{
	"id": "d970b8b7-7293-4ced-a449-8c8b78cdd7cd",
	"created_at": "2026-04-06T03:37:42.792943Z",
	"updated_at": "2026-04-10T03:37:26.375694Z",
	"deleted_at": null,
	"sha1_hash": "c30b2c205c2e4d5069f4dac557a7fa31d1973e35",
	"title": "Numbered Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131919,
	"plain_text": "Numbered Panda\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-04-15 · Archived: 2026-04-06 03:26:44 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n\r\nNumbered Panda\r\nCountry: People's Republic of China\r\nBranch: People's Liberation Army\r\nType: Cyber force; Advanced persistent threat\r\nRole: Cyber warfare; Electronic warfare\r\nEngagements: Operation Double Tap; Operation Clandestine Fox\r\n\r\nNumbered Panda (also known as IXESHE, DynCalc, DNSCALC, and APT12) is a cyber espionage group believed to be linked with the Chinese military.[1] The group typically targets organizations in East Asia.[1] These organizations include, but are not limited to, media outlets, high-tech companies, and governments.[2] Numbered Panda is believed to have been operating since 2009.[3] The group is also credited with a 2012 data breach at the New York Times.[4] One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns.[5] The decoy documents are typically written in Traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests.[3] Numbered Panda appears to actively seek out cybersecurity research relating to the malware it uses. 
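The following example is added here and is not part of the Wikipedia article or of any of the cited reports. It shows an attachment-triage check for the lure technique this article describes, in particular the right-to-left override trick detailed under Japan and Taiwan (2011-2014): a filename carrying U+202E is rendered with its tail reversed, so the extension the user sees differs from the one the operating system actually uses. The executable-extension list and the sample filename are assumptions constructed for the example; the rendering function approximates the Unicode bidi algorithm for an ASCII tail, which is the case the article quotes.

```python
from dataclasses import dataclass, field
from typing import List

# Unicode bidirectional controls that can disguise a file's real extension.
# U+202E RIGHT-TO-LEFT OVERRIDE is the character behind the trick quoted from
# the Arbor report; the neighbouring embedding/isolate controls are checked too
# because a renderer honours them the same way.
BIDI_CONTROLS = frozenset(chr(c) for c in range(0x202A, 0x202F)) | frozenset(chr(c) for c in range(0x2066, 0x206A))
RLO = chr(0x202E)

# Extensions Windows hands to a program loader or script host on double-click.
# Assumption: a generic triage list, not one taken from the cited reports.
EXECUTABLE_EXTS = frozenset({'scr', 'exe', 'com', 'pif', 'bat', 'cmd', 'vbs', 'js', 'jse', 'wsf', 'hta', 'lnk', 'msi', 'dll', 'ps1'})


def strip_bidi(name: str) -> str:
    # Remove every bidi control so the remaining text is what the OS parses.
    return ''.join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension_of(name: str) -> str:
    # The OS picks a handler from the text after the last dot, controls ignored.
    base = strip_bidi(name)
    return base.rsplit('.', 1)[1].lower() if '.' in base else ''


def rendered_name(name: str) -> str:
    # Approximate what a file manager shows: characters after the first RLO are
    # drawn right-to-left, i.e. in reverse order. Exact for an ASCII tail (the
    # case the Arbor quote describes); full bidi resolution is more involved
    # when the tail mixes scripts.
    if RLO not in name:
        return strip_bidi(name)
    head, tail = name.split(RLO, 1)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


@dataclass
class FilenameVerdict:
    raw: str                 # filename as carried in the attachment header
    displayed: str           # what the user sees in a renderer honouring bidi controls
    real_ext: str            # extension the OS actually uses
    shown_ext: str           # extension the user believes they see
    bidi_chars: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_filename(name: str) -> FilenameVerdict:
    # Flag bidi controls, a displayed/real extension mismatch, and an
    # executable real extension; any one of them is worth an analyst's look.
    bidi = [f'U+{ord(ch):04X}' for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext = extension_of(name)
    shown_ext = extension_of(shown)
    reasons = []
    if bidi:
        reasons.append('bidi control character(s) in filename: ' + ', '.join(bidi))
    if real_ext != shown_ext:
        reasons.append(f'displayed extension .{shown_ext} differs from real extension .{real_ext}')
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f'real extension .{real_ext} is executable')
    return FilenameVerdict(name, shown, real_ext, shown_ext, bidi, reasons)


if __name__ == '__main__':
    # Constructed sample: a .scr screensaver binary dressed up as a spreadsheet
    # about a Taiwanese conference, the kind of lure the article describes.
    for sample in ('Conference_Agenda_' + RLO + 'slx.scr', 'Conference_Agenda.xls'):
        v = triage_filename(sample)
        print('stored as :', v.raw.encode('unicode_escape').decode('ascii'))
        print('displayed :', v.displayed)
        print('real ext  :', v.real_ext, '| shown ext:', v.shown_ext)
        print('suspicious:', v.suspicious, v.reasons)
        print()
```

Run the block directly to see the two verdicts; in a mail gateway or sandbox the same function would be applied to each attachment name before the file is ever rendered to a user.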
After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.[1]\r\n\r\nDiscovery and security reports\r\n\r\nTrend Micro first reported on Numbered Panda in a 2012 white paper.[5] Researchers discovered that the group had launched spear phishing campaigns, using the Ixeshe malware, primarily against East Asian nations since approximately 2009.[5] CrowdStrike further discussed the group in the 2013 blog post Whois Numbered Panda.[2] This post followed the 2012 attack on the New York Times and its subsequent 2013 reporting on the attack.[4] In June 2014, Arbor Networks released a report detailing Numbered Panda's use of Etumbot to target Taiwan and Japan.[3] In September 2014, FireEye released a report highlighting the group's evolution.[1] FireEye linked the release of Arbor Networks' report to Numbered Panda's change in tactics.[1]\r\n\r\nEast Asian Nations (2009-2011)\r\n\r\nTrend Micro reported on a campaign against East Asian governments, electronics manufacturers, and a telecommunications company.[5] Numbered Panda engaged in spear phishing email campaigns with malicious attachments.[5] Often, the malicious email attachments were PDF files that exploited CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, or CVE-2011-0611, vulnerabilities in Adobe Acrobat, Adobe Reader, and Flash Player.[5] The attackers also used an exploit for Microsoft Excel, CVE-2009-3129.[5] The Ixeshe malware used in this campaign allowed Numbered Panda to list all services, processes, and drives; terminate processes and services; download and upload files; start processes and services; get victims' user names; get a machine's name and domain name; download and execute arbitrary files; cause a system to pause or sleep for a specified number of minutes; spawn a remote shell; and list all current files and directories.[5] After installation, Ixeshe would start communicating with command-and-control servers; often three servers were hard-coded for redundancy.[5] Numbered Panda often used compromised servers as command-and-control servers to increase its control of a victim's network infrastructure.[5] Using this technique, the group is believed to have amassed sixty servers by 2012.[5] A majority of the command-and-control servers used in this campaign were located in Taiwan and the United States.[5] Base64 was used for communication between the compromised computer and the server.[5] Trend Micro found that, once decoded, the communication had a standardized structure that detailed the computer's name, local IP address, proxy server IP and port, and the malware ID.[5] Researchers at CrowdStrike found that blogs and WordPress sites were frequently used in the command-and-control infrastructure to make the network traffic look more legitimate.[2]\r\n\r\nJapan and Taiwan (2011-2014)\r\n\r\nAn Arbor Networks report found that Numbered Panda began a campaign against Japan and Taiwan using the Etumbot malware in 2011.[3] Similar to the previously observed campaign, the attackers used decoy files, such as PDFs, Excel spreadsheets, or Word documents, as email attachments to gain access to victims' computers.[3] Most of the documents observed were written in Traditional Chinese and usually pertained to Taiwanese government interests; several of the files related to upcoming conferences in Taiwan.[3] Once the malicious file was downloaded and extracted by the victim, Etumbot relied on a right-to-left override trick to get the victim to run the malware installer, which was disguised as a document.[3] According to Arbor Networks, the \"technique is a simple way for malware writers to disguise the names of malicious files. A hidden Unicode character in the filename will reverse the order of the characters that follow it, so that a .scr binary file appears to be a .xls document, for example.\"[3] Once the malware is installed, it requests an RC4 key from a command-and-control server, which is then used to encrypt subsequent communication.[3] As with the Ixeshe malware, Numbered Panda used Base64 encoded characters to communicate from compromised computers to the command-and-control servers.[3] Etumbot is able to determine if the target computer is using a proxy and will bypass the proxy settings to directly establish a connection.[3] After communication is established, the malware sends an encrypted message from the infected computer to the server with the NetBIOS name of the victim's system, user name, IP address, and whether the system is using a proxy.[3]\r\n\r\nAfter the June 2014 Arbor Networks report detailed Etumbot, FireEye discovered that Numbered Panda changed parts of the malware.[1] FireEye noticed that the protocols and strings previously used were changed in June 2014.[1] The researchers at FireEye believe this change was intended to help the malware evade further detection.[1] FireEye named this new version of Etumbot HighTide.[1] Numbered Panda continued to target Taiwan with spear phishing email campaigns with malicious attachments.[1] Attached Microsoft Word documents exploited the CVE-2012-0158 vulnerability to help propagate HighTide.[1] FireEye found that compromised Taiwanese government employee email accounts were used in some of the spear phishing.[1] HighTide differs from Etumbot in that its HTTP GET request changed the User-Agent, the format and structure of the HTTP Uniform Resource Identifier, the executable file location, and the image base address.[1]\r\n\r\nNew York Times (2012)\r\n\r\nNumbered Panda is believed to be responsible for the computer network breach at the New York Times in late 2012.[6][4] The attack occurred after the New York Times published a story about how the relatives of Wen Jiabao, the sixth Premier of the State Council of the People's Republic of China, \"accumulated a fortune worth several billion dollars through business dealings.\"[4] The computers used to launch the attack are believed to be the same university computers used by the Chinese military to attack United States military contractors.[4] Numbered Panda used updated versions of the malware packages Aumlib and Ixeshe.[6] The updated Aumlib allowed Numbered Panda to encode the body of a POST request to gather a victim's BIOS, external IP, and operating system.[6] A new version of Ixeshe altered the previous version's network traffic pattern in an effort to evade existing network traffic signatures designed to detect Ixeshe related infections.[6]\r\n\r\nReferences\r\n\r\n1. Moran, Ned; Oppenheim, Mike (3 September 2014). \"Darwin's Favorite APT Group\". Threat Research Blog. FireEye. Archived from the original on 18 July 2017. Retrieved 15 April 2017.\r\n2. Meyers, Adam (29 March 2013). \"Whois Numbered Panda\". CrowdStrike. Archived from the original on 16 March 2016. Retrieved 15 April 2017.\r\n3. \"Illuminating the Etumbot APT Backdoor\" (PDF). Arbor Networks. June 2014.\r\n4. Perlroth, Nicole (30 January 2013). \"Chinese Hackers Infiltrate New York Times Computers\". The New York Times. ISSN 0362-4331. Archived from the original on 30 April 2017. Retrieved 24 April 2017.\r\n5. Sancho, David; Torre, Jessa dela; Bakuei, Matsukawa; Villeneuve, Nart; McArdle, Robert (2012). \"IXESHE: An APT Campaign\" (PDF). Trend Micro. Archived (PDF) from the original on 7 March 2018. Retrieved 15 April 2017.\r\n6. \"Survival of the Fittest: New York Times Attackers Evolve Quickly\". Threat Research Blog. FireEye. Archived from the original on 21 May 2018. Retrieved 24 April 2017.\r\n\r\nSource: https://en.wikipedia.org/wiki/Numbered_Panda",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Numbered_Panda"
	],
	"report_names": [
		"Numbered_Panda"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446662,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c30b2c205c2e4d5069f4dac557a7fa31d1973e35.pdf",
		"text": "https://archive.orkl.eu/c30b2c205c2e4d5069f4dac557a7fa31d1973e35.txt",
		"img": "https://archive.orkl.eu/c30b2c205c2e4d5069f4dac557a7fa31d1973e35.jpg"
	}
}