Numbered Panda | Cyble

Threat Actor Profile: Numbered Panda 

Numbered Panda is an advanced persistent threat (APT) group, known for having multiple monikers, such as APT12, BeeBusBronze, Calc Team, and several other aliases. The group has been attributed to state-sponsored operations originating in China. This group has long been associated with cyber-espionage campaigns targeting sensitive sectors and geopolitical interests. 

Numbered Panda is no newcomer. Under the umbrella of APT12, the group’s documented history dates back to campaigns such as IXESHE and ETUMBOT, which primarily targeted East Asian governments, with a strong focus on Taiwan. A hallmark of their operations is the use of advanced malware designed for prolonged espionage, data exfiltration, and system compromise. 

One of the group’s most notorious activities involved the attack on a popular US newspaper firm, believed to be in retaliation for the publication of a sensitive investigative piece involving Chinese leadership.  

Origin, Targets, and Global Reach

Figure: Cyble Vision Threat Library (Source: Cyble Vision)

Numbered Panda is widely believed to be a state-sponsored group based in China, with motivations grounded in intelligence gathering, political espionage, and industrial theft. Their focus on high-value sectors and national infrastructure suggests a calculated strategic mission rather than opportunistic cybercrime. 

Numbered Panda’s campaigns span a broad range of sectors and geographies. Their known targets include entities in Germany, Japan, Taiwan, and the United States, particularly within the aerospace and defense, government, telecommunications, technology, and media industries. This widespread targeting pattern suggests a dual purpose: gathering geopolitical intelligence and stealing proprietary technology. 

Malware Arsenal

Figure: Malware Families Used by Numbered Panda (Source: Cyble Vision)

Numbered Panda maintains a diverse and customized malware toolset, often modifying payloads to suit regional environments and security measures. Their known malware families include: 

  • IXESHE – A reconnaissance and control malware family first observed in 2009, capable of listing services, creating remote shells, executing commands, and harvesting user data. Its deployment across East Asia supports APT12’s long-term surveillance efforts. 
  • IHEATE – A U.S.-targeted variant of IXESHE with unique command-and-control encryption techniques. The sample “EMC112” suggests compilation on January 12, likely marking a specific campaign timeline. 
  • ETUMBOT – A backdoor used to maintain access to compromised systems and perform data extraction. 
  • RapidStealer – A spy trojan that collects and forwards sensitive data without user consent. Typically deployed through phishing campaigns, RapidStealer is stealthy, efficient, and highly damaging. 
  • AUMLIB, WaterSpout, and Threebyte – Backdoors used for remote access and persistence. Threebyte is known to exploit the CVE-2012-0158 vulnerability in Microsoft Word documents, while WaterSpout uses HTTP-based C2 channels to evade detection. 
  • HTran – A tunneling tool that enables encrypted traffic routing, helping the group conceal communications from network monitoring tools. 

Tactics, Techniques, and Procedures (TTPs)

Numbered Panda employs a variety of advanced tactics to carry out its operations. One of the group’s primary methods of gaining access to target systems involves sending deceptive emails that contain infected Microsoft Word or PDF attachments. These emails are crafted to trick recipients into opening them, allowing malicious software to be installed. 

Once inside a system, the group takes advantage of known weaknesses in commonly used programs like Microsoft Office and Adobe software. They often rely on social engineering techniques to convince users to open harmful files. 

To maintain communication with compromised systems, Numbered Panda hides its command-and-control traffic among everyday websites such as blogs and content platforms. It also uses a DNS-based technique (DNS Calculation) to derive the C2 port from the resolved IP address rather than publishing it, which makes the traffic harder for traditional security tools to recognize. 

Conclusion

Numbered Panda continues to be one of the most capable and persistent cyber-espionage groups today. It uses advanced tactics to infiltrate high-value networks and evade traditional defenses. Its methods highlight the growing challenge of state-sponsored threats facing both the public and private sectors. 

To mitigate threats like Numbered Panda, organizations must adopt proactive security strategies built on real-time threat intelligence, continuous monitoring, and rapid response. That’s where Cyble steps in! 

Cyble offers a unified platform that integrates threat detection, dark web monitoring, vulnerability management, and AI-driven analytics to help organizations effectively identify, assess, and neutralize risks. With tailored solutions across industries, Cyble empowers teams to transform cyber threats into actionable defense. 


Mitigations and Recommendations 

  • Enhance email security by using advanced filters to block phishing emails and malicious attachments. 
  • Apply regular software updates to patch known vulnerabilities in Microsoft Office, Adobe products, and other commonly exploited applications. 
  • Deploy endpoint detection and response (EDR) tools to monitor suspicious activity and detect malware early. 
  • Segment networks to limit the lateral movement of attackers and monitor DNS traffic for unusual patterns. 
  • Adopt a Zero Trust model that verifies all users and devices before granting access to critical systems. 
  • Conduct frequent security awareness training to help employees identify phishing and social engineering tactics. 
  • Maintain encrypted, offline backups of essential systems and data, and test recovery procedures regularly. 
  • Leverage threat intelligence platforms like Cyble for real-time insights into emerging threats and indicators of compromise. 
  • Monitor the dark web for leaked credentials and early warning signs of targeted attacks. 

MITRE ATT&CK Techniques Associated with Numbered Panda 

Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)

  • Initial Access (TA0001) – Spearphishing Attachment (T1566.001): The threat actor can send emails with malicious Microsoft Office documents and PDFs attached. 
  • Execution (TA0002) – Exploitation for Client Execution (T1203): The threat actor can exploit multiple vulnerabilities for execution, including Microsoft Office, Adobe Reader, and Flash vulnerabilities. 
  • Malicious File (T1204.002): The threat actor attempts to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing. 
  • Command and Control (TA0011) – Bidirectional Communication (T1102.002): The threat actor uses blogs and WordPress for C2 infrastructure. 
  • DNS Calculation (T1568.003): The threat actor can use multiple variants of DNS Calculation, such as multiplying the first two octets of an IP address and adding the third octet to determine the resulting command and control port. 
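As an added illustration (example code written for this profile, not Cyble's or the threat actor's tooling), the DNS Calculation variant described above turned into a detection check: the expected C2 port is derived from each resolved IP as (first octet * second octet) + third octet, and flows to a resolved IP on exactly that port are flagged. The DNS and flow log lines, hostnames and addresses are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

def dns_calc_port(ip: str) -> int:
    """Port implied by the DNS Calculation variant this profile describes:
    (first octet * second octet) + third octet. Raises on a malformed IPv4."""
    o = ipaddress.IPv4Address(ip).packed  # validates input, yields four octets
    return o[0] * o[1] + o[2]

# Constructed sample DNS answers (not from the page):
# "<timestamp> <client> <query name> <record type> <answer>"
DNS_LOG = """\
2025-01-12T10:00:01 10.0.0.5 update.example.invalid A 198.51.100.7
2025-01-12T10:00:02 10.0.0.5 cdn.example.invalid A 203.0.113.44
"""

# Constructed sample flow records (not from the page):
# "<timestamp> <client> <destination ip> <destination port>"
FLOW_LOG = """\
2025-01-12T10:00:05 10.0.0.5 198.51.100.7 10198
2025-01-12T10:00:06 10.0.0.5 198.51.100.7 443
2025-01-12T10:00:07 10.0.0.5 203.0.113.44 443
2025-01-12T10:00:08 10.0.0.5 203.0.113.44 8080
"""

def resolved_addresses(dns_log: str) -> Dict[str, str]:
    """Map every A-record answer back to the name that produced it."""
    answers: Dict[str, str] = {}
    for line in dns_log.splitlines():
        _ts, _client, qname, rtype, answer = line.split()
        if rtype == "A":
            answers[answer] = qname
    return answers

def find_calculated_c2(dns_log: str, flow_log: str) -> List[Tuple[str, str, str, str, int]]:
    """Flag flows whose destination port equals the port calculated from the
    destination IP, restricted to IPs the client actually obtained via DNS.
    Returns (timestamp, client, resolved name, destination ip, port) tuples."""
    answers = resolved_addresses(dns_log)
    hits: List[Tuple[str, str, str, str, int]] = []
    for line in flow_log.splitlines():
        ts, client, dst, port_s = line.split()
        port = int(port_s)
        if dst in answers and port == dns_calc_port(dst):
            hits.append((ts, client, answers[dst], dst, port))
    return hits

if __name__ == "__main__":
    for hit in find_calculated_c2(DNS_LOG, FLOW_LOG):
        print("possible DNS Calculation C2:", hit)
```

Addresses whose second octet is zero yield low computed ports (for example 203.0.113.44 maps to port 113), which collide with ordinary services, so a match on such a port should be corroborated with other indicators before alerting.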