APT30

Threat Actor Profile (updated 3 months ago)
APT30 is a threat actor suspected of being attributable to China and active since at least 2005. The group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and for its ability to adapt and modify its source code so as to maintain consistent tools, tactics, and infrastructure; it frequently registers its own DNS domains for malware command-and-control (CnC) activity. Its associated malware includes SHIPSHAPE, SPACESHIP, and FLASHFLOOD, and its tooling comprises downloaders, backdoors, a central controller, and components designed to infect removable drives and cross air-gapped networks in order to steal data.

The Naikon APT group, which FireEye's reporting aligns with APT30, was itself spear-phished by another actor known as "Hellsing"; however, no exact matches between the two groups have been identified yet.

The EU Cybersecurity Agency (ENISA) and the Computer Emergency Response Team for the EU institutions, bodies, and agencies (CERT-EU) have issued advisories on Advanced Persistent Threats (APTs), including APT30, highlighting the ongoing threat posed by such actors. Several Chinese hacking groups, including APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda, have been identified in joint reports on their cyber activities. These groups' malicious activities emphasize the persistent cybersecurity threats originating from China, and despite their varying tactics and targets, they collectively underscore the need for robust cybersecurity defenses and constant vigilance.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt, Chinese, China, Malware
Associated Malware
No associations to display
Associated Threat Actors
Ke3chang (type: Unspecified; votes: 2)
Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang

GALLIUM (type: Unspecified; votes: 2)
Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas

APT27 (type: Unspecified; votes: 2)
APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario

Mustang Panda (type: Unspecified; votes: 2)
Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

APT31 (type: Unspecified; votes: 2)
APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0

Naikon (type: Unspecified; votes: 1)
Naikon is a threat actor, or group, known for its execution of actions with malicious intent. It is associated with various Advanced Persistent Threat (APT) groups originating from China, such as Growing Taurus and Parched Taurus, also known as Goblin Panda. Naikon has been linked to PLA Unit 78020/
Associated Vulnerabilities
No associations to display
Source Document References
Information about the APT30 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created): Title

MITRE (a year ago): The Naikon APT
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
CERT-EU (a year ago): EU Organizations Warned of Chinese APT Attacks
Securityaffairs (a year ago): ENISA and CERT-EU warns Chinese APTs targeting EU organizations