>samit_hota
Back to adversary profiles
G0013HighActive

APT30: Persistent Chinese Cyber Espionage in Southeast Asia and Beyond

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Strategic Intelligence Gathering, Political Gain
Aliases
None documented
Target Sectors
Government, Defense, Aerospace, Telecommunications, Education, Technology, Media, Energy & Utilities
Associated Malware
Backspace, NetEagle, ShipShape, SpaceShip, FlashFlood, ARL, Creamsicle, Gemcutter, Backbend, Milkmaid, Orangeade
#threat-actor#g0013

Overview

APT30, identified by MITRE as G0013, is a highly persistent and state-sponsored advanced persistent threat group with strong ties to the Chinese government. Known for its sophisticated and sustained cyber espionage campaigns, APT30 has been actively operating since at least 2005, demonstrating remarkable consistency in its tools, tactics, and infrastructure over more than a decade. This group’s primary objective is cyber espionage, focusing on acquiring strategic intelligence to support China’s geopolitical and military ambitions, particularly within the contested South China Sea and broader ASEAN region. Unlike groups motivated by financial gain, APT30 specifically targets sensitive data and documents for political purposes, avoiding the collection of monetizable information such as credit card data or personally identifiable information.

Their operations primarily span the Asia-Pacific region, with a pronounced focus on Southeast Asia and India, although their reach extends to the United States. APT30’s target selection is strategic, encompassing government bodies, law enforcement agencies, and commercial entities that possess critical political, economic, and military information relevant to the region. Key sectors of interest include aerospace and defense, telecommunications, geospatial imaging, education, technology, media, and energy and utilities. The group also shows a distinct interest in organizations and governments associated with ASEAN, often increasing activity around official ASEAN meetings.

Tactics & Techniques

APT30’s operational methodology reflects a well-organized and professional approach, often employing skilled software developers who adhere to coherent development plans and work in shifts.

Initial access is most commonly achieved through highly targeted spear-phishing campaigns. These attacks often leverage meticulously crafted malicious document attachments, frequently Microsoft Word files, designed to entice recipients into enabling macros or interacting with embedded content that executes malware. The decoy documents are carefully tailored to resonate with the target’s professional interests, often featuring themes related to regional security, political issues, border disputes, or diplomatic matters concerning Southeast Asia and India.

Once a foothold is established, APT30 utilizes various execution techniques, including PowerShell commands, scheduled tasks (via schtasks.exe), and Windows Management Instrumentation (WMI) to deploy payloads and move stealthily within compromised systems. They have also exploited vulnerabilities such as CVE-2012-0158 for initial compromise.

For persistence, the group modifies registry run keys and abuses DLL search order hijacking. The malware used by APT30 also features continuous automatic updating capabilities, allowing them to maintain long-term access and adapt to changing security landscapes.

Defense evasion is a hallmark of APT30. They frequently masquerade malicious processes by renaming them to mimic legitimate applications like Task Manager, Google Chrome, Adobe software, or VMware executables, making detection challenging for security tools and analysts. The group employs a two-stage command and control (C2) architecture, adding a layer of obfuscation between the attackers and their victims and balancing stealth with scalability. APT30 frequently registers its own DNS domains for C2 activities, some of which have remained active for years.

Lateral movement and discovery are executed through extensive reconnaissance within compromised networks. APT30 operators run commands like “netsh interface show” to examine network configurations, use NetBIOS scanning to identify remote systems, and probe firewall and security settings to understand network defenses. They also exploit domain accounts to secure elevated access. A notable capability is their use of specialized tools designed to infect removable drives, enabling them to bridge air-gapped networks and exfiltrate data from isolated systems. Data exfiltration is often conducted over unencrypted channels like FTP.

Notable Campaigns

APT30 is characterized by its long-running nature rather than distinct, short-term campaigns. Their sustained activity since 2005, with consistent tools and infrastructure, is a significant aspect of their profile. FireEye notably documented their decade-long cyber espionage campaign targeting governments, journalists, and businesses in Southeast Asia and India.

The group has been observed deploying customized malware around ASEAN summits, for instance, in January and April 2013, indicating a keen interest in regional political developments. They have also leveraged major political transitions as themes for their phishing lures. Specific decoy subjects have included topics related to India-China military relations and contested regions, further highlighting their geopolitical motivations. APT30 has shown a particular interest in targeting journalists who report on issues sensitive to the Chinese Communist Party’s legitimacy, such as corruption, the economy, and human rights, likely to gain insight and preemptively shape public messaging.

Associated Malware & Tools

APT30 relies on a suite of custom malware families and tools, which have been consistently maintained and updated over their long operational history.

Their primary backdoors include:

  • Backspace: Identified in ZJ and ZR variants, also known as “Lecna,” this backdoor provides remote control capabilities and has been in use since at least 2005.
  • NetEagle: Available in “Scout” and “Norton” versions, functioning as another primary backdoor.

To facilitate initial compromise and maintain access, APT30 uses various downloaders and droppers:

  • Creamsicle
  • Gemcutter
  • Backbend
  • Milkmaid and Orangeade (droppers)

A distinguishing feature of APT30’s toolkit is its set of specialized tools designed for air-gapped network compromise and data exfiltration:

  • ShipShape
  • SpaceShip
  • FlashFlood These tools are specifically engineered to infect removable drives, allowing malware to traverse isolated networks and extract sensitive data. Additionally, APT30 uses a reconnaissance tool named ARL.

Current Status

APT30 remains an active threat group. Recent analysis from August 2025 indicates that the group continues its cyber espionage campaigns, focusing on sectors vital to national security and technological advantage. Their long operational history, coupled with their ability to effectively maintain and update their toolset and infrastructure, underscores their enduring capability and commitment to their objectives. Organizations in Southeast Asia, India, and other regions of interest should maintain a high level of vigilance against APT30’s persistent and well-resourced operations.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call