{
	"id": "30c173db-5168-4100-9ee2-48e375c27ade",
	"created_at": "2026-04-06T00:06:41.262652Z",
	"updated_at": "2026-04-10T03:36:00.615782Z",
	"deleted_at": null,
	"sha1_hash": "dfb9d2e921a64e9d9dfd05425078371958be7cc3",
	"title": "Darwin's Favorite APT Group | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148837,
	"plain_text": "Darwin's Favorite APT Group | Mandiant\r\nBy Mandiant\r\nPublished: 2014-09-03 · Archived: 2026-04-05 13:03:17 UTC\r\nWritten by: Ned Moran, Mike Oppenheim\r\nIntroduction\r\nThe attackers referred to as APT12 (also known as IXESHE, DynCalc, and DNSCALC) recently started a new\r\ncampaign targeting organizations in Japan and Taiwan. APT12 is believed to be a cyber espionage group thought\r\nto have links to the Chinese People's Liberation Army. APT12's targets are consistent with larger People's\r\nRepublic of China (PRC) goals. Intrusions and campaigns conducted by this group are in line with PRC goals and\r\nself-interest in Taiwan. Additionally, the new campaigns we uncovered further highlight the correlation between\r\nAPT groups ceasing and retooling operations after media exposure, as APT12 used the same strategy after\r\ncompromising the New York Times in Oct 2012. Much like Darwin’s theory of biological evolution, APT12 has been\r\nforced to evolve and adapt in order to maintain its mission.\r\nThe new campaign marks the first APT12 activity publicly reported since Arbor Networks released their blog\r\n“Illuminating The Etumbot APT Backdoor.” FireEye refers to the Etumbot backdoor as RIPTIDE. Since the\r\nrelease of the Arbor blog post, FireEye has observed APT12 use a modified RIPTIDE backdoor that we call\r\nHIGHTIDE. This is the second time FireEye has discovered APT12 retooling after a public disclosure. As such,\r\nFireEye believes this to be a common theme for this APT group, as APT12 will continue to evolve in an effort to\r\navoid detection and continue its cyber operations.\r\nFireEye researchers also discovered two possibly related campaigns utilizing two other backdoors known as\r\nTHREEBYTE and WATERSPOUT. Both backdoors were dropped from malicious documents built utilizing the\r\n“Tran Duy Linh” exploit kit, which exploited CVE-2012-0158. These documents were also emailed to\r\norganizations in Japan and Taiwan. 
While APT12 has previously used THREEBYTE, it is unclear if APT12 was\r\nresponsible for the recently discovered campaign utilizing THREEBYTE. Similarly, WATERSPOUT is a newly\r\ndiscovered backdoor and the threat actors behind the campaign have not been positively identified. However, the\r\nWATERSPOUT campaign shared several traits with the RIPTIDE and HIGHTIDE campaign that we have\r\nattributed to APT12.\r\nBackground\r\nFrom October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that\r\ncommunicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE’s first communication with\r\nits C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication.\r\nhttps://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html\r\nPage 1 of 6\n\nFigure 1: RIPTIDE HTTP GET Request Example\r\nIn June 2014, Arbor Networks published an article describing the RIPTIDE backdoor and its C2 infrastructure in\r\ngreat depth. The blog highlighted that the backdoor was utilized in campaigns from March 2011 till May 2014.\r\nFollowing the release of the article, FireEye observed a distinct change in RIPTIDE’s protocols and strings. We\r\nsuspect this change was a direct result of the Arbor blog post in order to decrease detection of RIPTIDE by\r\nsecurity vendors. The changes to RIPTIDE were significant enough to circumvent existing RIPTIDE detection\r\nrules. FireEye dubbed this new malware family HIGHTIDE.\r\nHIGHTIDE Malware Family\r\nOn Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry. Attached\r\nto this email was a malicious Microsoft Word document (MD5: f6fafb7c30b1114befc93f39d0698560) that\r\nexploited CVE-2012-0158. 
