S0036: FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
Analyst context for executives and security teams
FLASHFLOOD matters because it represents malware designed for Windows environments where removable media can become both a propagation path and a data-exfiltration path. The key business issue is not only endpoint infection; it is whether sensitive data can move through USB or similar media, including across segmented or air-gapped workflows where normal network monitoring may not see the activity.
Executive priority
Prioritize this behavior where removable media is permitted, required for operations, or used to bridge isolated networks. Leaders should ask whether the organization can prove who used removable media, what data moved, whether Windows persistence locations are monitored, and how incident responders would investigate data movement that never crossed a network sensor. This is relevant to operational resilience, audit evidence, data-loss governance, and cyber-physical environments that rely on air-gapped or semi-isolated systems.
Technical view
ATT&CK lists FLASHFLOOD as Windows malware developed by APT30, with relationships to collection, discovery, local staging, custom archiving, removable-media collection, and Registry Run Keys/Startup Folder persistence. SOC and IR teams should validate coverage around removable-device activity, file and directory enumeration, local collection/staging behavior, archive-like file creation using nonstandard methods, and Windows autorun persistence locations. Because MITRE provides no official detection text for this object, detections should be built from the related techniques and tested against local removable-media workflows.
Likely telemetry
- Windows endpoint process, file, and registry telemetry
- Removable media insertion, mount, serial/device identifier, and user association logs
- File read/write/copy activity involving removable drives
- File and directory enumeration activity on local systems and removable media
- Creation or modification of local staging directories and bundled or archive-like files
Detection direction
- Baseline legitimate removable-media use by role, host group, and operational workflow before alerting aggressively.
- Correlate removable media insertion with unusual file enumeration, bulk file access, local staging, or archive-like output.
- Monitor Windows Run Keys and Startup Folder changes, especially when tied to binaries or scripts located in user-writable paths or removable media paths.
- Look for data movement patterns that bypass network exfiltration controls, since removable-media exfiltration may leave little or no network evidence.
- Treat false positives carefully in environments where USB media is operationally required; detections should distinguish approved maintenance or transfer workflows from unexpected collection and staging behavior.
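One way to turn the detection direction above into a testable rule, as an added example that is not part of the ATT&CK page or any vendor product: per host, take each removable-media insertion and look, within a short window, for the three behaviours the page associates with FLASHFLOOD (bulk file reads, a write into the staging directory the page names, and a Run-key change), then suppress hits that an approved transfer workflow fully explains. The pipe-separated log format, the event names, the thresholds, the `APPROVED` allowlist and every sample line are constructed for this example.

```python
"""Correlate removable-media insertion with bulk file access, local staging
and Run-key persistence on the same host inside a time window.

Added example, not code from the ATT&CK page. Log format (ts|host|user|event|detail),
event names, thresholds and sample lines are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS01 shows the full chain, WS02 a single
# benign read, WS03 an approved maintenance transfer with many reads.
SAMPLE_LOG = r"""
2024-11-17T09:00:05|WS01|alice|usb_insert|serial=4C530001
2024-11-17T09:00:20|WS01|alice|file_read|E:\reports\q3.docx
2024-11-17T09:00:21|WS01|alice|file_read|C:\Users\alice\Desktop\budget.xlsx
2024-11-17T09:00:22|WS01|alice|file_read|C:\Users\alice\Desktop\contacts.wab
2024-11-17T09:00:23|WS01|alice|file_read|C:\Users\alice\Recent\plan.doc
2024-11-17T09:00:24|WS01|alice|file_read|C:\Temp\notes.txt
2024-11-17T09:01:10|WS01|alice|file_write|C:\Windows\$NtUninstallKB885884$\a1.dat
2024-11-17T09:01:30|WS01|alice|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
2024-11-17T10:15:00|WS02|bob|usb_insert|serial=4C530002
2024-11-17T10:15:30|WS02|bob|file_read|E:\transfer\maintenance.pdf
2024-11-17T12:00:00|WS03|carol|usb_insert|serial=4C530003
2024-11-17T12:00:10|WS03|carol|file_read|E:\firmware\img1.bin
2024-11-17T12:00:11|WS03|carol|file_read|E:\firmware\img2.bin
2024-11-17T12:00:12|WS03|carol|file_read|E:\firmware\img3.bin
2024-11-17T12:00:13|WS03|carol|file_read|E:\firmware\img4.bin
2024-11-17T12:00:14|WS03|carol|file_read|E:\firmware\img5.bin
2024-11-17T12:00:15|WS03|carol|file_read|E:\firmware\img6.bin
"""

WINDOW = timedelta(minutes=10)          # assumption: look 10 minutes past insertion
BULK_READ_THRESHOLD = 5                 # assumption: tune from your baseline
# Staging directory named on the page (%WINDIR%\$NtUninstallKB885884$\), matched loosely.
STAGING_PATH_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Constructed allowlist of (host, user) pairs whose media transfers are approved.
APPROVED = {("WS03", "carol")}


def parse_log(text: str) -> list[dict]:
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "event": event, "detail": detail})
    return events


def correlate(events: list[dict]) -> list[dict]:
    """Return one finding per insertion that is followed by suspicious activity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for ins in (e for e in evs if e["event"] == "usb_insert"):
            end = ins["ts"] + WINDOW
            follow = [e for e in evs if ins["ts"] <= e["ts"] <= end and e is not ins]
            reads = sum(1 for e in follow if e["event"] == "file_read")
            staging = any(e["event"] == "file_write" and STAGING_PATH_RE.search(e["detail"])
                          for e in follow)
            runkey = any(e["event"] == "reg_set" and RUN_KEY_RE.search(e["detail"])
                         for e in follow)

            reasons = []
            if reads >= BULK_READ_THRESHOLD:
                reasons.append(f"bulk_read:{reads}")
            if staging:
                reasons.append("staging_write")
            if runkey:
                reasons.append("run_key_persistence")
            if not reasons:
                continue
            # An approved workflow explains bulk reads, never staging or persistence.
            if (host, ins["user"]) in APPROVED and reasons == [f"bulk_read:{reads}"]:
                continue
            findings.append({"host": host, "user": ins["user"], "device": ins["detail"],
                             "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f)
```

The score is simply the number of independent indicators seen after the insertion; a single indicator (bulk reads alone, as on WS03) is where operational USB use generates noise, so the allowlist only ever suppresses that case, while a staging write or Run-key change still surfaces even on an approved host.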
Mitigation priorities
- Inventory where removable media is allowed, required, or prohibited, with special attention to isolated and air-gapped workflows.
- Apply removable-media governance: approval, logging, scanning, and least-privilege access to sensitive systems and data stores.
- Harden and monitor Windows persistence locations such as Registry Run Keys and Startup Folders.
- Limit unnecessary access to sensitive local files and directories so collection from compromised hosts has less value.
- Establish IR procedures for removable-media investigations, including device identification, host timeline review, and data-staging analysis.
Analyst notes and limits
The strongest decision value is around removable-media risk management and evidence collection. FLASHFLOOD is associated through ATT&CK with APT30 and techniques covering discovery, collection, staging, custom archiving, and Windows persistence. This should inform control validation rather than assumptions about current targeting or exposure.
MITRE provides no official detection text, no aliases, and no explicit tactics on the malware object itself. The assessment is limited to the supplied ATT&CK description, external reference, and relationships; local telemetry, removable-media policy, and endpoint visibility are required to determine actual risk and coverage.
FLASHFLOOD
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | FLASHFLOOD achieves persistence by making an entry in the Registry's Run key. [1] |
| Enterprise | T1083 | File and Directory Discovery | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media. [1] |
| Enterprise | T1025 | Data from Removable Media | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP. [1] |
| Enterprise | T1074.001 | Local Data Staging | FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory. [1] |
| Enterprise | T1560.003 | Archive via Custom Method | FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23. [1] |
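The T1560.003 row describes the staging encoding precisely enough to reverse it, which is what an incident responder needs when files turn up in the staging directory above. The following is an added forensic example, not code from the ATT&CK page, MITRE or FireEye: it undoes the XOR and rotation and inflates the zlib stream, and includes a cheap triage check for "archive-like files created by a nonstandard method". The one assumption is that "rotated four times" means a bitwise rotation of each byte by four positions; for 8-bit values a 4-bit rotation is identical in either direction, so decoding does not depend on which way the original rotates. The forward transform is included only to build a constructed sample blob for the decoder.

```python
"""Decode the staging format the ATT&CK entry attributes to FLASHFLOOD/SPACESHIP:
zlib compression, each byte rotated four bit positions, then XOR with 0x23.

Added example, not code from the page, MITRE or FireEye. Assumption: the
rotation is a per-byte bitwise rotation by four positions (a nibble swap).
"""
import zlib

XOR_KEY = 0x23


def rot4(b: int) -> int:
    """Rotate an 8-bit value by four positions; left and right agree for 4 of 8 bits."""
    return ((b << 4) | (b >> 4)) & 0xFF


def decode_staged(blob: bytes) -> bytes:
    """Reverse the encoding: undo the XOR, undo the rotation, then inflate."""
    unrotated = bytes(rot4(b ^ XOR_KEY) for b in blob)
    return zlib.decompress(unrotated)


def encode_staged(data: bytes) -> bytes:
    """Forward transform, used here only to construct a sample blob for testing."""
    return bytes(rot4(b) ^ XOR_KEY for b in zlib.compress(data))


def looks_staged(blob: bytes) -> bool:
    """Triage check for a staging-directory file: a zlib stream written by the
    default deflate settings starts with CMF byte 0x78, so undoing XOR and
    rotation on the first byte should yield 0x78."""
    if not blob:
        return False
    return rot4(blob[0] ^ XOR_KEY) == 0x78


def try_decode(blob: bytes):
    """Return the decoded bytes, or None when the blob is not in this format."""
    if not looks_staged(blob):
        return None
    try:
        return decode_staged(blob)
    except zlib.error:
        return None


# Constructed sample: a plaintext document and its encoded form.
SAMPLE_PLAINTEXT = b"constructed sample: quarterly report contents\n" * 20
SAMPLE_BLOB = encode_staged(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("looks staged:", looks_staged(SAMPLE_BLOB))
    print("round trip ok:", decode_staged(SAMPLE_BLOB) == SAMPLE_PLAINTEXT)
    print("plain file rejected:", try_decode(b"plain text file") is None)
```

`looks_staged` is a first-byte check only, so it is a filter for which files to attempt decoding, not proof of format; `try_decode` relies on zlib's own header and checksum validation to confirm the result.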
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 133309f65b72… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT30: FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
[2] mitre-attack S0036: MITRE ATT&CK software entry S0036 (FLASHFLOOD).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.