{
	"id": "bbc65801-8f4a-4ee0-8b90-55a236cccc44",
	"created_at": "2026-04-06T01:29:31.001592Z",
	"updated_at": "2026-04-10T03:36:00.543869Z",
	"deleted_at": null,
	"sha1_hash": "d548f0ca881bd306ce510e1c3a7afdbdd33115f2",
	"title": "APT 12, Numbered Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67993,
	"plain_text": "APT 12, Numbered Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 01:07:17 UTC\r\n APT group: APT 12, Numbered Panda\r\nNames\r\nAPT 12 (Mandiant)\r\nNumbered Panda (CrowdStrike)\r\nCTG-8223 (SecureWorks)\r\nBronze Globe (SecureWorks)\r\nBeeBus (FireEye)\r\nCalc Team (Symantec)\r\nDynCALC (Symantec)\r\nDNSCalc (Symantec)\r\nGroup 22 (Talos)\r\nCrimson Iron (ThreatConnect)\r\nHexagon Typhoon (Microsoft)\r\nG0005 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2009\r\nDescription (CrowdStrike) Numbered Panda has a long list of high-profile victims and is known\r\nby a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc.\r\nNumbered Panda has targeted a variety of victims including but not limited to media\r\noutlets, high-tech companies, and multiple governments. Numbered Panda has\r\ntargeted organizations in time-sensitive operations such as the Fukushima Reactor\r\nIncident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation\r\noperations. Screen saver files, which are binary executables and PDF documents, are\r\ncommon Numbered Panda weaponization tactics. One of the most interesting\r\ntechniques that Numbered Panda likes to use is to dynamically calculate the\r\nCommand and Control (C2) port by resolving a DNS. This effectively helps\r\nNumbered Panda bypass egress filtering implemented to prevent unauthorized\r\ncommunications on some enterprises. 
The malware will typically use two DNS\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a85ba864-0a13-4337-bd57-8df380b7b4fa\r\nPage 1 of 3\n\nnames for communication: one is used for command and control; the other is used\r\nwith an algorithm to calculate the port to communicate to.\r\nObserved\r\nSectors: Defense, Government, High-Tech, Media, Telecommunications and\r\nElectronics and journalists.\r\nCountries: Germany, Japan, Taiwan, USA and East Asia.\r\nTools used\r\nAUMLIB, ETUMBOT, IHEATE, IXESHE, RapidStealer, THREEBYTE,\r\nWaterSpout.\r\nOperations performed\r\nJul 2009\r\n“IXESHE” campaign\r\nTarget: East Asian governments, Taiwanese electronics manufacturers\r\nand a telecommunications company.\r\n\u003chttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf\u003e\r\nMay 2011\r\n“AUMLIB” campaign\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html\u003e\r\n2011\r\n“ETUMBOT” campaign\r\nTarget: Taiwan\r\nOnce the malicious file was downloaded and extracted by the victim,\r\nEtumbot uses a right-to-left override exploit to trick the victim to\r\ndownload the malware installer. According to Arbor Security, the\r\n“technique is a simple way for malware writers to disguise names of\r\nmalicious files. 
A hidden Unicode character in the filename will\r\nreverse the order of the characters that follow it, so that a .scr binary\r\nfile appears to be a .xls document, for example.”\r\n\u003chttps://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-\r\nIlluminating-Etumbot-APT.pdf\u003e\r\nOct 2012 Breach of The New York Times\r\n“For the last four months, Chinese hackers have persistently attacked\r\nThe New York Times, infiltrating its computer systems and getting\r\npasswords for its reporters and other employees.”\r\nThe attack occurred after the New York Times published a story about\r\nhow the relatives of Wen Jiabao, the sixth Premier of the State Council\r\nof the People’s Republic of China, “accumulated a fortune worth\r\nseveral billion dollars through business dealings.” The computers used\r\nto launch the attack are believed to be the same university computers\r\nused by the Chinese military to attack United States military\r\ncontractors.\r\nOct 2012\n“RIPTIDE” campaign\nSpear-phishing on Taiwanese Government\nAug 2014\n“HIGHTIDE” campaign\nSpear-phishing on Taiwanese Government\nUses an updated version of ETUMBOT.\nAug 2014\n“THREEBYTE” campaign\nSpear-phishing on Taiwanese Government\nAug 2014\n“WATERSPOUT” campaign\nSpear-phishing on Taiwanese Government\nJan 2016\nIXESHE Derivative IHEATE Targets Users in America\nNov 2016\n“CNACOM” campaign\nOn November 7, we spotted a malicious injection on the registration\npage of a major Taiwanese public service website. 
An iframe was\ninjected into the footer of the page, which then loaded a unique\nlanding page containing the CVE-2016-0189 exploit code.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a85ba864-0a13-4337-bd57-8df380b7b4fa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a85ba864-0a13-4337-bd57-8df380b7b4fa"
	],
	"report_names": [
		"showcard.cgi?u=a85ba864-0a13-4337-bd57-8df380b7b4fa"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438971,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d548f0ca881bd306ce510e1c3a7afdbdd33115f2.pdf",
		"text": "https://archive.orkl.eu/d548f0ca881bd306ce510e1c3a7afdbdd33115f2.txt",
		"img": "https://archive.orkl.eu/d548f0ca881bd306ce510e1c3a7afdbdd33115f2.jpg"
	}
}