APT 30 is a well-known advanced persistent threat (APT) group closely linked to the Chinese state. Since its emergence, this group has focused on cyber espionage campaigns targeting sectors critical to national security and technological advantage. Their operations stretch primarily across the Asia-Pacific region and extend to the United States, with a particular interest in aerospace, defense, telecommunications, and geospatial imaging.
APT 30 operates under numerous aliases, including Billbug, Bronze Elgin, Lotus Blossom, Naikon, Raspberry Typhoon, and Spring Dragon, among others. Across these identities the modus operandi is consistent: targeting government bodies, educational institutions, and telecom companies to steal sensitive information and maintain long-term access.
Geographic and Industry Targets

APT 30’s operations have spanned multiple countries, including India, South Korea, Malaysia, Saudi Arabia, Thailand, the United States, and Vietnam. Their main industries of interest include:
- Aerospace & Defense
- Education
- Energy & Utilities
- Government and Law Enforcement Agencies
- Media & Entertainment
- Technology
- Telecommunications
Their target selection points to a clear goal: gathering strategic intelligence to support China’s geopolitical and military objectives, especially in the contested South China Sea and the broader ASEAN region.
Spearphishing and Malware Families

APT 30 primarily gains entry through spear-phishing emails, meticulously crafted to trick recipients into opening malicious documents. These decoy documents lure diplomats, journalists, and officials into exposing credentials or downloading malware. Once inside a network, the group uses a variety of custom malware families and tools, such as:
- ARL (Reconnaissance)
- Backspace (Backdoor)
- Creamsicle (Downloader)
- Gemcutter (Downloader)
- Milkmaid (Dropper)
- Shipshape (Worm)
- … and several others, like Flashflood and BackBend, each tailored for reconnaissance, persistence, and data exfiltration.
APT 30’s toolkit also includes dropper malware, loaders, backdoors, and exfiltration tools, which allow it to maintain stealthy access and extract valuable data over extended periods.
Linked Groups with Similar Patterns
Closely related groups such as Naikon and Spring Dragon (Lotus Blossom) share operational overlaps and target similar sectors. Naikon, for example, has been active in Southeast Asia, focusing on governmental and telecom entities.
It employs advanced techniques such as lateral movement via Windows Management Instrumentation (WMIC.exe) and scheduled tasks, as well as persistence mechanisms including DLL side-loading and registry modifications.
From Initial Access to Data Theft
APT 30 and its affiliated groups typically gain initial access to their targets through spearphishing campaigns. These attacks often involve malicious document attachments, such as carefully crafted Word files, designed to entice recipients into opening them and unknowingly executing embedded malware. This method allows the attackers to establish a foothold within the victim’s network.
Once inside, APT 30 utilizes a variety of execution techniques to move laterally and carry out its objectives. It frequently employs PowerShell commands, schedules tasks using tools like schtasks.exe, and leverages Windows Management Instrumentation (WMI) to execute payloads and navigate through compromised systems with stealth and efficiency.
These groups use several sophisticated methods to maintain persistence and long-term control over infected environments. They exploit domain accounts to secure elevated access, and in some cases, such as with the Naikon subgroup, they utilize add-ins loaded via Word’s startup folder to drop secondary loaders. Additionally, modifying registry run keys and hijacking DLL search orders are common techniques used to ensure their malware remains active even after system reboots.
APT 30 is also adept at evading detection. One common tactic is to masquerade malicious processes by renaming them to mimic legitimate applications like Task Manager, Google Chrome, Adobe software, or VMware executables. This deception makes it harder for security tools and analysts to identify malicious activity amidst normal system operations.
The group carries out extensive reconnaissance within compromised networks to map out targets and identify valuable assets. They run commands such as “netsh interface show” to examine network configurations, use NetBIOS scanning to discover remote systems, and probe firewall and security settings to better understand defenses and find vulnerabilities to exploit.
Finally, data exfiltration is typically conducted over unencrypted channels such as FTP. Tools like WinSCP transfer stolen information discreetly from the victim environment to attacker-controlled servers, completing their espionage missions by successfully extracting valuable intelligence.
Conclusion
APT 30 highlights how state-sponsored groups blend geopolitical goals with advanced cyber skills to conduct long-term espionage, especially in Southeast Asia and the U.S. To counter such threats, organizations need comprehensive intelligence and protection.
Cyble provides an integrated platform combining AI-driven threat detection, attack surface management, dark web monitoring, and incident response. With Cyble’s solutions, businesses can proactively identify vulnerabilities, monitor emerging threats, and strengthen defenses to stay protected from threat actors like APT 30.
Mitigation and Recommendations
To defend against these groups, organizations should adopt a layered defense strategy, including:
- Strong email filtering and user training to detect spear-phishing attempts
- Regular patching of vulnerabilities in operating systems and applications
- Strict credential management with multi-factor authentication and frequent password rotations
- Network monitoring for unusual lateral movement and command execution patterns
- Deploying endpoint detection and response (EDR) tools capable of identifying masqueraded processes
- Incident response plans incorporating up-to-date threat intelligence
MITRE ATT&CK Techniques Associated with the APT 30 Group

- Spearphishing Attachment (T1566.001): APT30 uses spearphishing emails with malicious DOC attachments to gain access.
- Windows Management Instrumentation (T1047): The TA uses WMIC.exe for lateral movement.
- Scheduled Task (T1053.005): The TA uses schtasks.exe to move laterally within compromised networks.
- PowerShell (T1059.001): Thrip employs PowerShell to run commands, download payloads, traverse networks, and conduct reconnaissance.
- Malicious File (T1204.002): APT30 relies on users to execute malicious file attachments delivered via spearphishing emails.
- Domain Accounts (T1078.002): The TA uses administrator credentials for lateral movement.
- Add-ins (T1137.006): The TA drops a second-stage loader (intel.wll) into Word’s Startup folder using the RoyalRoad exploit builder.
- Registry Run Keys / Startup Folder (T1547.001): The TA modifies Windows Run registry keys to maintain persistence.
- DLL Search Order Hijacking (T1574.001): The TA performs DLL side-loading to load malicious DLLs into legitimate executables.
- Masquerade Task or Service (T1036.004): The TA renames malicious services (e.g., taskmgr) to appear legitimate.
- Match Legitimate Name or Location (T1036.005): The TA disguises malware as Google Chrome, Adobe, and VMware executables.
- System Network Configuration Discovery (T1016): The TA uses commands like netsh interface show to identify network settings.
- Remote System Discovery (T1018): The TA employs NetBIOS scanning to identify remote machines.
- Network Service Discovery (T1046): The TA uses the LadonGo scanner to scan target networks.
- Security Software Discovery (T1518.001): The TA runs commands such as netsh advfirewall firewall to discover firewall configurations.
- Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): Thrip uses WinSCP to exfiltrate data over FTP.
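As an added example (not from the Cyble post or any vendor tool), the following Python triage routine turns the behaviours described in the "From Initial Access to Data Theft" section and the ATT&CK mapping above into detection rules and runs them over constructed Sysmon-style event records. The sample records, the hostname FILESRV01, the user path, and the EXPECTED_DIRS whitelist of legitimate install directories are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style process/file-creation records (sample data, not real victim telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"type": "process", "image": r"C:\Users\Public\Libraries\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"type": "process", "image": r"C:\ProgramData\chrome.exe", "cmdline": "chrome.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface show interface"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s FILESRV01 /tn update /tr C:\temp\a.exe /sc once /st 09:00"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic /node:FILESRV01 os get caption"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
]

# Assumption: the only directories the impersonated binaries legitimately run from (T1036.005).
EXPECTED_DIRS = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
}
# Discovery commands named in the post, keyed by ATT&CK ID.
DISCOVERY = {"T1016": re.compile(r"netsh\s+interface\s+show", re.I),
             "T1518.001": re.compile(r"netsh\s+advfirewall\s+firewall", re.I)}
WORD_WLL = re.compile(r"\\microsoft\\word\\startup\\[^\\]+\.wll$", re.I)  # Word add-in drop (T1137.006)

def classify(event):
    """Return the ATT&CK technique IDs one event matches; an empty list means no rule fired."""
    hits = []
    if event["type"] == "file":
        return ["T1137.006"] if WORD_WLL.search(event["path"]) else hits
    directory, _, name = event["image"].lower().rpartition("\\")
    cmd = event["cmdline"]
    # Trusted binary name launched from an unexpected directory -> masquerading
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        hits.append("T1036.005")
    hits += [tid for tid, pat in DISCOVERY.items() if pat.search(cmd)]
    # schtasks /create aimed at a remote host (/s <host>) -> scheduled-task lateral movement
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(r"(?:^|\s)/s\s+\S+", cmd, re.I):
        hits.append("T1053.005")
    # wmic addressing another node -> WMI-based lateral movement
    if name == "wmic.exe" and "/node:" in cmd.lower():
        hits.append("T1047")
    return hits

def triage(events):
    """(index, techniques) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```

The legitimate taskmgr.exe and chrome.exe launches are deliberately left in the sample set so the path-based masquerade rule can be seen not to fire on them.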