Skip to main content
Mallory
Back to threat actors
China2 malware familiesExploits CVEs in the wild

APT12

Also known asAPT12Calc TeamDNS-CalcDNSCALCDynCalcHexagon TyphoonHORDEHYDROGENIXESHENUMBERED PANDARed Anubis

APT12, also known as Numbered Panda, is a China-attributed threat group. Aliases provided in the content include Calc Team, DNSCALC / DNS_Calc, DynCalc, Hexagon Typhoon, Horde, Hydrogen, IXESHE, Numbered Panda, and Red Anubis. The group has targeted media organizations, high-technology companies, and multiple governments. Mandiant internally referred to the group as APT12 in reporting on the intrusion into The New York Times, which it assessed as part of a broader Chinese cyber-espionage campaign against Western media, journalists, corporations, and other organizations. Directly referenced tradecraft includes spearphishing emails with malicious Microsoft Office documents and PDF attachments, attempting to induce victims to open malicious Word and PDF files, and exploitation of multiple client-side vulnerabilities for execution, including Microsoft Office CVE-2009-3129 and CVE-2012-0158, Adobe Reader CVE-2009-4324 and CVE-2009-0927, and Adobe Flash CVE-2011-0609 and CVE-2011-0611. The group has used the RIPTIDE RAT, which communicates over HTTP and uses RC4-encrypted payloads, and has used blogs and WordPress for command-and-control infrastructure. The content also notes APT12 use of HTRAN. In the New York Times intrusion described in the content, investigators found the attackers compromised employee passwords, accessed the personal computers of 53 employees, targeted the email accounts of David Barboza and Jim Yardley, established multiple backdoors, used compromised U.S. university systems as proxies, deployed custom malware, and created software to search for and collect targeted emails and documents. Mandiant stated the intrusion matched activity it tracked as APT12.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics23 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×30
Spearphishing Attachment
T1566.002×4
Spearphishing Link
TA0002
Execution
3 techniques
T1059
Command and Scripting Interpreter
T1059.001×2
PowerShell
T1203×3
Exploitation for Client Execution
T1204
User Execution
T1204.001
Malicious Link
T1204.002×12
Malicious File
TA0005
Stealth
2 techniques
T1036
Masquerading
T1036.008
Masquerade File Type
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
TA0007
Discovery
1 technique
T1087
Account Discovery
T1087.002
Domain Account
TA0011
Command and Control
4 techniques
T1090
Proxy
T1102×2
Web Service
T1102.002
Bidirectional Communication
T1102.003
One-Way Communication
T1568
Dynamic Resolution
T1568.003
DNS Calculation
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
HTRAN…released “HTRAN,” a tool designed to obscure an attacker’s location by rerouting internet traffic through intermediary computers… | Other tools developed within former red hacker circles include HTRAN... Designed to obscure an attacker’s location by rerouting internet traffic through intermediary computers, HTRAN has been used in operations such as Shady RAT in 2011 and by Chinese threat groups including GALLIUM and APT12.1Mar 19, 2026
RIPTIDEAPT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

7 CVEs this actor has used in observed campaigns. 7 of them exploited in the wild.

CVE-2009-0927Adobe Reader/Acrobat Collab getIcon Stack Buffer OverflowIn the wildEvidence2

...vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).

CVE-2009-3129Excel FEATHEADER Record Memory Corruption VulnerabilityIn the wildEvidence2

APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158)...

CVE-2009-4324Adobe Reader and Acrobat Doc.media.newPlayer Use-After-Free RCEIn the wildEvidence2

...vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).

CVE-2011-0609Remote Code Execution in Adobe Flash Player and Authplay.dllIn the wildEvidence2

...vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).

CVE-2011-0611Adobe Flash Player and Authplay.dll type confusion remote code executionIn the wildEvidence2

...has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.

2 more CVEs tied to this actor tracked in Mallory.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 13, 2026
Detection: Windows Binary Execution from an Archive | Splunk Security Content

Listed as a threat actor associated with the malicious file execution technique detected by this analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows EFI Volume Mount Attempt Via Mountvol | Splunk Security Content

Listed in the detection annotations as a threat actor associated with the installation / pre-OS boot persistence technique context for EFI volume mounting activity.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Universal Data Link File Creation | Splunk Security Content

Referenced as a threat actor associated with spearphishing attachment activity involving malicious file execution and potential credential capture via UDL files.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Suspicious QEMU Execution | Splunk Security Content

Listed as a threat actor associated with the observed use of QEMU and the -nographic flag to install a rogue Linux virtual machine for persistence and initial access.

Read more
+56 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping17

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs7

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.