APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[1]

ID: G0005
Associated Groups: IXESHE, DynCalc, Numbered Panda, DNSCALC
Version: 2.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description

[1] [2]


[1] [2]

Numbered Panda




Techniques Used

Domain ID Name Use
Enterprise T1568 .003 Dynamic Resolution: DNS Calculation

APT12 has used multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.[1]

Enterprise T1203 Exploitation for Client Execution

APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).[2][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.[2][3]

Enterprise T1204 .002 User Execution: Malicious File

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.[2][3]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT12 has used blogs and WordPress for C2 infrastructure.[1]


ID Name References Techniques
S0040 HTRAN [3] Process Injection, Proxy, Rootkit
S0015 Ixeshe [4][2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Process Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery
S0003 RIPTIDE [2] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography