{
	"id": "bd613861-8e7c-4dac-9a25-bd0bd5ff38cb",
	"created_at": "2026-04-06T00:21:21.50636Z",
	"updated_at": "2026-04-10T03:36:00.56907Z",
	"deleted_at": null,
	"sha1_hash": "3a597a0c55b0f2a8484f8fc0ee579f289a2bb45a",
	"title": "Read Featured Article \"Whois Numbered Panda\" by Adam Meyers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44078,
	"plain_text": "Read Featured Article \"Whois Numbered Panda\" by Adam\r\nMeyers\r\nBy AdamM\r\nArchived: 2026-04-05 15:54:28 UTC\r\nLast week's Intelligence blog post featured Anchor Panda, one of the many adversary groups that CrowdStrike\r\ntracks. The adversary is the human component in an attack, and it is the adversary that one should focus on. It is not sufficient to simply\r\nidentify 'Chinese-based hackers'; it is important to understand the adversary group that has targeted your enterprise\r\nand what intelligence they are there to collect. By understanding that there are multiple groups and that they all\r\nhave different tactics, techniques, and practices (TTPs), you can begin to understand the nature of the threat and what\r\nthey are looking to collect, and raise the operational cost in order to make targeting your enterprise a costly and\r\ndifficult endeavor. Attribution is a tricky subject with regard to incident response and intrusion investigation; it\r\ncan take years of research to get the home address or the location of the Technical Reconnaissance Bureau (TRB)\r\naffiliated with the threat actor. We have to rely on the categorization of the adversary and understanding their\r\nTTPs, victims, objectives, and prior art to fully evaluate the threat that adversary poses to us. Understanding the\r\ntasking orders the adversary has received can be revealing of the adversary, who they are working for, and their\r\nfuture targeting objectives. If we understand that an adversary has targeted a high-tech company's intellectual\r\nproperty, then when we encounter that adversary at a different technology company, we have a pretty good idea\r\nwhat they are after. Victims of a targeted attack by a “known” adversary benefit from understanding their intent in\r\norder to help gauge response and hopefully make strategic decisions about what is the appropriate\r\ncountermeasure. 
If the adversary is known to target mergers and acquisitions intelligence of companies involved\r\nin the Chinese market, then when that adversary shows up prior to, or during, some M\u0026A activity, the victim can\r\nbegin to take actions to limit the effectiveness of the compromised data, feed deceptive information, or perhaps\r\nlodge a formal complaint. With this in mind, this week we are providing some indicators for a China-based\r\nadversary who we crypt as “NUMBERED PANDA.” Numbered Panda has a long list of high-profile victims and\r\nis known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has\r\ntargeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple\r\ngovernments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima\r\nReactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations. Screen saver\r\nfiles (which are binary executables) and PDF documents are common Numbered Panda weaponization tactics. One\r\nof the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and\r\nControl (C2) port by resolving a DNS name. This effectively helps Numbered Panda bypass egress filtering\r\nimplemented to prevent unauthorized communications in some enterprises. The malware will typically use two\r\nDNS names for communication: one is used for command and control; the other is resolved and fed to an algorithm that\r\ncalculates the port to communicate on. There are several variations of the algorithm used to calculate the C2 port,\r\nbut one of the most common is to multiply the first two octets of the IP address and add the third octet to that\r\nvalue. This is typically represented as (A * B) + C. A common value might be 200.2.43.X, which would result in\r\ncommunication on port 443. 
Numbered Panda will frequently use blogs or WordPress in the C2 infrastructure,\r\nwhich helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda\r\nhttp://www.crowdstrike.com/blog/whois-numbered-panda/\r\nPage 1 of 2\n\ntargeting high-tech companies, defense contractors, media organizations, and western governments. The following intrusion\r\ndetection rules were written and tested by the CrowdStrike Global Threat Analysis Cell (GTAC) with performance\r\nand low false positives in mind - just remember to change the Signature ID (SID) in the IDS rules. Disclosure of\r\nthis information went through the same IGL process as discussed in the Whois Anchor Panda blog post.\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg: \"NUMBERED PANDA - Joy RAT Variant 1\"; flow: from_client,established;\r\ncontent: \"6YmV|7c 22|\"; depth: 6; sid: xxx; rev: 2;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg: \"NUMBERED PANDA - Joy RAT Variant 2\"; flow: from_client,established;\r\ncontent: \"Fyoj`U\"; depth: 6; sid: xxx; rev: 2;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg: \"NUMBERED PANDA - Joy RAT Variant 3\"; flow: from_client,established;\r\ncontent: \"yb|13|j\u003c\"; depth: 5; sid: xxx; rev: 2;)\r\nBe sure to follow @CrowdStrike on Twitter as we continue to provide more intelligence on adversaries over the\r\ncoming weeks. If you have any questions about these signatures or want to hear more about Numbered Panda and\r\ntheir tradecraft, please contact: intelligence@crowdstrike.com and inquire about our intelligence-as-a-service\r\nsolutions.\r\nSource: http://www.crowdstrike.com/blog/whois-numbered-panda/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"http://www.crowdstrike.com/blog/whois-numbered-panda/"
	],
	"report_names": [
		"whois-numbered-panda"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a597a0c55b0f2a8484f8fc0ee579f289a2bb45a.pdf",
		"text": "https://archive.orkl.eu/3a597a0c55b0f2a8484f8fc0ee579f289a2bb45a.txt",
		"img": "https://archive.orkl.eu/3a597a0c55b0f2a8484f8fc0ee579f289a2bb45a.jpg"
	}
}