📃Title: APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
📅Date: 2015-04-01
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • threat-actor= APT30
  • country=“china”
  • producer= Mandiant
  • target-information=“India”
  • target-information=“Malaysia”
  • target-information=“Saudi Arabia”
  • target-information=“South Korea”
  • target-information=“Thailand”
  • target-information=“United States”
  • target-information=“Vietnam”
  • malpedia=“FLASHFLOOD”
  • malpedia=“NETEAGLE”
  • malpedia=“SHIPSHAPE”
  • malpedia=“SPACESHIP”
  • malpedia=“backspace”
  • malpedia=“GEMCUTTER”
  • malpedia=“MILKMAID”
  • malpedia=“ORANGEADE”
  • mitre-attack-pattern=[]

MISP event uuid: 77d062bd-a5a0-479b-adf8-f777f635598d

Indicator of Compromise (IoCs)

type,value,comment
md5, 002e27938c9390a942cf4b4c319f1768, 'BACKSPACE'
md5, 062fe1336459a851bd0ea271bb2afe35, 'BACKSPACE'
md5, 09010917cd00dc8ddd21aeb066877aa2, 'BACKSPACE'
md5, 0fcb4ffe2eb391421ec876286c9ddb6c, 'BACKSPACE'
md5, 12e1dcd71693b6f875a98aefbd4ec91a, 'BACKSPACE'
md5, 1f64afa4069036513604cbf651e53e0d, 'BACKSPACE'
md5, 29395c528693b69233c1c12bef8a64b3, 'BACKSPACE'
md5, 37e568bed4ae057e548439dc811b4d3a, 'BACKSPACE'
md5, 40f47850c5ebf768fd1303a32310c73e, 'BACKSPACE'
md5, 414854a9b40f7757ed7bfc6a1b01250f, 'BACKSPACE'
md5, 428fc53c84e921ac518e54a5d055f54a, 'BACKSPACE'
md5, 4c10a1efed25b828e4785d9526507fbc, 'BACKSPACE'
md5, 4c6b21e98ca03e0ef0910e07cef45dac, 'BACKSPACE'
md5, 4e5c116d874bbaaf7d6dadec7be926f5, 'BACKSPACE'
md5, 550459b31d8dabaad1923565b7e50242, 'BACKSPACE'
md5, 59e055cee87d8faf6f701293e5830b5a, 'BACKSPACE'
md5, 5ae51243647b7d03a5cb20dccbc0d561, 'BACKSPACE'
md5, 5b590798da581c894d8a87964763aa8b, 'BACKSPACE'
md5, 62e5d5e244059dc02654f497401615cc, 'BACKSPACE'
md5, 65232a8d555d7c4f7bc0d7c5da08c593, 'BACKSPACE'
md5, 853a20f5fc6d16202828df132c41a061, 'BACKSPACE'
md5, 95bfe940816a89f168cacbc340eb4a5f, 'BACKSPACE'
md5, 9c0cad1560cd0ffe2aa570621ef7d0a0, 'BACKSPACE'
md5, a5ca2c5b4d8c0c1bc93570ed13dcab1a, 'BACKSPACE'
md5, a9e8e402a7ee459e4896d0ba83543684, 'BACKSPACE'
md5, acb2ba25ef225d820ac8a5923b746cb8, 'BACKSPACE'
md5, b2138a57f723326eda5a26d2dec56851, 'BACKSPACE'
md5, b590c15499448639c2748ff9e0d214b2, 'BACKSPACE'
md5, b7b282c9e3eca888cbdb5a856e07e8bd, 'BACKSPACE'
md5, ba80e3ad617e6998f3c4b003397db840, 'BACKSPACE'
md5, c95cd106c1fecbd500f4b97566d8dc96, 'BACKSPACE'
md5, d38e02eac7e3b299b46ff2607dd0f288, 'BACKSPACE'
md5, d8e68db503f4155ed1aeba95d1f5e3e4, 'BACKSPACE'
md5, d93026b1c6c828d0905a0868e4cbc55f, 'BACKSPACE'
md5, db3e5c2f2ce07c2d3fa38d6fc1ceb854, 'BACKSPACE'
md5, df1799845b51300b03072c6569ab96d5, 'BACKSPACE'
md5, e26a2afaaddfb09d9ede505c6f1cc4e3, 'BACKSPACE'
md5, e3ae3cbc024e39121c87d73e87bb2210, 'BACKSPACE'
md5, e62a63307deead5c9fcca6b9a2d51fb0, 'BACKSPACE'
md5, ec3905d8e100644ae96ad9b51d701a7f, 'BACKSPACE'
md5, ed151602dea80f39173c2f7b1dd58e06, 'BACKSPACE'
md5, 07bb30a2a42423e54f70af61e20edca3, 'BACKSPACE'
md5, 08f299c2d8cfe1ae64d71dfb15fe6e8d, 'BACKSPACE'
md5, 139158fe63a0e46639cc20b754a7c38c, 'BACKSPACE'
md5, 4a41c422e9eb29f5d722700b060bca11, 'BACKSPACE'
md5, 646e2cfa6aa457013769e2b89454acf7, 'BACKSPACE'
md5, 948a53450e1d7dc7535ea52ca7d5bddd, 'BACKSPACE'
md5, a2e0203e665976a13cdffb4416917250, 'BACKSPACE'
md5, ad044dc0e2e1eaa19cf031dbcff9d770, 'BACKSPACE'
md5, af1c1c5d8031c4942630b6a10270d8f4, 'BACKSPACE'
md5, c6e388ee5269239070e5ad7336d0bf59, 'BACKSPACE'
md5, c9484902c7f1756b26244d6d644c9dd5, 'BACKSPACE'
md5, cc06815e8d8c0083263651877decb44b, 'BACKSPACE'
md5, dc95b0e8ecb22ad607fc912219a640c1, 'BACKSPACE'
md5, f97ec83d68362e4dff4756ed1101fea8, 'BACKSPACE'
md5, 572c9cd4388699347c0b2edb7c6f5e25, 'BACKSPACE'
md5, 6e689351d94389ac6fdc341b859c7f6f, 'BACKSPACE'
md5, b5546842e08950bc17a438d785b5a019, 'BACKSPACE'
md5, 010ca5e1de980f5f45f9d82027e1606c, 'BACKSPACE'
md5, 0570066887f44bc6c82ebe033cad0451, 'BACKSPACE'
md5, 0a4fdacde69a566f53833500a0d53a35, 'BACKSPACE'
md5, 1133fe501fa4691b7f52e53706c80df9, 'BACKSPACE'
md5, 2a2b22aa94a59575ca1dea8dd489d2eb, 'BACKSPACE'
md5, 2d75de9e1bb58fe61fd971bb720a49b7, 'BACKSPACE'
md5, 40601cf29c1bbfe0942d1ac914d8ce27, 'BACKSPACE'
md5, 44992068aab25daa1decae93b25060af, 'BACKSPACE'
md5, 49ee6365618b2a5819d36a48131e280c, 'BACKSPACE'
md5, 4b8531d294c020d5f856b58a5a23b238, 'BACKSPACE'
md5, 4ee00c46da143ba70f7e6270960823be, 'BACKSPACE'
md5, 5ddbd80720997f7a8ff53396e8e8b920, 'BACKSPACE'
md5, 65b984b198359003a5a3b8aaf91af234, 'BACKSPACE'
md5, 6791254f160e98ac1f46b4d506b695ad, 'BACKSPACE'
md5, 7b111e1054b6b929de071c4f48386415, 'BACKSPACE'
md5, 8022a4136a6200580962da94f3cdb905, 'BACKSPACE'
md5, 8214b0e18fbcd5db6b008884e7685f2c, 'BACKSPACE'
md5, 8da9373fc5b8320fb04d6202ca1eb6f1, 'BACKSPACE'
md5, 9c31551cd8087072d08c9004c0ce76c5, 'BACKSPACE'
md5, 9cbcc68c9b913a5fda445fbc7558c658, 'BACKSPACE'
md5, 9e3ef98abcfffcf3205261e09e06cba6, 'BACKSPACE'
md5, ab153afbfbcfc8c67cf055b0111f0003, 'BACKSPACE'
md5, c90f798ccfbedb4bbe6c4568e0f05b68, 'BACKSPACE'
md5, cb1087b2add3245418257d648ac9e9a7, 'BACKSPACE'
md5, cd1aa1c8cdf4a4ba8dc4309ce30ec263, 'BACKSPACE'
md5, d55514d8b97999453621a8614090cbf0, 'BACKSPACE'
md5, d8248be5ed0f2f8f9787be331a18c36b, 'BACKSPACE'
md5, da92b863095ee730aef6c6c541ab7697, 'BACKSPACE'
md5, f4a648a2382c51ca367be87d05628cff, 'BACKSPACE'
md5, ff00682b0b8c8d13b797d722d9048ea2, 'BACKSPACE'
md5, 0cdc35ffc222a714ee138b57d29c8749, 'BACKSPACE'
md5, 10aa368899774463a355f1397e6e5151, 'BACKSPACE'
md5, 3166baffecccd0934bdc657c01491094, 'BACKSPACE'
md5, d28d67b4397b7ce1508d10bf3054ffe5, 'BACKSPACE'
md5, 310a4a62ba3765cbf8e8bbb9f324c503, 'BACKSPACE'
md5, 23813c5bf6a7af322b40bd2fd94bd42e, 'BACKSPACE'
md5, 6508ee27afe517aa846f9447faef59b8, 'BACKSPACE'
md5, 78c4fcee5b7fdbabf3b9941225d95166, 'BACKSPACE'
md5, 8c713117af4ca6bbd69292a78069e75b, 'BACKSPACE'
md5, 8c9db773d387bf9b3f2b6a532e4c937c, 'BACKSPACE'
md5, ebf42e8b532e2f3b19046b028b5dfb23, 'BACKSPACE'
md5, fe211c7a081c1dac46e3935f7c614549, 'BACKSPACE'
md5, 6f931c15789d234881be8ae8ccfe33f4, 'BACKSPACE'
md5, 1dbb584e19499e26398fb0a7aa2a01b7, 'BACKSPACE'
md5, 37aee58655f5859e60ece6b249107b87, 'BACKSPACE'
md5, 4154548e1f8e9e7eb39d48a4cd75bcd1, 'BACKSPACE'
md5, 71f25831681c19ea17b2f2a84a41bbfb, 'BACKSPACE'
md5, 8ff473bedbcc77df2c49a91167b1abeb, 'BACKSPACE'
md5, a813eba27b2166620bd75029cc1f04b0, 'BACKSPACE'
md5, b4ae0004094b37a40978ef06f311a75e, 'BACKSPACE'
md5, c4dec6d69d8035d481e4f2c86f580e81, 'BACKSPACE'
md5, 021e134c48cd9ce9eaf6a1c105197e5d, 'NETEAGLE (Scout)'
md5, 5eaf3deaaf2efac92c73ada82a651afe, 'NETEAGLE (Scout)'
md5, 7c307ca84f922674049c0c43ca09bec1, 'NETEAGLE (Scout)'
md5, b8617302180d331e197cc0433fc5023d, 'NETEAGLE (Scout)'
md5, e6289e7f9f26be692cbe6f335a706014, 'NETEAGLE (Scout)'
md5, 95bb314fe8fdbe4df31a6d23b0d378bc, 'NETEAGLE (Scout)'
md5, d97aace631d6f089595f5ce177f54a39, 'NETEAGLE (Norton)'
md5, 0c4fcef3b583d0ffffc2b14b9297d3a4, 'SHIPSHAPE'
md5, 1612b392d6145bfb0c43f8a48d78c75f, 'SHIPSHAPE'
md5, 168d207d0599ed0bb5bcfca3b3e7a9d3, 'SHIPSHAPE'
md5, 1e6ee89fddcf23132ee12802337add61, 'SHIPSHAPE'
md5, 42ccbccf48fe1cb63a81c9f094465ae2, 'SHIPSHAPE'
md5, 4f00235b5208c128440c5693b7b85366, 'SHIPSHAPE'
md5, 53f1358cbc298da96ec56e9a08851b4b, 'SHIPSHAPE'
md5, 5dd625af837e164dd2084b1f44a45808, 'SHIPSHAPE'
md5, 9e27277ef0b6b25ccb2bb79dbf7554a7, 'SHIPSHAPE'
md5, b249bcf741e076f11b6c9553f6104f16, 'SHIPSHAPE'
md5, bbb3cb030686748b1244276e15085153, 'SHIPSHAPE'
md5, c2acc9fc9b0f050ec2103d3ba9cb11c0, 'SHIPSHAPE'
md5, e39756bc99ee1b05e5ee92a1cdd5faf4, 'SHIPSHAPE'
md5, f18be055fae2490221c926e2ad55ab11, 'SHIPSHAPE'
md5, 01d2383152795e4ec98b874cd585da30, 'SPACESHIP'
md5, 08b54f9b2b3fb19e388d390d278f3e44, 'SPACESHIP'
md5, 11876eaadeac34527c28f4ddfadd1e8d, 'SPACESHIP'
md5, 28f2396a1e306d05519b97a3a46ee925, 'SPACESHIP'
md5, 80e39b656f9a77503fa3e6b7dd123ee3, 'SPACESHIP'
md5, 8e2eee994cd1922e82dea58705cc9631, 'SPACESHIP'
md5, b6c08fd8a9f32a17c3550d3b2d302dc5, 'SPACESHIP'
md5, c4c068200ad8033a0f0cf28507b51842, 'SPACESHIP'
md5, d591dc11ecffdfaf1626c1055417a50d, 'SPACESHIP'
md5, e9e514f8b1561011b4f034263c33a890, 'SPACESHIP'
md5, 1b81b80ff0edf57da2440456d516cc90, 'FLASHFLOOD'
md5, 5d4f2871fd1818527ebd65b0ff930a77, 'FLASHFLOOD'
md5, 74b87086887e0c67ffb035069b195ac7, 'FLASHFLOOD'
md5, af670600dee2bf13a68eb962cce8f122, 'FLASHFLOOD'
md5, b5a343d11e1f7340de99118ce9fc1bbb, 'FLASHFLOOD'
md5, fad06d7b4450c4631302264486611ec3, 'FLASHFLOOD'
md5, 49aca228674651cba776be727bdb7e60, 'MILKMAID'
md5, 5c7a6b3d1b85fad17333e02608844703, 'MILKMAID'
md5, 649fa64127fef1305ba141dd58fb83a5, 'MILKMAID'
md5, 9982fd829c0048c8f89620691316763a, 'MILKMAID'
md5, baff5262ae01a9217b10fcd5dad9d1d5, 'MILKMAID'
md5, 592381dfa14e61bce089cd00c9b118ae, 'ORANGEADE'
md5, b493ad490b691b8732983dcca8ea8b6f, 'ORANGEADE'
md5, b83d43e3b2f0b0a0e5cc047ef258c2cb, 'ORANGEADE'
md5, 35dfb55f419f476a54241f46e624a1a4, 'CREAMSICLE'
md5, 4fffcbdd4804f6952e0daf2d67507946, 'CREAMSICLE'
md5, 597805832d45d522c4882f21db800ecf, 'CREAMSICLE'
md5, 6bd422d56e85024e67cc12207e330984, 'CREAMSICLE'
md5, 82e13f3031130bd9d567c46a9c71ef2b, 'CREAMSICLE'
md5, b79d87ff6de654130da95c73f66c15fa, 'CREAMSICLE'
md5, 44b98f22155f420af4528d17bb4a5ec8, 'BACKBEND'
md5, 6ba315275561d99b1eb8fc614ff0b2b3, 'BACKBEND'
md5, ee1b23c97f809151805792f8778ead74, 'BACKBEND'
md5, bf8616bbed6d804a3dea09b230c2ab0c, 'GEMCUTTER'
hostname, www.km153.com, 'BACKSPACE controller version check and self-update'
domain, aseanm.com, 'BACKSPACE C2'
hostname, www.creammemory.com, 'NETEAGLE C2'
hostname, www.iapfreecenter.com, 'Primary BACKSPACE C2 domain'
hostname, www.appsecnic.com, 'Backup BACKSPACE C2 domain; run/hide configuration'
hostname, www.newpresses.com, 'BACKSPACE Run/hide configuration'
url, www.iapfreecenter.com/Lnk1z/hostlist.txt, 'BACKSPACE attempts to contact its C2 servers for validation and to obtain configuration data'
url, www.newpresses.com/http/nur.txt, ''
url, www.km153.com/http/nur.txt, ''
url, www.appsecnic.com/http/nur.txt, ''
url, www.iapfreecenter.com/Lnk1z, ''
url, www.newpresses.com/some/edih.txt, ''
url, www.km153.com/some/edih.txt, ''
url, www.appsecnic.com/some/edih.txt, ''
hostname, www.bigfixtools.com, 'primary first-stage C2 domain'
hostname, www.km-nyc.com, 'Used to obtain “run/hide” configuration data'
hostname, www.bluesixnine.com, 'Used to obtain “run/hide” configuration data'
hostname, www.autoapec.com, 'NETEAGLE first attempts to retrieve the file allupdate.xml'
url, http://www.autoapec.com/yzstmfa/update.xml, 'NETEAGLE'
url, http://www.autoapec.com/yzstmfa/updateapp.xml, 'NETEAGLE'
url, http://www.autoapec.com/yzstmfa/pic1.bmp, 'NETEAGLE'
url, http://www.creammemory.com/update1/pic2.bmp, 'NETEAGLE'
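The table above mixes four indicator types with different matching semantics: md5 rows identify exact samples, hostname rows name one host, the domain row (aseanm.com) covers the whole zone, and the url rows appear both with and without an http:// scheme. The script below is an added example (not code from the Mandiant/FireEye report or from the Rectifyq MISP event) that parses rows in the layout this page uses, normalises each type, and sweeps constructed proxy-log lines and a constructed file-hash inventory for hits. The log format, the client addresses, the file paths and the decision to treat hostname rows as exact matches and domain rows as suffix matches are assumptions made for the demonstration; only the indicator values come from the page.

```python
"""IoC matcher for the APT30 indicator table above (added example).

Parses rows in the page's layout (", " separators, single-quoted comments),
builds one lookup per indicator type, and scans constructed sample records.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Excerpt of the page's table. ASSUMPTION: a real run reads the full CSV from
# the MISP export instead of this embedded string.
IOC_CSV = """type,value,comment
md5, 002e27938c9390a942cf4b4c319f1768, 'BACKSPACE'
md5, d97aace631d6f089595f5ce177f54a39, 'NETEAGLE (Norton)'
md5, bf8616bbed6d804a3dea09b230c2ab0c, 'GEMCUTTER'
hostname, www.km153.com, 'BACKSPACE controller version check and self-update'
domain, aseanm.com, 'BACKSPACE C2'
hostname, www.iapfreecenter.com, 'Primary BACKSPACE C2 domain'
url, www.iapfreecenter.com/Lnk1z/hostlist.txt, 'BACKSPACE attempts to contact its C2 servers for validation and to obtain configuration data'
url, www.newpresses.com/http/nur.txt, ''
url, http://www.autoapec.com/yzstmfa/update.xml, 'NETEAGLE'
"""

# Constructed sample records (not real telemetry): "timestamp client method url status".
SAMPLE_PROXY_LOG = [
    "2015-03-02T08:14:05Z 10.1.2.34 GET http://www.iapfreecenter.com/Lnk1z/hostlist.txt 200",
    "2015-03-02T08:14:09Z 10.1.2.34 GET http://mail.aseanm.com:8080/index.php?id=3 200",
    "2015-03-02T08:15:41Z 10.1.2.57 GET http://www.example.org/ 200",
    "2015-03-02T08:16:02Z 10.1.2.34 GET http://WWW.AUTOAPEC.COM/yzstmfa/update.xml 404",
]
# Constructed (host, path, md5) rows as an EDR file inventory might export them.
SAMPLE_HASH_INVENTORY = [
    ("ws-07", r"C:\Users\alice\AppData\Local\Temp\a.exe", "D97AACE631D6F089595F5CE177F54A39"),
    ("ws-07", r"C:\Windows\System32\notepad.exe", "0123456789abcdef0123456789abcdef"),
]


def _parts(url):
    """urlsplit that tolerates the scheme-less url rows used on the page."""
    return urlsplit(url if "://" in url else "http://" + url)


def normalize_url(url):
    """Reduce a URL to 'host/path' so scheme, port, case and query do not
    prevent a page row from matching a proxy-log entry."""
    p = _parts(url)
    return f"{(p.hostname or '').lower()}{p.path or '/'}"


def parse_iocs(text):
    """Return {type: {value: comment}}; fields are stripped of the leading
    space and the comment of its single quotes after csv splits the line."""
    iocs = defaultdict(dict)
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip() == "type":
            continue
        kind, value = row[0].strip(), row[1].strip()
        comment = ",".join(row[2:]).strip().strip("'")  # comment may hold commas
        if kind == "md5":
            value = value.lower()
        elif kind in ("hostname", "domain"):
            value = value.lower().rstrip(".")
        elif kind == "url":
            value = normalize_url(value)
        iocs[kind][value] = comment
    return iocs


def match_host(host, iocs):
    """hostname rows match exactly; domain rows match the host and any subdomain."""
    host = host.lower().rstrip(".")
    if host in iocs["hostname"]:
        return ("hostname", host, iocs["hostname"][host])
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs["domain"]:
            return ("domain", candidate, iocs["domain"][candidate])
    return None


def match_url(url, iocs):
    """Try the full url row first, then fall back to the host alone."""
    key = normalize_url(url)
    if key in iocs["url"]:
        return ("url", key, iocs["url"][key])
    return match_host(_parts(url).hostname or "", iocs)


def scan_proxy_log(lines, iocs):
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        m = match_url(url, iocs)
        if m:
            hits.append({"ts": ts, "client": client, "url": url,
                         "ioc_type": m[0], "indicator": m[1], "comment": m[2]})
    return hits


def scan_hash_inventory(rows, iocs):
    hits = []
    for host, path, md5 in rows:
        family = iocs["md5"].get(md5.strip().lower())
        if family is not None:
            hits.append({"host": host, "path": path, "md5": md5.lower(), "family": family})
    return hits


if __name__ == "__main__":
    table = parse_iocs(IOC_CSV)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, table) + scan_hash_inventory(SAMPLE_HASH_INVENTORY, table):
        print(hit)
```

Two caveats for anyone operationalising the list this way: the md5 rows only catch the exact samples Mandiant analysed, so a recompiled or repacked build passes untouched, and the C2 hostnames date from the 2015 report, so a hit in current traffic should be checked against the domain's present registration and hosting before being treated as active APT30 activity rather than a sinkhole or a re-registered domain.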

Full IOCs available in Rectifyq’s MISP