Skip to content


BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. 1

Item Value
ID S0031
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BACKSPACE uses HTTP as a transport to communicate with its command server.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.1
enterprise T1547.009 Shortcut Modification BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.1
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding Newer variants of BACKSPACE will encode C2 communications with a custom system.1
enterprise T1041 Exfiltration Over C2 Channel Adversaries can direct BACKSPACE to upload files to the C2 Server.1
enterprise T1083 File and Directory Discovery BACKSPACE allows adversaries to search for files.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall The “ZR” variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.1
enterprise T1112 Modify Registry BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.1
enterprise T1104 Multi-Stage Channels BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs “louder” interactions with the malware.1
enterprise T1057 Process Discovery BACKSPACE may collect information about running processes.1
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy The “ZJ” variant of BACKSPACE allows “ZJ link” infections with Internet access to relay traffic from “ZJ listen” to a command server.1
enterprise T1012 Query Registry BACKSPACE is capable of enumerating and making modifications to an infected system’s Registry.1
enterprise T1082 System Information Discovery During its initial execution, BACKSPACE extracts operating system information from the infected host.1

Groups That Use This Software

ID Name References
G0013 APT30 1


Back to top