{
	"id": "2e7b779d-60df-4f3a-b2f8-a47baf095602",
	"created_at": "2026-04-06T01:31:30.027247Z",
	"updated_at": "2026-04-10T03:36:00.582852Z",
	"deleted_at": null,
	"sha1_hash": "f2542f40abe18c9a6097f44805ba03325996607a",
	"title": "Survival of the Fittest: New York Times Attackers Evolve Quickly",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260721,
	"plain_text": "Survival of the Fittest: New York Times Attackers Evolve Quickly\r\nBy Ned Moran, Nart Villeneuve\r\nPublished: 2013-08-12 · Archived: 2026-04-06 01:24:10 UTC\r\nThe attackers behind the breach of the New York Times’ computer network late last year appear to be mounting\r\nfresh assaults that leverage new and improved versions of malware.\r\nThe new campaigns mark the first significant stirrings from the group since it went silent in January in the wake\r\nof a detailed exposé of the group and its exploits — and a retooling of what security researchers believe is a\r\nmassive spying operation based in China [1].\r\nThe newest campaign uses updated versions of Aumlib and Ixeshe.\r\nAumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye\r\nresearchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping\r\neconomic policy.\r\nAnd a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new\r\nnetwork traffic patterns, possibly to evade traditional network security systems.\r\nThe updates are significant for both of the longstanding malware families; before this year, Aumlib had not\r\nchanged since at least May 2011, and Ixeshe had not evolved since at least December 2011.\r\nBACKGROUND\r\nCybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses. But\r\nlarger, more successful threat actors tend to evolve at a slower rate.\r\nAs long as these actors regularly achieve their objective (stealing sensitive data), they are not motivated to update\r\nor rethink their tactics, techniques, and procedures (TTPs). These threat actors’ tactics follow the same principles of\r\nevolution – successful techniques propagate, and unsuccessful ones are abandoned. Attackers do not change their\r\napproach unless an external force or environmental shift compels them to. 
As the old saying goes: If it ain’t broke,\r\ndon’t fix it.\r\nSo when a larger, successful threat actor changes up tactics, the move always piques our attention. Naturally, our\r\nfirst priority is ensuring that we detect the new or altered TTPs. But we also attempt to figure out why the\r\nadversary changed — what broke? — so that we can predict if and when they will change again in the future.\r\nWe observed an example of this phenomenon around May. About four months after The New York Times\r\npublicized an attack on its network, the attackers behind the intrusion deployed updated versions of their\r\nBackdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families [2].\r\nhttps://web.archive.org/web/20191224162418/https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html\r\nPage 1 of 4\n\nThe previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at\r\nleast December 2011.\r\nWe cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the\r\nepisode. But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat\r\nactors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining\r\nworkers on new processes.\r\nThe following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe.\r\nBackdoor.APT.Aumlib\r\nAumlib has been used in targeted attacks for years. 
Older variants of this malware family generated the following\r\nPOST request:\r\nPOST /bbs/info.asp HTTP/1.1\r\nData sent via this POST request was transmitted in clear text in the following structure:\r\n\u003cVICTIM BIOS NAME\u003e|\u003cCAMPAIGN ID\u003e|\u003cVICTIM EXTERNAL IP\u003e|\u003cVICTIM OS\u003e|\r\nA recently observed malware sample (MD5 832f5e01be536da71d5b3f7e41938cfb) appears to be a modified\r\nvariant of Aumlib.\r\nThe sample, which was deployed against an organization involved in shaping economic policy, was downloaded\r\nfrom the following URL:\r\nstatus[.]acmetoy[.]com/DD/myScript.js or status[.]acmetoy[.]com/DD/css.css\r\nThe sample generated the following traffic:\r\n[traffic capture shown as an image in the original post]\r\nThis output reveals the following changes when compared with earlier variants:\r\nThe POST URI is changed to /bbs/search.asp (as mentioned, earlier Aumlib variants used a POST URI of\r\n/bbs/info.asp.)\r\nThe POST body is now encoded.\r\nAdditional requests from the sample generated the following traffic:\r\n[traffic capture shown as an image in the original post]\r\nThese subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of\r\nthe Aumlib family.\r\nThe sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash\r\ncb3dcde34fd9ff0e19381d99b02f9692. The sample cb3dcde34fd9ff0e19381d99b02f9692 connected to\r\ndocuments[.]myPicture[.]info and www[.]documents[.]myPicture[.]info and, as expected, generated a POST\r\nrequest to /bbs/info.asp.\r\nBackdoor.APT.Ixeshe\r\nIxeshe has been used in targeted attacks since 2009, often against entities in East Asia [3]. 
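Worked detection example (added here; this is not code from the original post, from FireEye, or from the malware authors). It turns the Aumlib changes described above, and the Ixeshe URI pattern given in the next paragraph, into three small rules run over constructed HTTP request records, to show why a signature pinned to the exact /bbs/info.asp URI and clear-text body misses the /bbs/search.asp variant, while a rule keyed on the overall shape of the beacon still fires and still ignores an ordinary forum post to the same path. Assumptions: the request records, victim field values, encoded body and Ixeshe query string are made up; the opaque-body heuristic for the encoded variant is a stand-in, because the post does not describe the new encoding; the Ixeshe regex reads the space in the printed pattern as an extraction artifact.

```python
import ipaddress
import re

# Constructed sample requests, not captures from the FireEye post. Hosts and URIs
# mirror the indicators quoted in the post; victim fields, the encoded body and the
# Ixeshe query string are made up for illustration.
SAMPLES = [
    # old Aumlib beacon: clear-text, pipe-delimited body to /bbs/info.asp
    {'id': 'aumlib-old', 'method': 'POST', 'host': 'documents.myPicture.info',
     'uri': '/bbs/info.asp', 'body': 'VICTIM-PC|C1|203.0.113.10|Windows XP|'},
    # updated Aumlib beacon: new URI and an encoded (opaque, constructed) body
    {'id': 'aumlib-new', 'method': 'POST', 'host': 'status.acmetoy.com',
     'uri': '/bbs/search.asp', 'body': 'hF2Zk9qLw1TxP0sRvYbN8eUoAiG5dCmJ'},
    # Ixeshe-style check-in matching the long-standing URI pattern (query is plain
    # Base64 here for readability; the real family uses a custom alphabet)
    {'id': 'ixeshe-classic', 'method': 'GET', 'host': '198.51.100.23',
     'uri': '/AWS96.jsp?SG9zdDEyM3wxMC4wLjAuMXxsbDY1', 'body': ''},
    # benign forum post that happens to use /bbs/info.asp (a URI-only rule would flag it)
    {'id': 'benign-forum', 'method': 'POST', 'host': 'forum.example.net',
     'uri': '/bbs/info.asp', 'body': 'title=hello&content=world'},
]

AUMLIB_OLD_URI = '/bbs/info.asp'
AUMLIB_NEW_URI = '/bbs/search.asp'
# Ixeshe URI pattern from the post, /[ACD][EW]S[Numbers].jsp?[Base64]. The query is
# custom-alphabet Base64, so the rule only checks its character set and never decodes it.
IXESHE_URI_RE = re.compile('^/[ACD][EW]S[0-9]+[.]jsp[?][A-Za-z0-9+/=]+$')


def parse_aumlib_beacon(body):
    '''Parse the old clear-text beacon <BIOS NAME>|<CAMPAIGN ID>|<EXTERNAL IP>|<OS>|.
    Returns a dict of fields, or None when the body does not have that shape.'''
    if not body.endswith('|'):
        return None
    fields = body[:-1].split('|')
    if len(fields) != 4 or not all(fields):
        return None
    try:
        ipaddress.ip_address(fields[2])   # third field must be a real IP address
    except ValueError:
        return None
    return {'bios_name': fields[0], 'campaign_id': fields[1],
            'external_ip': fields[2], 'os': fields[3]}


def sig_aumlib_legacy(req):
    '''Signature written against the 2011-era variant: exact URI plus clear-text body.'''
    return (req['method'] == 'POST' and req['uri'] == AUMLIB_OLD_URI
            and parse_aumlib_beacon(req['body']) is not None)


def sig_aumlib_updated(req):
    '''Broadened rule: either known Aumlib URI, with a clear-text beacon or an opaque
    body that carries no form-encoding characters. The opaque-body test is an assumed
    stand-in for the undocumented new encoding, not the real decoder.'''
    if req['method'] != 'POST' or req['uri'] not in (AUMLIB_OLD_URI, AUMLIB_NEW_URI):
        return False
    if parse_aumlib_beacon(req['body']) is not None:
        return True
    body = req['body']
    return len(body) >= 16 and '=' not in body and '&' not in body


def sig_ixeshe_uri(req):
    '''Match the classic Ixeshe URI shape; the updated sample in the post would not hit this.'''
    return req['method'] == 'GET' and IXESHE_URI_RE.match(req['uri']) is not None


def classify(req):
    '''Return the names of the rules that fire for one request, in a fixed order.'''
    hits = []
    for name, rule in (('aumlib_legacy', sig_aumlib_legacy),
                       ('aumlib_updated', sig_aumlib_updated),
                       ('ixeshe_uri', sig_ixeshe_uri)):
        if rule(req):
            hits.append(name)
    return hits


def run(samples=SAMPLES):
    '''Classify every sample; the result maps sample id to the list of firing rules.'''
    return {req['id']: classify(req) for req in samples}


if __name__ == '__main__':
    for sid, hits in run().items():
        print(sid, hits or ['no match'])
```

Running it shows aumlib-old hitting both Aumlib rules, aumlib-new hitting only the broadened one, ixeshe-classic hitting only the URI rule, and the benign forum post hitting nothing. The lesson the post draws holds in code: a rule that encodes one exact URI and one exact body layout is what a one-line change in the malware defeats, so the durable part of a signature is the beacon structure and the small set of paths the family has reused, not a single string.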
Although the network\r\ntraffic is encoded with a custom Base64 alphabet, the URI pattern has been largely consistent:\r\n/[ACD] [EW]S[Numbers].jsp?[Base64]\r\nWe analyzed a recent sample that appears to have targeted entities in Taiwan, a target consistent with previous\r\nIxeshe activity.\r\nThis sample (MD5 aa873ed803ca800ce92a39d9a683c644) exhibited network traffic that does not match the earlier\r\npattern and therefore may evade existing network traffic signatures designed to detect Ixeshe-related infections.\r\n[traffic capture shown as an image in the original post]\r\nThe Base64-encoded data still contains information including the victim’s hostname and IP address but also a\r\n“mark” or “campaign tag/code” that the threat actors use to keep track of their various attacks. The mark for this\r\nparticular attack was [ll65].\r\nCONCLUSION\r\nBased on our observations, the most successful threat actors evolve slowly and deliberately. So when they do\r\nchange, pay close attention.\r\nKnowing how attackers’ strategies are shifting is crucial to detecting and defending against today’s advanced threats.\r\nBut knowing the “why” is equally important. 
That additional degree of understanding can help organizations\r\nforecast when and how a threat actor might change their behavior — because if you successfully foil their attacks,\r\nthey probably will.\r\nNotes\r\n[1] http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all\r\n[2] Mandiant tracks this actor as APT12.\r\n[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf\r\nSource: https://web.archive.org/web/20191224162418/https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20191224162418/https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
	],
	"report_names": [
		"survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
	],
	"threat_actors": [
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439090,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2542f40abe18c9a6097f44805ba03325996607a.pdf",
		"text": "https://archive.orkl.eu/f2542f40abe18c9a6097f44805ba03325996607a.txt",
		"img": "https://archive.orkl.eu/f2542f40abe18c9a6097f44805ba03325996607a.jpg"
	}
}