APT30 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

APT30 (Back to overview)

aka: G0013, LOTUS PANDA, LotusBlossom, RADIUM, Raspberry Typhoon

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches

Associated Families

win.chrysalis win.sagerunex

References

2026-02-03 ⋅ Kaspersky Labs ⋅ Anton Kargin, Georgy Kucherin
The Notepad++ supply chain attack — unnoticed execution chains and new IoCs
Chrysalis Cobalt Strike

2026-02-02 ⋅ Rapid7 ⋅ Ivan Feigl
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
Chrysalis

2026-01-02 ⋅ Securite360.net ⋅ Muffin
The Intriguing Lotus: A Deep Dive into Sagerunex
Sagerunex

2022-11-15 ⋅ Symantec ⋅ Threat Hunter Team
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex LOTUS PANDA

2022-11-15 ⋅ Symantec ⋅ Threat Hunter Team
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex

2022-08-04 ⋅ Mandiant ⋅ Mandiant
Advanced Persistent Threats (APTs)
APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon

2022-05-04 ⋅ Cyware ⋅ Cyware
Chinese Naikon Group Back with New Espionage Attack
APT30 Naikon

2022-04-29 ⋅ Cluster25 ⋅ Cluster25
The LOTUS PANDA Is Awake, Again. Analysis Of Its Last Strike.
APT30 Naikon

2020-06-19 ⋅ Positive Technologies ⋅ Alexey Vishnyakov
The eagle eye is back: old and new backdoors from APT30
backspace NETEAGLE RCtrl RHttpCtrl APT30

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE GENEVA
backspace APT30 Naikon

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
APT1 APT10 APT2 APT26 APT3 APT30 APT41 Naikon Tonto Team

2019-03-22 ⋅ MITRE ⋅ MITRE
APT30
APT30

2019-01-01 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Naikon
APT30 Naikon

2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
APT 30
APT30

2017-08-24 ⋅ Kaspersky Labs ⋅ Kaspersky
Naikon Targeted Attacks
APT30 Naikon

2015-05-29 ⋅ Kaspersky Labs ⋅ Kurt Baumgartner, Maxim Golovkin
THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns
APT30 Naikon

2015-05-14 ⋅ Kaspersky Labs ⋅ Kurt Baumgartner, Maxim Golovkin
The Naikon APT
Naikon SslMM Sys10 WinMM xsPlus APT30 Naikon

2015-04-15 ⋅ FireEye ⋅ FireEye
APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign
backspace FLASHFLOOD NETEAGLE SHIPSHAPE SPACESHIP APT30

2015-04-01 ⋅ FireEye ⋅ FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30

2015-01-01 ⋅ ThreatConnect ⋅ ThreatConnect
Naikon Tag in ThreatConnect Blogs
APT30 Naikon

2014-03-25 ⋅ FireEye ⋅ Alex Lanstein, Ned Moran
Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370
APT30 Naikon

2013-02-27 ⋅ Trend Micro ⋅ Abraham Camba
BKDR_RARSTONE: New RAT to Watch Out For
APT30

Credits: MISP Project