S0035: SPACESHIP
Analyst context for executives and security teams
SPACESHIP matters because it represents malware behavior designed for environments where removable media can bridge disconnected Windows systems. The supplied ATT&CK context links it to propagation and data exfiltration over removable devices, including potential movement across air-gaps. For leaders, the key issue is not only malware detection; it is whether the organization can prove control over USB use, local data staging, persistence, and evidence collection on systems that may be less connected to central monitoring.
Executive priority
Prioritize this as a removable-media and air-gap governance risk. Ask whether high-value Windows environments allow USB storage, whether exceptions are documented, whether removable-media activity is logged, and whether incident responders can reconstruct file movement when systems are isolated or intermittently connected. This is especially relevant for business continuity, compliance evidence, sensitive-data handling, and cyber-physical or operational environments where air-gaps are used as a risk control.
Technical view
ATT&CK provides no detection section for SPACESHIP, so validation has to be built from the related techniques: Exfiltration over USB, Local Data Staging, File and Directory Discovery, Registry Run Keys / Startup Folder, Shortcut Modification, and Archive via Custom Method. SOC and IR teams should confirm that Windows telemetry can show removable-device insertion, file copies to and from removable media, suspicious staging directories under user profiles, creation of unusual archive or encoded files, Startup-folder and Run-key changes, and shortcut creation or modification. Because the software object carries no tactics of its own, map detection coverage through the related techniques rather than relying on the malware name alone.
Likely telemetry
- Windows endpoint detection and response events for process execution, file creation, file modification, and persistence changes
- USB/removable storage insertion and mount history
- File copy activity involving removable drives and sensitive directories
- Registry Run key monitoring and Startup folder file creation events
- Shortcut file creation or modification events, especially in startup locations
Detection direction
- Validate removable-media monitoring before assuming an air-gap is observable; disconnected systems may not forward events in real time.
- Tune for combinations of behaviors: discovery of files, staging, archive creation, persistence changes, and subsequent removable-drive writes.
- Review false positives from legitimate backup, software deployment, engineering transfer, and administrative USB workflows.
- Baseline approved removable-media use and investigate deviations by device, user, host, file type, and destination path.
- Hunt for persistence through Run keys, Startup folders, and modified shortcuts on Windows systems that handle sensitive or isolated data.
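The combination rule above is easiest to reason about as code. The block below is an added illustration, not tooling from the page, from Glexia or from the FireEye report: it correlates normalized endpoint events per host and alerts only when local staging, Startup-folder or Run-key persistence, and a write to removable media after a device insertion all occur inside one window. The event schema, the thresholds and the sample events are constructed assumptions, not a specific EDR or Sysmon format; the second host shows the legitimate engineering USB transfer that must not alert on its own.

```python
"""Correlate the behavior chain ATT&CK attributes to SPACESHIP (local staging,
Startup-folder shortcut or Run-key persistence, then writes to removable media
after a device is inserted) over normalized endpoint events. Added illustration;
the event records are constructed and the schema is an assumption, not a
particular EDR or Sysmon format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed normalized schema: ts (ISO-8601), host, kind in
# {"file_create", "registry_set", "usb_insert"}, path, removable (bool).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PROFILE_DIR = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")
STAGING_MIN_FILES = 5           # tuning knob: below this, treat copies as routine
WINDOW = timedelta(hours=24)    # tuning knob: how long the whole chain may take


def stage_of(ev):
    """Map one event to a chain stage, or None when it is not interesting."""
    kind, path = ev["kind"], ev.get("path", "")
    if kind == "usb_insert":
        return "usb_insert"
    if kind == "registry_set" and RUN_KEY.search(path):
        return "persistence"
    if kind == "file_create":
        if STARTUP_LNK.search(path):
            return "persistence"
        if ev.get("removable"):
            return "usb_write"
        if PROFILE_DIR.match(path) and path.lower().endswith(DOC_EXT):
            return "staging_copy"
    return None


def correlate(events):
    """Return {host: verdict}. A host alerts only when staging, persistence and a
    removable-drive write after a device insertion all occur inside WINDOW,
    measured from the host's first interesting event."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    verdicts = {}
    for host, rows in by_host.items():
        start = rows[0][0]
        window = [r for r in rows if r[0] - start <= WINDOW]
        staged = {r[2]["path"] for r in window if r[1] == "staging_copy"}
        inserts = [r[0] for r in window if r[1] == "usb_insert"]
        stages = {
            "staging": len(staged) >= STAGING_MIN_FILES,
            "persistence": any(r[1] == "persistence" for r in window),
            "usb_write_after_insert": bool(inserts) and any(
                r[1] == "usb_write" and r[0] >= min(inserts) for r in window),
        }
        verdicts[host] = {"stages": stages, "staged_files": len(staged),
                          "alert": all(stages.values())}
    return verdicts


# Constructed events. ws-17 shows the full chain; eng-02 is an engineer copying
# a build to a USB stick, which must not alert on its own.
_PROFILE = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "host": "ws-17", "kind": "file_create",
     "path": _PROFILE + r"\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
] + [
    {"ts": f"2024-03-04T09:05:{i:02d}", "host": "ws-17", "kind": "file_create",
     "path": _PROFILE + rf"\cache\doc{i}.docx"} for i in range(5)
] + [
    {"ts": "2024-03-04T13:20:00", "host": "ws-17", "kind": "usb_insert"},
    {"ts": "2024-03-04T13:21:00", "host": "ws-17", "kind": "file_create",
     "path": r"E:\cache.dat", "removable": True},
    {"ts": "2024-03-04T10:00:00", "host": "eng-02", "kind": "usb_insert"},
    {"ts": "2024-03-04T10:02:00", "host": "eng-02", "kind": "file_create",
     "path": r"F:\firmware\build.bin", "removable": True},
]


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(host, "ALERT" if verdict["alert"] else "ok", verdict["stages"])
```

The two thresholds are where false-positive tuning happens: raise STAGING_MIN_FILES or shorten WINDOW for hosts with heavy approved USB workflows, and feed the rule from a path allowlist for known deployment and backup directories. Requiring the removable write to follow an insertion event is what keeps the engineer's copy on eng-02 from alerting without the other stages.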
Mitigation priorities
- Establish policy and technical controls for removable storage, with documented exceptions for operational needs.
- Limit USB storage use on sensitive Windows systems and monitor all approved transfer workflows.
- Harden Windows persistence locations by monitoring and controlling Registry Run keys, Startup folders, and shortcut changes.
- Protect sensitive data locations with access controls and logging so staging and bulk copying are easier to detect.
- Ensure isolated or air-gapped environments have an evidence collection and incident response process, even when continuous telemetry is limited.
Analyst notes and limits
The official object identifies SPACESHIP as APT30-developed malware for removable-device propagation and exfiltration, with possible use across air-gaps. Relationship context supplies the practical behavior map: USB exfiltration, local staging, file and directory discovery, Windows persistence via Run keys/startup locations and shortcuts, and custom archiving. This supports a defensive focus on removable-media governance, Windows endpoint telemetry, and response readiness for disconnected systems.
ATT&CK provides no official detection text for SPACESHIP, no aliases, and no tactics on the malware object itself. The malware platform is Windows; some related techniques list broader platforms, but this analysis assumes Windows only for SPACESHIP. Local validation is required to determine whether the organization collects the necessary telemetry and which removable-media workflows it permits.
SPACESHIP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1052.001 | Exfiltration over USB (sub-technique) | SPACESHIP copies staged data to removable drives when they are inserted into the system. [1] |
| Enterprise | T1560.003 | Archive via Custom Method (sub-technique) | Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1] |
| Enterprise | T1547.009 | Shortcut Modification (sub-technique) | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile. [1] |
| Enterprise | T1083 | File and Directory Discovery | SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time. [1] |
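The T1560.003 row is specific enough to turn into a triage tool for files found in a suspected staging directory. The block below is an added illustration written for this page; it is not code from the FireEye report, from ATT&CK or from SPACESHIP itself. It reads "rotated by four positions" as a per-byte bit rotation (on an 8-bit value that is a nibble swap whichever direction is meant) applied after zlib compression and before the XOR with 0x23; that ordering and that reading are assumptions, and a sample that turns out to use a different convention would need the two steps swapped. The sample document and file names are constructed.

```python
"""Encode/decode for the staging-file transform ATT&CK describes for SPACESHIP
(zlib, then a four-position byte rotation, then XOR 0x23). Added illustration,
not code from the FireEye report or from ATT&CK. Assumptions: the rotation is a
per-byte bit rotation (a nibble swap on 8-bit values, so direction does not
matter), and it is applied before the XOR."""
import zlib

XOR_KEY = 0x23  # from the ATT&CK procedure text


def rot4(b: int) -> int:
    """Rotate one byte by four bit positions (nibble swap). Self-inverse."""
    return ((b << 4) | (b >> 4)) & 0xFF


def encode(data: bytes) -> bytes:
    """Replicate the transform: zlib-compress, rotate each byte, XOR with 0x23."""
    return bytes(rot4(b) ^ XOR_KEY for b in zlib.compress(data))


def decode(blob: bytes) -> bytes:
    """Inverse transform. Raises zlib.error when blob was not produced this way."""
    return zlib.decompress(bytes(rot4(b ^ XOR_KEY) for b in blob))


def has_transformed_zlib_header(blob: bytes) -> bool:
    """Cheap triage check: after undoing the transform on the first two bytes, is
    there a valid zlib header (CM == 8 and the CMF/FLG check modulo 31)?"""
    if len(blob) < 2:
        return False
    cmf, flg = rot4(blob[0] ^ XOR_KEY), rot4(blob[1] ^ XOR_KEY)
    return (cmf & 0x0F) == 8 and (cmf * 256 + flg) % 31 == 0


def triage(files: dict) -> dict:
    """Given {name: bytes} collected from a suspected staging directory, return
    the names that decode cleanly, mapped to the recovered plaintext size."""
    hits = {}
    for name, blob in files.items():
        if not has_transformed_zlib_header(blob):
            continue
        try:
            hits[name] = len(decode(blob))
        except zlib.error:
            pass  # header looked right by chance; body did not inflate
    return hits


# Constructed sample: a fake document, its transformed copy as the malware would
# leave it in the staging area, and an unrelated plain file.
SAMPLE_DOC = b"Quarterly production schedule, plant 3 (constructed sample)\n" * 20
SAMPLE_FILES = {
    "q3.docx": SAMPLE_DOC,           # plain file, must not be flagged
    "a1.dat": encode(SAMPLE_DOC),    # transformed, should be flagged
    "notes.txt": b"nothing to see",  # plain, short
}


def demo() -> dict:
    return triage(SAMPLE_FILES)


if __name__ == "__main__":
    print(demo())
```

Running the header check before the full decode keeps the scan cheap over a large directory; a file whose first two bytes pass but whose body does not inflate is dropped rather than reported. If the real samples use a different rotation convention, only rot4 and the order of operations in encode and decode change.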
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 789af0693d46… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT30: FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
- [2] mitre-attack S0035: MITRE ATT&CK software object S0035 (SPACESHIP).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.