APT30
One of the longest-running documented espionage operations in history, active since at least 2005, with controller software that appears to date to 2004. APT30 is singular in its focus: Southeast Asian political dynamics, ASEAN deliberations, disputed territorial claims, and journalists covering China-sensitive topics. It is remarkable not for zero-day sophistication but for a decade of operational consistency (the same tools, the same targets, the same mission) and for a capability built in from the start: bridging air-gapped networks by infecting removable drives and propagating across physical security boundaries.
Overview
When FireEye's Singapore-based labs team examined malware predominantly targeting entities in Southeast Asia and India, what they uncovered was not a recently formed group capitalizing on new vulnerabilities. They were looking at a decade of continuous, disciplined state-sponsored espionage: an operation running since at least 2005, with controller software that appears to have been developed as early as 2004. FireEye designated the group APT30 in its April 2015 report "APT30 and the Mechanics of a Long-Running Cyber Espionage Operation," which remains the foundational public documentation of this actor. Other vendor designations: Override Panda (CrowdStrike), Bronze Geneva / Bronze Sterling / CTG-5326 (SecureWorks), and Raspberry Typhoon / RADIUM (Microsoft). The Microsoft MSTIC public naming map lists APT30 as an "Other name" for Raspberry Typhoon, but Microsoft applies the same designation to Lotus Blossom, which MITRE ATT&CK tracks separately as G0030; this is a recurring source of confusion in community reporting. Per MITRE, APT30 (G0013) and Lotus Blossom (G0030) are distinct tracked groups, although some community sources, including Malpedia and Cyble, collapse them.
What distinguishes APT30 from virtually every other documented Chinese APT group is not technical sophistication in the conventional sense — the group does not rely on zero-day exploits, and its individual malware components are not more advanced than those used by peer groups. What distinguishes APT30 is its operational longevity and mission consistency. For more than a decade, the group pursued the same targets using the same core toolset, refining and evolving its malware through a structured, versioned development process rather than replacing tools. The BACKSPACE backdoor family dates to at least 2005 and was still in use at the time of the 2015 report. The group's controller software — a full-featured GUI application called the "NetEagle Remote Control System" — indicates a professional, organized development environment with built-in version management, target prioritization, shift-work indicators, and automated update distribution.
APT30's mission is narrow and geopolitically coherent: the group focuses on acquiring sensitive intelligence about Southeast Asian political dynamics, ASEAN deliberations and summit outcomes, territorial disputes in the South China Sea, India-China military relations, and information about journalists and media organizations covering topics of relevance to China's government and the Communist Party's legitimacy. FireEye assessed that APT30 does not appear to be motivated by financial gain or the theft of commercially valuable intellectual property in the conventional sense. The stolen data — government documents, diplomatic correspondence, military assessments, journalistic source networks — serves the information requirements of a state that needs to understand, anticipate, and in some cases suppress political developments across its region.
A feature built into APT30's toolkit from the very beginning of documented operations in 2005 — earlier than many other APT campaigns — is the capability to cross air-gapped networks. The SHIPSHAPE, SPACESHIP, and FLASHFLOOD tools form a relay system that infects removable drives attached to internet-connected machines, carries malware into air-gapped environments when those drives are physically moved to isolated systems, collects files and data from the air-gapped host, and stages the collected data for exfiltration when the drive is reinserted into an internet-connected machine. This architecture reflects a deliberate intelligence assessment: the most sensitive government and military systems are not connected to the internet, and reaching them requires crossing the physical security boundary through the one vector that does — a USB drive carried by a human.
Attribution to the Chinese government is assessed with high confidence based on the group's consistent targeting alignment with Chinese state interests, Chinese-language artifacts in malware metadata and controller GUI strings (网络神鹰远程控制系统, the NetEagle Remote Control System), and the decade-long operational pattern. Kaspersky has noted characteristics shared between APT30 and Naikon (G0019); MITRE notes the two groups do not appear to be exact matches. The Raspberry Typhoon / Lotus Blossom naming overlap described above leads some community sources to merge three clusters into one; this profile follows the MITRE taxonomy, which keeps APT30 (G0013) and Lotus Blossom (G0030) as separate tracked clusters with distinct tool sets and operational histories. No specific PLA unit or MSS bureau has been publicly identified for APT30, and no DOJ indictment has been filed against APT30 members.
Target Profile
APT30's targeting is among the most geographically and thematically concentrated of any documented Chinese APT. Where groups like APT1 swept broadly across industrial sectors and APT18 focused on healthcare IP, APT30 has a single intelligence mandate: Southeast Asia and India, with attention to whatever threatens the stability, legitimacy, or strategic position of the Chinese state in its immediate region.
- ASEAN Member State Governments: The Association of Southeast Asian Nations and its ten member states — Vietnam, Thailand, Malaysia, Indonesia, Philippines, Singapore, Myanmar, Cambodia, Laos, and Brunei — are the central targeting focus. APT30 deployed ASEAN-themed infrastructure and customized tooling around specific ASEAN summits, with customized malware deployed in the weeks before the January and April 2013 summits. Summit outcomes, diplomatic positions, and member state negotiations on South China Sea issues are the primary intelligence targets.
- India: A consistent secondary focus, reflecting ongoing India-China territorial disputes and military competition. FireEye documented specific spear-phishing lures referencing Indian aircraft carrier programs and oceanographic monitoring processes, indicating a specific interest in Indian naval activity and maritime capability in disputed waters. Indian aerospace companies and telecommunications firms are documented victims.
- South China Sea Claimants: Vietnam, Malaysia, and the Philippines — all involved in overlapping territorial disputes with China in the South China Sea — receive particular attention. Intelligence collection on military deployments, diplomatic positions, and alliance coordination between these states and the United States is consistent with the group's documented lure content.
- Journalists and Media Organizations: APT30 explicitly targets media organizations and journalists who cover Southeast Asian affairs, China-related topics, and stories that could embarrass or undermine the CCP's domestic or international legitimacy. The group's lures impersonating media topics and its documented interest in journalistic source networks indicate a combined collection and counter-journalism mandate.
- Regional Government Ministries: Finance ministries, foreign affairs ministries, defense ministries, and intelligence agencies across ASEAN are targeted for policy documents, diplomatic cables, military assessments, and strategic planning materials that illuminate government decision-making on topics of interest to China.
- Think Tanks and Political Analysts: Organizations and individuals analyzing Southeast Asian politics, China's regional influence, and ASEAN affairs are targeted to identify the intellectual and analytical community shaping policy positions that China seeks to understand and anticipate.
- Saudi Arabia and South Korea: Documented secondary targets beyond the core Southeast Asian focus, suggesting APT30's intelligence mandate extends to other regions of strategic interest to the Chinese state, particularly on energy and alliance relationships.
Tactics, Techniques & Procedures
APT30's TTPs are defined less by technical novelty and more by disciplined consistency and organizational sophistication. The group uses a professional, well-maintained controller application with GUI-based target management, shift-work indicators, and automated update distribution. No zero-days have been observed. The group succeeds because its targets are not well-defended — and because ten years of refinement applied to a stable, known-to-work toolkit is more operationally reliable than constantly introducing new, untested tools.
| mitre id | technique | description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | Primary initial access method. Malicious DOC attachments containing APT30's backdoor families (BACKSPACE, NETEAGLE) are delivered via spear-phishing campaigns. Lures are consistently topical to the target's work — regional security issues, ASEAN summit agendas, India-China military relations, South China Sea territorial disputes, and media topics relevant to journalists. FireEye explicitly noted that lures are crafted to reflect the specific professional interests of recipients, not generic phishing themes. |
| T1091 | Replication Through Removable Media | SHIPSHAPE infects removable drives attached to compromised internet-connected machines, hiding original files on the drive and replacing visible items with SPACESHIP executable copies named after the original files. When a victim inserts the infected drive into an air-gapped machine and opens what appears to be a legitimate document, SPACESHIP executes, infecting the isolated system. This is APT30's mechanism for crossing air-gaps — built in since 2005. |
| T1025 | Data from Removable Media | SPACESHIP and FLASHFLOOD collect files from air-gapped hosts based on specified file extensions, staging the collected data to a hidden directory on the removable drive. When the drive is reinserted into an internet-connected machine infected with SHIPSHAPE, FLASHFLOOD retrieves the staged data and passes it to the BACKSPACE controller for exfiltration. The round-trip collection cycle is: infect drive → human carries drive to air-gapped machine → SPACESHIP/FLASHFLOOD collects data → human carries drive back → data exfiltrated. |
| T1071.001 | Web Protocols — Two-Stage C2 | BACKSPACE and NETEAGLE use a two-stage C2 architecture to balance stealth with scalability. Stage one is automated: victim hosts contact an initial C2 domain via HTTP to receive configuration and determine whether to connect to stage two. Stage two involves interactive operator control via the BACKSPACE controller GUI. This staging means operators are not directly interacting with every infected host continuously — they review prioritized hosts and escalate to active control selectively, reducing the chance of detection through anomalous C2 traffic patterns. |
| T1547.001 | Registry Run Keys / Startup Folder | BACKSPACE achieves persistence via multiple documented methods depending on variant: shortcut (.lnk) files placed in the Windows Startup folder, service DLL installation, and Registry Run keys. SHIPSHAPE, which runs on the internet-connected host, likewise persists through a shortcut in the Startup folder; the infected drive itself carries no persistence mechanism, because SPACESHIP runs only when a user opens one of the decoy executables planted on it. The use of multiple persistence mechanisms across variants reflects the group's modular development approach and testing of different persistence strategies against evolving endpoint defenses. |
| T1583.001 | Acquire Infrastructure: Domains | APT30 registers its own DNS domains for C2 and has reused infrastructure over multi-year periods; some domains appear in malware samples across many years of continuous operation. The BACKSPACE C2 exchange itself is plain HTTP (see T1071.001): the backdoor requests a file named "dizhi.gif" from the stage-one server, a recognizable URL pattern that has held across campaign generations and serves as a behavioral indicator independent of any particular domain. |
| T1083 | File and Directory Discovery | BACKSPACE, SPACESHIP, and FLASHFLOOD all include file enumeration capability. SPACESHIP collects specific file extensions from air-gapped machines; FLASHFLOOD has similar enumeration and collection logic. The BACKSPACE controller includes an "Automatically Execute Custom Task" command that retrieves data from predefined paths on victim hosts used as staging locations by both BACKSPACE and the air-gap tools, linking the networked and physical collection infrastructure. |
| T1480 | Execution Guardrails | Some BACKSPACE variants authenticate against the victim's disk serial number, binding a backdoor instance to one host and limiting what an analyst learns by running a captured sample outside its original environment. Across the toolset, APT30 uses consistent mutex and event naming conventions (names containing "Microsoft" or "ZJ") to prevent duplicate instances, and embeds version information so that implants can self-update from C2 infrastructure. These are development-discipline artifacts rather than obfuscation, and they double as durable hunting signatures. |
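The "dizhi.gif" pattern in the rows above is the kind of stage-one indicator that can be turned into a log query. The following is an added example, not FireEye's or APT30's code: it runs two checks over a constructed, tab-separated subset of Zeek's http.log fields (the field names are Zeek's; the traffic is invented for this example). The first check is the documented one, a URI whose basename is dizhi.gif regardless of case or query string. The second is an assumption rather than a documented APT30 trait: a .gif URI whose content-sniffed response type (Zeek's resp_mime_types, which is derived from the bytes, not from the Content-Type header) is not an image, since a "GIF" that carries configuration is not a GIF.

```python
"""Flag BACKSPACE-style stage-one C2 requests in HTTP logs.

Added example, not FireEye or APT30 code. Input is a constructed subset of
Zeek http.log fields; the traffic is invented. The non-image .gif check is a
heuristic assumed for this example, not a documented APT30 behavior.
"""
import posixpath
from urllib.parse import urlsplit

FIELDS = ["ts", "id.orig_h", "id.resp_h", "host", "method", "uri",
          "status_code", "resp_mime_types"]

# Constructed sample log. Zeek fills resp_mime_types by content sniffing and
# writes "-" when it is unset; hostnames use the reserved .example TLD.
SAMPLE_LOG = """\
1428400001.100\t10.20.30.41\t203.0.113.10\tcdn.example\tGET\t/img/logo.gif\t200\timage/gif
1428400002.300\t10.20.30.41\t198.51.100.7\tnews.example\tGET\t/asean/dizhi.gif\t200\ttext/plain
1428400005.800\t10.20.30.42\t198.51.100.7\tnews.example\tGET\t/asean/DIZHI.GIF\t200\t-
1428400009.000\t10.20.30.43\t203.0.113.55\twww.example\tGET\t/downloads/report.pdf\t200\tapplication/pdf
1428400011.400\t10.20.30.44\t198.51.100.9\tcdn.example\tGET\t/pics/banner.gif?ver=3\t200\tapplication/octet-stream
"""


def parse_log(text):
    """Yield one dict per record; Zeek comment lines and blanks are skipped."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield dict(zip(FIELDS, line.split("\t")))


def classify(row):
    """Return an alert dict for a suspicious row, else None."""
    path = urlsplit(row["uri"]).path            # drop any query string
    name = posixpath.basename(path).lower()     # case-insensitive basename
    mime = row.get("resp_mime_types", "-")
    reasons = []
    if name == "dizhi.gif":
        reasons.append(("high", "URI basename dizhi.gif (BACKSPACE stage-one C2 pattern)"))
    if name.endswith(".gif") and mime not in ("-", "") and "image/gif" not in mime:
        reasons.append(("medium", f".gif URI served as {mime}, not an image (heuristic)"))
    if not reasons:
        return None
    return {
        "ts": row["ts"], "src": row["id.orig_h"], "host": row["host"], "uri": row["uri"],
        "severity": "high" if any(s == "high" for s, _ in reasons) else "medium",
        "reasons": [r for _, r in reasons],
    }


def detect(text):
    """Run classify() over a whole log and return alerts in log order."""
    return [a for a in map(classify, parse_log(text)) if a]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["src"], a["host"] + a["uri"], "; ".join(a["reasons"]))
```

On the sample, the two dizhi.gif requests score high (the first also trips the non-image check), the banner.gif served as application/octet-stream scores medium for analyst review, and the real GIF and the PDF produce nothing. Pair the high-severity hits with the destination's registration age from your DNS telemetry before escalating.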
Known Campaigns
APT30's "campaigns" are better understood as a single continuous, decade-long intelligence collection operation with periodic intensifications around geopolitically significant events — particularly ASEAN summits. The group's infrastructure reuse over many years means that individual campaigns are difficult to cleanly separate; they represent waves within an unbroken operational tide.
APT30's controller software — the "NetEagle Remote Control System" — appears to have been developed as early as 2004. The earliest BACKSPACE backdoor variants date to at least 2005. NETEAGLE samples were compiled as early as 2008. The SHIPSHAPE, SPACESHIP, and FLASHFLOOD air-gap toolkit was designed from the beginning of documented operations — 2005 — making APT30 one of the earliest documented APT groups to build deliberate air-gap crossing capability into their initial toolkit. This is not a capability added reactively when network access proved insufficient; it was a founding architectural feature, indicating an intelligence assessment from the outset that the most valuable targets would be physically isolated from the internet.
The decade-long continuous operation documented in FireEye's 2015 report. APT30 targeted national governments, companies across ten industries, and media organizations across the Southeast Asia region and India using the same core toolkit, refreshed through a professional versioned development cycle. Confirmed victims included an Indian aerospace company, an Indian telecommunications firm, and government entities across ASEAN member states. Spear-phishing lures referenced Indian aircraft carrier programs, oceanographic monitoring, India-China military flashpoints in contested border regions, and ongoing South China Sea territorial disputes. The group maintained C2 infrastructure using self-registered DNS domains, with some domains in use for multiple years across overlapping campaign periods.
The clearest documented evidence of APT30's tight coordination with China's diplomatic calendar. In the weeks before the January 2013 and April 2013 ASEAN summits, APT30 deployed customized malware variants and conducted targeted phishing campaigns aimed at ASEAN member state government employees and regional political stakeholders. ASEAN-themed domains and infrastructure were registered specifically for these operations. The group also exploited a major political transition — likely a leadership change in a key ASEAN member state — as phishing lure content in a campaign targeting senior political stakeholders during the transition period. The operational tempo and timing provide strong circumstantial evidence of active intelligence tasking requirements tied to China's diplomatic agenda.
A consistent sub-component of APT30's operations, documented across multiple years in FireEye's analysis. The group specifically targets journalists who cover Southeast Asian affairs and topics related to China's government and the Communist Party's legitimacy. Phishing lures impersonate media topics, press releases, and journalistic content relevant to the targets' beats. The intelligence objective is not merely to monitor reporting — it includes identifying confidential sources and understanding what information journalists hold before publication, consistent with the CCP's documented interest in managing both foreign and domestic press coverage of China-sensitive topics.
Kaspersky and Positive Technologies (two separate security firms) independently documented new APT30 activity in 2019 targeting Malaysia, with a dropper file named "AGENDA.scr" deploying updated NETEAGLE variants. The updated NETEAGLE replaced the internal string "NetEagle" (which had been a detection indicator since the 2015 FireEye report) with "JokerPlay" — a direct response to public exposure. Two additional BACKSPACE variants and new tools (RHttpCtrl, RCtrl) were also identified, suggesting active development of new capabilities alongside the continued refinement of legacy tools. The continued use of known infrastructure — including domains overlapping with the 2015 FireEye disclosures — indicates that even partial infrastructure reuse was deemed operationally acceptable four years after public exposure.
Tools & Malware
APT30's toolkit is unified by a coherent, professional development philosophy: version-controlled, modularly designed, with consistent mutex naming conventions, built-in update mechanisms, and disk serial number authentication in some variants to bind specific instances to specific victims. The tools are not individually more sophisticated than those used by other Chinese APT groups, but they are maintained with the discipline of a software engineering team rather than a one-off hack. FireEye's characterization of the development framework as "coherent" and "sustained" is the key insight — this is product development, not improvisation.
- BACKSPACE (Lecna): APT30's primary backdoor, in continuous development since at least 2005. Two main code branches documented: "ZJ" and "ZR," each compiled with slightly different command sets. Implemented as a standalone EXE, as a DLL, or as an EXE that extracts and launches a DLL at runtime. Persistence via Startup folder shortcuts, service DLL installation, or Registry Run keys depending on variant. Communicates with C2 via HTTP, including the distinctive "dizhi.gif" URL pattern. Supports file upload and download, remote command execution, process management, and registry manipulation. Built-in version check allows the backdoor to update itself to the latest version from C2 infrastructure automatically. The BACKSPACE controller GUI is a full-featured Windows application that tracks victim hostname, internal and external IP addresses, system uptime, OS version, and language — with menus for System, Network, File, Remote, and Attack operations. The controller includes a login prompt for the current "attendant," indicating shift-based operation.
- NETEAGLE (NetEagle Remote Control System): A second, complementary backdoor with samples compiled from 2008 to 2013. Two main versions: "Scout" (older) and "Norton" (newer). Different programming language and command set from BACKSPACE but shares high-level design similarities including C2 update features and two-stage C2 architecture. The "Norton" variant is named to resemble legitimate Norton security software. Supports loading DLL plugin components for extensibility. Internal strings updated post-2015 (NetEagle → JokerPlay) to evade published detection signatures.
- SHIPSHAPE: The first component of APT30's air-gap bridging chain. Runs on internet-connected machines with access to removable drives. Detects inserted removable drives, hides original files and folders on the drive by setting the hidden attribute, and plants SPACESHIP executables on the drive named after the original hidden files, so that victims see apparently legitimate documents and open them, triggering SPACESHIP execution on air-gapped hosts. SHIPSHAPE persists on the infected host via a shortcut in the Startup folder; the drive itself needs no persistence mechanism, since the decoys run when opened.
- SPACESHIP: The payload deployed to air-gapped hosts via infected removable drives. When a victim on an air-gapped machine opens what appears to be a legitimate document (but is actually a SPACESHIP executable), SPACESHIP installs itself and begins collecting files based on a specified set of file extensions, staging the collected data to a hidden directory on the drive for later exfiltration. Uses consistent mutex naming (MicrosoftShipTrZJ) and encoding schemes shared with other APT30 tools.
- FLASHFLOOD: The exfiltration component of the air-gap chain, running on internet-connected machines. When a removable drive previously processed by SPACESHIP on an air-gapped host is reinserted into an internet-connected machine, FLASHFLOOD retrieves the staged data from the drive's hidden directory and passes it to the BACKSPACE controller for exfiltration over the internet. FLASHFLOOD also has system information collection capability independent of the air-gap chain.
- MILKMAID / ORANGEADE: Dropper tools used to deploy APT30's primary backdoors onto target systems after initial phishing exploitation. Used as the initial-stage payload from phishing documents to download and execute BACKSPACE or NETEAGLE.
- CREAMSICLE / BACKBEND / GEMCUTTER: Downloader tools used to pull additional payloads or updated backdoor versions from C2 infrastructure. Part of the broader supporting toolkit that manages the deployment lifecycle of APT30's primary tools.
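The SHIPSHAPE/SPACESHIP chain leaves two artifacts on a drive that can be checked mechanically: a hidden document next to a visible executable carrying the document's name, and a hidden directory holding staged loot. The scanner below is an added example, not APT30 tooling or FireEye code. It assumes the drive is mounted read-only on a clean analysis host; on Windows it reads the real hidden attribute through st_file_attributes, elsewhere it falls back to a dot-prefix heuristic (an assumption of the example). Because a real drive cannot ship with the page, a constructed listing stands in for one, and the core check, find_decoys, takes that listing so it runs offline.

```python
"""Scan a removable drive for SHIPSHAPE-style decoys and staging directories.

Added example, not APT30 tooling or FireEye code. The extension sets, the
known-hidden-directory allowlist and the dot-prefix fallback are assumptions
chosen for this example.
"""
import os
import stat
import sys
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2                       # Windows attribute bit
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
# Hidden directories that legitimately exist on removable media.
KNOWN_HIDDEN_DIRS = {"System Volume Information", "$RECYCLE.BIN", ".Trashes",
                     ".Spotlight-V100", ".fseventsd"}


@dataclass(frozen=True)
class Entry:
    relpath: str        # relative to the drive root, "/" separated
    hidden: bool
    is_dir: bool
    size: int = 0


def _name(relpath):
    return relpath.rpartition("/")[2]


def _ext(name):
    return os.path.splitext(name)[1].lower()


def _stem(name):
    return os.path.splitext(name)[0]


def is_hidden(path):
    """Real hidden attribute on Windows; dot-prefix heuristic elsewhere."""
    attrs = getattr(os.lstat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def list_drive(root):
    """Build Entry records for every file and directory under root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append(Entry(rel, is_hidden(full), stat.S_ISDIR(st.st_mode), st.st_size))
    return entries


def find_decoys(entries):
    """Return (kind, path, detail) findings for a drive listing."""
    findings = []
    by_dir = {}
    for e in entries:
        by_dir.setdefault(e.relpath.rpartition("/")[0], []).append(e)

    # Check 1: visible executable whose name is a hidden sibling document's name.
    for items in by_dir.values():
        hidden_docs = [e for e in items
                       if e.hidden and not e.is_dir and _ext(_name(e.relpath)) in DOC_EXTS]
        for ex in items:
            name = _name(ex.relpath)
            if ex.hidden or ex.is_dir or _ext(name) not in EXEC_EXTS:
                continue
            stem = _stem(name)   # "report.docx.exe" -> "report.docx"; "report.exe" -> "report"
            for h in hidden_docs:
                hname = _name(h.relpath)
                if hname == stem or _stem(hname) == stem:
                    findings.append(("decoy_pair", ex.relpath, f"hidden twin {h.relpath}"))

    # Check 2: hidden directory (not a known OS one) that contains files.
    for d in sorted(e.relpath for e in entries
                    if e.is_dir and e.hidden and _name(e.relpath) not in KNOWN_HIDDEN_DIRS):
        staged = [e for e in entries if not e.is_dir and e.relpath.startswith(d + "/")]
        if staged:
            total = sum(e.size for e in staged)
            findings.append(("hidden_staging_dir", d, f"{len(staged)} files, {total} bytes"))
    return findings


# Constructed listing standing in for a real drive, so the scan runs offline.
SAMPLE_LISTING = [
    Entry("Minutes_ASEAN_2013.docx", True, False, 48_000),
    Entry("Minutes_ASEAN_2013.docx.exe", False, False, 120_000),
    Entry("budget.xlsx", True, False, 10_000),
    Entry("budget.exe", False, False, 120_000),
    Entry("photos", False, True),
    Entry("photos/IMG_0001.jpg", False, False, 300_000),
    Entry("System Volume Information", True, True),
    Entry(".cache", True, True),
    Entry(".cache/0001.dat", True, False, 52_000),
    Entry("readme.txt", False, False, 200),
]

if __name__ == "__main__":
    listing = list_drive(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for kind, path, detail in find_decoys(listing):
        print(f"{kind:20} {path:35} {detail}")
```

Run it as `python scan_drive.py E:` against a mounted drive, or with no argument to see the constructed case: two decoy pairs (one using the double-extension form, one using the bare stem) and one hidden staging directory, while the OS's own System Volume Information folder and the untouched readme produce nothing. A decoy pair on a drive that has travelled between an isolated and a connected network is grounds to treat both endpoints as compromised.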
Indicators of Compromise
The following IOCs are drawn from FireEye's April 2015 APT30 report, Kaspersky's 2019 follow-on analysis, and Positive Technologies' 2019 research. APT30 has modified some internal strings in response to public exposure (NetEagle → JokerPlay) but has demonstrated continued reuse of some long-standing infrastructure.
APT30 has shown both infrastructure reuse (some domains used for years post-disclosure) and targeted evasion of specific published signatures (renaming NETEAGLE internal strings). Behavioral indicators and mutex patterns are more reliable than domain or hash blocklists for this group. Full IOC lists from the original FireEye report are available at the GitHub link in Sources.
Mitigation & Defense
APT30 is assessed as active; the most recent public reporting documents activity in 2019 against Malaysian targets, four years after the FireEye disclosure. The group's targeting of ASEAN member state governments, India, and regional media makes it a priority threat for organizations in Southeast Asia and South Asia, as well as any Western organization with diplomatic, military, or journalistic engagement in the region. The air-gap crossing capability requires specific defensive consideration that most organizations' standard security stacks do not address.
- Removable Drive Controls — Air-Gap Defense: APT30's SHIPSHAPE/SPACESHIP/FLASHFLOOD chain relies entirely on humans physically carrying infected drives between systems. The most effective countermeasure is organizational: strictly control which removable drives are permitted in sensitive environments, implement drive scanning at the entry point to any air-gapped network, disable AutoRun and AutoPlay on all Windows endpoints, and use dedicated, purpose-registered USB drives with hardware write-protection for any legitimate data transfers into or out of air-gapped networks. Note that the chain does not depend on AutoRun: SPACESHIP executes because a user opens a decoy executable named after a hidden document, so disabling AutoRun is necessary but not sufficient. Configure endpoints to show file extensions, and use application control (for example AppLocker or WDAC) to block execution from removable media on air-gapped hosts. Cryptographic signing of permitted files on authorized drives can detect SPACESHIP's file replacement technique.
- Spear-Phishing Defense for Regional Topics: APT30's lures are specifically crafted around the target's professional work — ASEAN summit documents, South China Sea policy papers, India-China military topics, and journalism relating to China. Standard phishing awareness training that focuses on generic "too good to be true" lures will not prepare targets for this group's sophisticated, contextually accurate lures. Train high-risk personnel (government officials, defense analysts, journalists covering China) to verify unexpected documents through out-of-band channels before opening, regardless of how relevant the lure content appears.
- HTTP Traffic Inspection for C2 Patterns: BACKSPACE's distinctive "dizhi.gif" URL pattern in stage-one C2 HTTP requests is a durable behavioral indicator. Implement network monitoring rules that flag HTTP requests to newly-registered or low-reputation domains containing this specific URI pattern. The two-stage C2 architecture means victims communicate with intermediate C2 servers before any interactive operator involvement — the stage-one traffic is more predictable and detectable than the interactive stage-two sessions.
- Mutex-Based Endpoint Detection: APT30's consistent mutex naming conventions — particularly the "MicrosoftZj," "MicrosoftShip," "MicrosoftShipTr," and "MicrosoftFlash" prefix patterns — are durable behavioral signatures that survive tool rotation as long as the underlying code architecture is maintained. EDR rules detecting mutex creation matching these patterns should be deployed and maintained even as specific file hashes and domains change.
- DNS Domain Monitoring: APT30 registers its own C2 domains and has reused some infrastructure for years. Implement continuous monitoring of DNS resolutions from endpoints to newly registered or newly-resolved domains, particularly those with ASEAN, Southeast Asian, or China-adjacent naming themes. The group's reuse of some long-standing domains means historical domain blocklists have non-zero value — but should be supplemented with behavioral detection for new infrastructure.
- Journalist and Media Organization Security: APT30 specifically targets journalists covering China and Southeast Asia. Media organizations should implement security measures commensurate with the nation-state threat they face: encrypted communications for sensitive correspondence, source protection training that accounts for the possibility of inbox compromise, and endpoint monitoring that would detect BACKSPACE's startup persistence mechanisms and C2 communication patterns.
- Long-Dwell Detection: APT30's decade of continuous operations demonstrates a willingness to maintain access and wait for relevant intelligence opportunities rather than execute noisy bulk exfiltration. Standard detection approaches focused on high-volume or high-velocity indicators will miss an actor that may sit dormant for weeks or months waiting for the right document or summit preparation material. Implement anomaly-based detection that baselines normal endpoint behavior over long time windows and flags low-frequency but anomalous events like new service installations, unusual startup entries, or rare outbound HTTP connections.
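The DNS monitoring and long-dwell bullets above both come down to the same question: which destinations did this fleet start talking to recently, and how few hosts talk to them? The following is an added example (not APT30 or vendor code) of that first-seen/rarity hunt over resolver logs. Records are (date, host, queried name) tuples; a constructed 90-day log for 40 workstations stands in for real resolver output, and every name uses the reserved .example TLD. The eTLD+1 approximation (last two labels) is an assumption of the example; a real deployment should use the Public Suffix List.

```python
"""Fleet-wide first-seen / rarity hunt over DNS query logs.

Added example, not APT30 or vendor code. A registrable domain is flagged
when it first appeared within `new_days` and was queried by at most
`max_hosts` endpoints: the quiet, single-host, newly seen pattern a patient
implant beaconing to self-registered infrastructure tends to produce.
"""
from datetime import date, timedelta


def registrable(qname):
    """Approximate eTLD+1 as the last two labels (assumption of the example;
    use the Public Suffix List in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_baseline(records):
    """Map registrable domain -> [first_seen, last_seen, set(hosts), query_count]."""
    stats = {}
    for day, host, qname in records:
        s = stats.setdefault(registrable(qname), [day, day, set(), 0])
        s[0] = min(s[0], day)
        s[1] = max(s[1], day)
        s[2].add(host)
        s[3] += 1
    return stats


def rare_new_domains(records, today=None, new_days=30, max_hosts=2, allow=frozenset()):
    """Domains first seen within new_days and queried by <= max_hosts endpoints.
    `today` defaults to the newest date in the records."""
    if today is None:
        today = max(r[0] for r in records)
    cutoff = today - timedelta(days=new_days)
    hits = []
    for dom, (first, last, hosts, count) in build_baseline(records).items():
        if dom in allow or first < cutoff or len(hosts) > max_hosts:
            continue
        hits.append({"domain": dom, "first_seen": first, "last_seen": last,
                     "hosts": sorted(hosts), "queries": count})
    return sorted(hits, key=lambda h: (h["first_seen"], h["domain"]))


def sample_records():
    """Constructed 90-day log for 40 workstations; all names are fictitious."""
    start = date(2015, 1, 1)
    recs = []
    for d in range(90):
        day = start + timedelta(days=d)
        for h in range(1, 41):
            recs.append((day, f"ws{h:02d}", "update.corp.example"))
            recs.append((day, f"ws{h:02d}", "mail.corp.example"))
        recs.append((day, "ws07", "weather.forecast.example"))   # one host, but old
    for d in range(82, 90, 2):                                    # new, one host, 4 queries
        recs.append((start + timedelta(days=d), "ws17", "docs.asean-agenda.example"))
    for d in range(85, 90):                                       # new, but fleet-wide rollout
        for h in range(1, 41):
            recs.append((start + timedelta(days=d), f"ws{h:02d}", "cdn.newvendor.example"))
    return recs


def run_sample():
    """Evaluate the constructed log as of its last day (2015-03-31)."""
    return rare_new_domains(sample_records())


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

On the constructed log only asean-agenda.example is returned: it is new and queried by a single host a handful of times, whereas the equally new newvendor.example is excluded by the host count (a fleet-wide rollout) and the single-host forecast.example is excluded by age. Feed the hits into the HTTP-side checks for the dizhi.gif pattern and into startup-entry and service-installation review on the querying host rather than alerting on the domain alone; the point of the long baseline is to make a four-query domain visible at all.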
APT30's defining lesson for defenders is that operational consistency and mission clarity matter more than technical sophistication. For more than ten years, this group ran the same operation with the same tools, succeeding against well-resourced government targets not because it was technically undetectable, but because its targets lacked the detection capability to find it. The 2015 FireEye disclosure did not end APT30's operations — it prompted tool evolution (internal string renaming, new backend tools) and a brief operational pause, after which the group continued. The 2019 Kaspersky/Positive Technologies reporting confirms continuation at least four years after exposure. Organizations with any exposure to Southeast Asian geopolitics, ASEAN affairs, India-China issues, or China-related journalism should treat APT30 as an active and patient threat whose absence from detection logs is not evidence of absence from the network.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Group G0013: APT30
- Mandiant (Google Cloud) — APT30 and the Mechanics of a Long-Running Cyber Espionage Operation (April 2015)
- Positive Technologies — The Eagle Eye Is Back: Old and New Backdoors from APT30 (2019)
- Kaspersky — APT30 Report PDF (2015)
- SecureWorks — Bronze Geneva Threat Profile (APT30 / Override Panda)
- Council on Foreign Relations — Cyber Operations Tracker: APT 30
- MITRE ATT&CK — Software S0028: SHIPSHAPE
- Microsoft MSTIC — Threat Actor Naming Mapping (Raspberry Typhoon / RADIUM = APT30)
- CyberMaterial — APT30 / Override Panda Profile