S0031: BACKSPACE
Analyst context for executives and security teams
BACKSPACE is a Windows backdoor associated in ATT&CK with APT30 and documented as dating back to at least 2005. Its decision value is not that it is new, but that the mapped behaviors cover a practical intrusion lifecycle: persistence through registry run keys or shortcuts, host discovery, command execution, web-based command-and-control, internal proxying, encoded C2, possible firewall impairment, and exfiltration over the C2 channel. For leaders, this is a useful test case for whether Windows endpoint, network, and incident response capabilities can prove what a backdoor did after initial access.
Executive priority
Prioritize this as a control-validation and response-readiness scenario rather than a standalone malware alert. Executives should ask whether the organization can rapidly answer: which Windows hosts changed startup or registry settings, which processes launched command shells, what web traffic looked abnormal, whether data left over an existing C2 channel, and whether firewall settings were modified. These answers support business continuity, incident scoping, audit evidence, and decisions about containment when a backdoor may have persistence and exfiltration capability.
Technical view
SOC and IR teams should validate coverage around the ATT&CK relationships supplied for BACKSPACE: Windows Command Shell execution, registry query and modification, registry run key or startup folder persistence, shortcut modification, process/system/file discovery, web-protocol C2, multi-stage channels, internal proxy behavior, non-standard encoding, firewall modification, and exfiltration over C2. Because ATT&CK provides no official detection text for this malware, detection engineering should be behavior-led and correlation-based rather than relying on a named signature alone.
Likely telemetry
- Windows endpoint process creation events, including command shell launches and parent/child process context
- Windows Registry access and modification telemetry, especially Run keys and other startup-related locations
- Startup folder and shortcut file creation or modification events
- Host firewall configuration, service, and rule-change logs
- File and directory enumeration activity where endpoint telemetry supports it
Detection direction
- Build detections around combinations of behaviors: persistence change plus command shell execution plus outbound web traffic is more meaningful than any single event alone.
- Tune registry and startup-folder monitoring to reduce administrative noise while preserving visibility into new or modified autorun entries on Windows hosts.
- Review command shell detections for remote or unusual parent processes, but account for legitimate administrative scripts and software management activity.
- Analyze web protocol traffic for unusual beaconing, rare destinations, abnormal request patterns, or encoded payload characteristics; avoid assuming all HTTP/S traffic is benign.
- Validate whether internal east-west traffic can reveal proxy-like behavior, since internal proxying can reduce the number of systems making direct outbound C2 connections.
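As an added example (not code from this page, MITRE, or the FireEye report), the correlation in the first bullet expressed over constructed, normalized event records: a host is flagged only when a Run-key or startup-shortcut persistence change, a cmd.exe launch, and outbound HTTP all fall inside one time window. The event shape, hostnames, paths and URLs are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a normalized shape (host, timestamp, kind, detail).
# These are made-up records, not telemetry from any real BACKSPACE incident.
EVENTS = [
    ("ws-01", "2024-11-17T09:00:05", "file", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"),
    ("ws-01", "2024-11-17T09:00:12", "proc", r"C:\Windows\System32\cmd.exe"),
    ("ws-01", "2024-11-17T09:01:40", "http", "http://203.0.113.10/index.html"),
    ("ws-02", "2024-11-17T10:15:00", "proc", r"C:\Windows\System32\cmd.exe"),   # shell + web, no persistence
    ("ws-02", "2024-11-17T10:16:00", "http", "http://203.0.113.10/index.html"),
    ("ws-03", "2024-11-17T11:00:00", "reg",  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),  # persistence only
    ("ws-04", "2024-11-17T08:00:00", "reg",  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),  # all three, hours apart
    ("ws-04", "2024-11-17T12:00:00", "proc", r"C:\Windows\System32\cmd.exe"),
    ("ws-04", "2024-11-17T12:30:00", "http", "http://203.0.113.10/index.html"),
]

def classify(kind, detail):
    """Map one event to a BACKSPACE-relevant behaviour, or None if it is not of interest."""
    d = detail.lower()
    if kind == "reg" and "\\currentversion\\run" in d:
        return "persistence"          # T1547.001 Run key write
    if kind == "file" and "\\startup\\" in d and d.endswith(".lnk"):
        return "persistence"          # T1547.001 / T1547.009 startup-folder shortcut
    if kind == "proc" and d.endswith("\\cmd.exe"):
        return "shell"                # T1059.003 Windows Command Shell
    if kind == "http":
        return "web"                  # T1071.001 web-protocol C2 candidate
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Return {host: persistence_timestamp} for hosts where persistence, shell and
    web behaviour all occur within `window` of a persistence change."""
    by_host = {}
    for host, ts, kind, detail in events:
        behaviour = classify(kind, detail)
        if behaviour:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), behaviour))
    hits = {}
    for host, evs in by_host.items():
        for t0, b0 in evs:
            if b0 != "persistence":
                continue
            # Behaviours seen on this host within +/- window of the persistence event
            seen = {b for t, b in evs if abs(t - t0) <= window}
            if {"persistence", "shell", "web"} <= seen:
                hits[host] = t0.isoformat()
                break
    return hits
```

Widening the window trades fewer missed slow-moving intrusions for more benign hits from administrative activity, which is the tuning decision the second and third bullets describe.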
Mitigation priorities
- Ensure Windows endpoint logging and centralized retention are sufficient to investigate registry, startup, process, firewall, and network behaviors.
- Harden and monitor persistence locations such as Registry Run keys, startup folders, and shortcut-based execution paths.
- Restrict and monitor unnecessary command shell use where operationally feasible, especially from unusual parent processes or user contexts.
- Apply least privilege so ordinary user contexts cannot broadly modify sensitive registry areas or firewall configuration.
- Maintain egress controls and proxy logging for web protocols so C2 and exfiltration-over-C2 behaviors can be investigated.
Analyst notes and limits
The ATT&CK object identifies BACKSPACE as a Windows backdoor used by APT30, with a FireEye APT30 report as the main cited source. The most useful defensive context comes from the mapped technique relationships, which indicate the behaviors defenders should validate across endpoint and network controls. Treat the group relationship as ATT&CK context, not as proof of attribution in any local incident.
Official detection guidance is not provided for this malware object, and the object itself lists no tactics. This assessment is therefore based on the supplied description, the Windows platform field, the external references, and the ATT&CK relationship context. Local telemetry, baselines, and incident evidence are required before asserting compromise, attribution, impact, or detection coverage.
BACKSPACE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | During its initial execution, BACKSPACE extracts operating system information from the infected host. [1] |
| Enterprise | T1112 | Modify Registry | BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1012 | Query Registry | BACKSPACE is capable of enumerating and making modifications to an infected system's Registry. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | BACKSPACE uses HTTP as a transport to communicate with its command server. [1] |
| Enterprise | T1057 | Process Discovery | BACKSPACE may collect information about running processes. [1] |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | Newer variants of BACKSPACE will encode C2 communications with a custom system. [1] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | The "ZJ" variant of BACKSPACE allows "ZJ link" infections with Internet access to relay traffic from "ZJ listen" to a command server. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Adversaries can direct BACKSPACE to upload files to the C2 Server. [1] |
| Enterprise | T1083 | File and Directory Discovery | BACKSPACE allows adversaries to search for files. [1] |
| Enterprise | T1104 | Multi-Stage Channels | BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware. [1] |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory. [1] |
| Enterprise | T1686 | Disable or Modify System Firewall | The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed. [1] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | aa81b2df2b07… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT30: FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
- [2] mitre-attack S0031
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.