It is worth noting that this email appeared to have been sent from another\r\nTaiwanese Government employee, implying that the email was sent from a valid but compromised account.\r\nFigure 2: APT12 Spearphishing Email\r\nThe exploit document dropped the HIGHTIDE backdoor with the following properties:\r\nMD5 6e59861931fa2796ee107dc27bfdd480\r\nSize 75264 bytes\r\nCompile Time 2014-08-23 08:22:49\r\nImport Hash ead55ef2b18a80c00786c25211981570\r\nThe HIGHTIDE backdoor connected directly to 141.108.2.157. If you compare the HTTP GET request from the\r\nRIPTIDE samples (Figure 1) to the HTTP GET request from the HIGHTIDE samples (Figure 3) you can see the\r\nmalware author changed the following items:\r\nUser Agent\r\nFormat and structure of the HTTP Uniform Resource Identifier (URI)\r\nFigure 3: HIGHTIDE GET Request Example\r\nSimilar to RIPTIDE campaigns, APT12 infects target systems with HIGHTIDE using a Microsoft Word (.doc)\r\ndocument that exploits CVE-2012-0158. FireEye observed APT12 deliver these exploit documents via phishing\r\nemails in multiple cases. 
Based on past APT12 activity, we expect the threat group to continue to utilize phishing\r\nas a malware delivery method.\r\nMD5 File Name Exploit\r\n73f493f6a2b0da23a79b50765c164e88 議程最新修正及注意事項.doc CVE-2012-0158\r\nf6fafb7c30b1114befc93f39d0698560 0824.1.doc CVE-2012-0158\r\neaa6e03d9dae356481215e3a9d2914dc 簡易名冊0全國各警察機關主官至分局長.doc CVE-2012-0158\r\n06da4eb2ab6412c0dc7f295920eb61c4 附檔.doc CVE-2012-0158\r\n53baedf3765e27fb465057c48387c9b6 103年第3屆通訊錄.doc CVE-2012-0158\r\n00a95fb30be2d6271c491545f6c6a707 2014 09 17 Welcome Reception for Bob and Jason_invitation.doc CVE-2012-0158\r\n4ab6bf7e6796bb930be2dd0141128d06 產諮會_Y103(2)委員會_從東協新興國家崛起(0825).doc CVE-2012-0158\r\nFigure 4: Identified exploit documents for HIGHTIDE\r\nWhen the file is opened, it drops HIGHTIDE in the form of an executable file onto the infected system.\r\nRIPTIDE and HIGHTIDE differ on several points: executable file location, image base address, the User-Agent\r\nwithin the GET requests, and the format of the URI. The RIPTIDE exploit document drops its executable file into\r\nthe C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document\r\ndrops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder. All\r\nbut one sample that we identified were written to this folder as word.exe. The one outlier was written as\r\nwinword.exe.\r\nResearch into this HIGHTIDE campaign revealed APT12 targeted multiple Taiwanese Government organizations\r\nbetween August 22 and 28.\r\nTHREEBYTE Malware Family\r\nOn Monday August 25, 2014 we observed a different spear phish email sent from lilywang823@gmail.com to a\r\ntechnology company located in Taiwan. This spear phish contained a malicious Word document that exploited\r\nCVE-2012-0158. 
