Skip to content

G0005 APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.1

Item Value
ID G0005
Associated Names IXESHE, DynCalc, Numbered Panda, DNSCALC
Version 2.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
DynCalc 1 2
Numbered Panda 1

Techniques Used

Domain ID Name Use
enterprise T1568 Dynamic Resolution -
enterprise T1568.003 DNS Calculation APT12 has used multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.1
enterprise T1203 Exploitation for Client Execution APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).23
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.23
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.23
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication APT12 has used blogs and WordPress for C2 infrastructure.1


ID Name References Techniques
S0040 HTRAN - Process Injection Proxy Rootkit
S0015 Ixeshe - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Standard Encoding:Data Encoding Data from Local System File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal on Host Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Process Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery
S0003 RIPTIDE - Web Protocols:Application Layer Protocol Commonly Used Port Symmetric Cryptography:Encrypted Channel


Back to top