APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[1][2]

ID: G0013
Version: 1.1
Created: 31 May 2017
Last Modified: 29 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT30 has used spearphishing emails with malicious DOC attachments.[1]

Enterprise T1204 .002 User Execution: Malicious File

APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0031 BACKSPACE [1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Non-Standard Encoding, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Modify Registry, Multi-Stage Channels, Process Discovery, Proxy: Internal Proxy, Query Registry, System Information Discovery
S0036 FLASHFLOOD [1] Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, File and Directory Discovery
S0034 NETEAGLE [1] Application Layer Protocol: Web Protocols, Application Layer Protocol, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Non-Application Layer Protocol, Process Discovery
S0028 SHIPSHAPE [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Replication Through Removable Media
S0035 SPACESHIP [1] Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Exfiltration Over Physical Medium: Exfiltration over USB, File and Directory Discovery

References