The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11.\r\nSimilar to the newly discovered HIGHTIDE samples documented above, this malicious document dropped a\r\nbackdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe. This backdoor had\r\nthe following properties:\r\nMD5 16e627dbe730488b1c3d448bfc9096e2\r\nSize 75776 bytes\r\nCompile Time 2014-08-25 01:22:20\r\nImport Hash dcfaa2650d29ec1bd88e262d11d3236f\r\nThis backdoor sent the following callback traffic to video[.]csmcpr[.]com:\r\nFigure 5: THREEBYTE GET Request Beacon\r\nThe THREEBYTE spear phishing incident (while not yet attributed) shared the following characteristics with the\r\nabove HIGHTIDE campaign attributed to APT12:\r\nThe THREEBYTE backdoor was compiled two days after the HIGHTIDE backdoors.\r\nBoth the THREEBYTE and HIGHTIDE backdoors were used in attacks targeting organizations in Taiwan.\r\nBoth the THREEBYTE and HIGHTIDE backdoors were written to the same file path of C:\\DOCUMENTS\r\nand SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe.\r\nAPT12 has previously used the THREEBYTE backdoor.\r\nWATERSPOUT Malware Family\r\nOn August 25, 2014, we observed another round of spear phishing emails targeting a high-technology company in\r\nJapan. Attached to this email was another malicious document that was designed to exploit CVE-2012-0158. This\r\nmalicious Word document had an MD5 of 499bec15ac83f2c8998f03917b63652e and dropped a backdoor to\r\nC:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe. 
The backdoor had the following\r\nproperties:\r\nMD5 f9cfda6062a8ac9e332186a7ec0e706a\r\nSize 49152 bytes\r\nCompile Time 2014-08-25 02:10:11\r\nImport Hash 864cd776c24a3c653fd89899ca32fe0b\r\nThe backdoor connects to a command and control server at icc[.]ignorelist[.]com.\r\nSimilar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an HTTP-based backdoor that\r\ncommunicates with its C2 server.\r\nGET /\u003cstring\u003e/\u003c5 digit number\u003e/\u003c4 character string\u003e.php?\u003cfirst 3 characters of last string\u003e_id=\u003c43 character st\r\nAccept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR\r\nHost: \u003cC2 Location\u003e\r\nCache-Control: no-cache\r\nFigure 6: Sample GET request for WATERSPOUT backdoor\r\nAlthough there are no current infrastructure ties to link this backdoor to APT12, there are several data points that\r\nshow a possible tie to the same actors:\r\nSame initial delivery method (spear phishing email) with a Microsoft Word Document exploiting CVE-2012-0158.\r\nAlthough these points do not definitively tie WATERSPOUT to APT12, they do indicate a possible connection\r\nbetween the WATERSPOUT campaign, the THREEBYTE campaign, and the HIGHTIDE campaign attributed to\r\nAPT12.\r\nConclusion\r\nFireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware\r\ndetection while APT12 developed a completely new malware toolset. 
These development efforts may have\r\nresulted in the emergence of the WATERSPOUT backdoor.\r\nFigure 7: Compile dates for all three malware families\r\nAPT12’s adaptations to public disclosures lead FireEye to make several conclusions about this threat group:\r\nThough public disclosures resulted in APT12 adaptations, FireEye observed only a brief pause in APT12 activity\r\nbefore the threat actors returned to normal activity levels. Similarly, the public disclosure of APT12’s intrusion at\r\nthe New York Times also led to only a brief pause in the threat group’s activity and immediate changes in TTPs.\r\nThe pause and retooling by APT12 were covered in the Mandiant 2014 M-Trends report. Currently, APT12\r\ncontinues to target organizations and conduct cyber operations using its new tools. Most recently, FireEye\r\nobserved HIGHTIDE at multiple Taiwan-based organizations and the suspected APT12 WATERSPOUT backdoor\r\nat a Japan-based electronics company. We expect that APT12 will continue this trend and evolve and change its\r\ntactics to stay ahead of network defenders.\r\nNote: IOCs for this campaign can be found here.\r\nSource: https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
	],
	"report_names": [
		"darwins-favorite-apt-group-2.html"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfb9d2e921a64e9d9dfd05425078371958be7cc3.pdf",
		"text": "https://archive.orkl.eu/dfb9d2e921a64e9d9dfd05425078371958be7cc3.txt",
		"img": "https://archive.orkl.eu/dfb9d2e921a64e9d9dfd05425078371958be7cc3.jpg"
	}
}