MITRE ATT&CK® Group

G0005: APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[1]

Enterprise | G0005 | Group | Object v2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

APT12 is an ATT&CK-tracked intrusion set, also referenced as IXESHE, DynCalc, Numbered Panda, and DNSCALC, described by MITRE as China-attributed and historically targeting media, high-tech companies, and governments. For defenders, the practical value is not the name alone: the supplied relationships point to a pattern of targeted email-driven access, client-side execution, and command-and-control using DNS/web channels and proxy-aware tooling.

Executive priority

Treat this as a planning reference for targeted-intrusion readiness, especially if the organization has media, technology, government, or adjacent exposure. Leaders should ask whether email security, endpoint visibility, DNS/proxy logging, and incident response playbooks can connect an initial malicious attachment or client exploit to later command-and-control activity. Because MITRE provides no official detection text for the group, coverage should be proven through control validation rather than assumed from threat-name matching.

Technical view

ATT&CK relationships for APT12 include Spearphishing Attachment, Malicious File, Exploitation for Client Execution, Bidirectional Communication, DNS Calculation, and use of RIPTIDE, Ixeshe, and HTRAN. SOC and IR teams should validate visibility across initial access, execution, and C2 rather than relying on a single indicator. The group object itself specifies no platforms or tactics, but the related techniques span Linux, macOS, Windows, and ESXi, and the related software runs on Windows or on both Linux and Windows.

Likely telemetry

  • Email security logs for attachments, sender metadata, delivery, quarantine, and user interaction
  • Endpoint telemetry for file creation, document/application launches, child processes, exploit-like crashes, and suspicious execution
  • DNS query and response logs, including unusual resolution patterns and calculated or unexpected follow-on connections
  • Web proxy, firewall, and network flow records for outbound web-service communication and proxy-like behavior
  • EDR/AV detections or malware analysis records referencing RIPTIDE, Ixeshe, HTRAN, or related aliases where available

Detection direction

  • Map detections to the related behaviors: malicious attachments, user-opened files, client exploitation, DNS-based C2 calculation, bidirectional web communication, and proxy tooling.
  • Correlate email delivery and attachment execution with endpoint process activity and later DNS/proxy traffic; isolated alerts may miss the intrusion chain.
  • Tune for false positives around legitimate web services, normal DNS variability, and authorized proxy tools, but require investigation when these appear after suspicious attachment or exploit events.
  • Validate whether named malware/tool detections are signature-only or behavior-based; absence of a family name should not be treated as absence of the behavior.
  • Review ATT&CK relationship context during threat hunting, since the group object has no official detection guidance and no directly specified platforms.

Mitigation priorities

  • Prioritize phishing attachment controls, attachment detonation, and user-reporting workflows for targeted email scenarios.
  • Maintain timely patching and exposure management for client applications that process documents, web content, or other user-opened files.
  • Enforce least privilege and endpoint hardening to reduce the impact of malicious file execution or client exploit success.
  • Strengthen DNS, proxy, and egress controls so unusual outbound C2 patterns can be logged, investigated, and constrained.
  • Prepare IR playbooks that join email, endpoint, DNS, and proxy evidence quickly when a suspected targeted intrusion begins with a file or exploit.

Analyst notes and limits

This take is based on ATT&CK G0005 version 2.1 and the supplied relationships to software and techniques. The aliases and references are useful for threat intelligence correlation, but defenders should translate them into behavior-based validation rather than relying only on historical names.

MITRE provides no official detection text, no group-level platforms, and no group-level tactics in the supplied object. The relationship descriptions are partially summarized, and local telemetry, control configuration, and risk context are required before making any statement about organizational exposure or detection coverage.

Official MITRE ATT&CK definition

APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1204.002 | Malicious File (sub-technique)

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing. [Moran 2014; Trend Micro IXESHE 2012]

Enterprise | T1102.002 | Bidirectional Communication (sub-technique)

APT12 has used blogs and WordPress for C2 infrastructure. [Meyers Numbered Panda]

Enterprise | T1568.003 | DNS Calculation (sub-technique)

APT12 has used multiple variants of DNS Calculation, including multiplying the first two octets of an IP address and adding the third octet to that value in order to derive the resulting command and control port. [Meyers Numbered Panda]

Enterprise | T1203 | Exploitation for Client Execution

APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611). [Moran 2014; Trend Micro IXESHE 2012]

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)

APT12 has sent emails with malicious Microsoft Office documents and PDFs attached. [Moran 2014; Trend Micro IXESHE 2012]
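The DNS Calculation row above gives the exact arithmetic for one variant, and the Detection direction list earlier asks for DNS answers to be correlated with later outbound traffic. The following is an added example, not code from the page, from Glexia, or from MITRE: it applies that arithmetic (first octet times second octet, plus the third octet) to constructed DNS-answer and flow records and flags connections to the computed port made shortly after the resolution. The log formats, field names, and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed formats; not from the page or from MITRE).
DNS_LOG = """\
2024-05-01T10:00:02Z client=10.0.0.21 query=update.example-cdn.test answer=10.3.7.9
2024-05-01T10:00:05Z client=10.0.0.21 query=www.example.test answer=93.184.216.34
"""
FLOW_LOG = """\
2024-05-01T10:00:04Z src=10.0.0.21 dst=10.3.7.9 dport=37
2024-05-01T10:00:06Z src=10.0.0.21 dst=93.184.216.34 dport=443
2024-05-01T10:20:00Z src=10.0.0.21 dst=10.3.7.9 dport=37
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Parse 'timestamp key=value ...' lines into dicts carrying a datetime 'ts'."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        row = dict(KV.findall(rest))
        row["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows

def dnscalc_port(ip):
    """The DNS Calculation variant the relationship text describes:
    (first octet * second octet) + third octet. The largest possible value is
    255*255 + 255 = 65280, so the result always fits in a TCP/UDP port."""
    o1, o2, o3, _ = (int(x) for x in ip.split("."))
    return o1 * o2 + o3

def find_dnscalc_c2(dns_log, flow_log, window=timedelta(minutes=10)):
    """Flag outbound flows from a client to an address it resolved within
    `window`, where the destination port equals the DNS-calculated port."""
    hits = []
    flows = parse(flow_log)
    for ans in parse(dns_log):
        expected = dnscalc_port(ans["answer"])
        for f in flows:
            if (f["src"] == ans["client"] and f["dst"] == ans["answer"]
                    and int(f["dport"]) == expected
                    and ans["ts"] <= f["ts"] <= ans["ts"] + window):
                hits.append((ans["query"], ans["answer"], expected, f["ts"].isoformat()))
    return hits
```

Calling find_dnscalc_c2(DNS_LOG, FLOW_LOG) on the sample data returns only the first flow (port 37 follows the 10.3.7.9 answer within the window); the flow to the same address twenty minutes later falls outside the window and the 443 connection does not match the computed port 17328.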

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0040: HTRAN

HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with victim networks. [1][2]

Platforms: Linux, Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 79013e760380bcf2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.1 | | Current bundle | 79013e760380…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Meyers Numbered Panda: Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.
  2. [2] APT12 (alias entry; citations: Meyers Numbered Panda, Moran 2014)
  3. [3] DNSCALC (alias entry; citation: Moran 2014)
  4. [4] DynCalc (alias entry; citations: Meyers Numbered Panda, Moran 2014)
  5. [5] IXESHE (alias entry; citations: Meyers Numbered Panda, Moran 2014)
  6. [6] Moran 2014: Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  7. [7] Numbered Panda (alias entry; citation: Meyers Numbered Panda)
  8. [8] mitre-attack G0005

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.