance comes from the related ATT&CK techniques, not from the malware object platform field. Local device-control policies, endpoint telemetry, and business workflows are required to assess real coverage.
SHIPSHAPE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder. [1] |
| Enterprise | T1091 | Replication Through Removable Media | APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document. [1] |
| Enterprise | T1547.009 | Shortcut Modification | SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder. [1] |
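The T1091 procedure row describes a drive layout worth checking during removable-media triage: a legitimate document is hidden and an executable with the same name is placed beside it, and the drive may carry an Autorun configuration. The following is an added, defender-side illustration of scanning a drive listing for that layout; it is not Glexia or MITRE code, the sample listing is constructed, and the document/executable extension sets are assumptions.

```python
"""Added example: triage a removable drive's listing for the decoy layout in the T1091 row.

Finds hidden document files that have a visible same-name executable next to them,
and flags autorun.inf. The listing below is constructed; extension sets are assumptions.
"""
import ntpath
import os
from collections import defaultdict

DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".rtf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows hidden attribute bit


def listing_from_directory(root):
    """Build (relative_path, is_hidden) entries from a real directory.

    Uses the Windows hidden attribute when available, dot-prefix elsewhere.
    """
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            attrs = getattr(os.stat(full), "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")
            entries.append((os.path.relpath(full, root), hidden))
    return entries


def triage_listing(entries):
    """Return findings: autorun.inf presence and hidden-document / same-stem executable pairs."""
    findings = []
    by_stem = defaultdict(list)
    for rel, hidden in entries:
        folder, name = ntpath.split(rel)        # ntpath handles both \ and / separators
        stem, ext = ntpath.splitext(name)
        if name.lower() == "autorun.inf":
            findings.append({"kind": "autorun_inf", "path": rel})
        by_stem[(folder.lower(), stem.lower())].append((rel, ext.lower(), hidden))
    for files in by_stem.values():
        hidden_docs = [f for f in files if f[1] in DOCUMENT_EXTS and f[2]]
        visible_execs = [f for f in files if f[1] in EXECUTABLE_EXTS and not f[2]]
        for doc in hidden_docs:
            for exe in visible_execs:
                findings.append({"kind": "decoy_pair",
                                 "hidden_document": doc[0], "executable": exe[0]})
    return findings


# Constructed listing of a suspect drive: (relative path, hidden attribute set).
SAMPLE_LISTING = [
    ("autorun.inf", True),
    ("Budget 2015.xlsx", True),          # hidden legitimate document
    ("Budget 2015.exe", False),          # visible executable with the same name
    (r"Reports\Summary.docx", True),
    (r"Reports\Summary.scr", False),
    ("Notes.txt", False),                # ordinary visible document, no twin
    ("Setup.exe", False),                # executable with no hidden document twin
    (r"Reports\Old.docx", True),         # hidden document with no twin
]


def run_sample():
    return triage_listing(SAMPLE_LISTING)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample the routine reports the autorun.inf and the two decoy pairs, and ignores the lone hidden document and the lone executable. To run it against a mounted drive on an analysis workstation, pass `listing_from_directory(r"E:\")` to `triage_listing`; on non-Windows hosts the hidden flag falls back to the dot-prefix convention, so a drive imaged elsewhere should be checked with the original attributes.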
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cc70a3677386… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye Labs. (2015, April). APT30 and the Mechanics of a Long-Running Cyber Espionage Operation. Retrieved November 17, 2024.
[2] mitre-attack: S0028 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.