Clankerusecase
Threat-actor profile

🇨🇳 APT12

🇨🇳 APT12 is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 5 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- 14 use cases
- 0 articles
- 5 techniques
- 0 IOCs

About this actor (MITRE)

[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. (Citation: Meyers Numbered Panda)

Known aliases

APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC

Top techniques

All other tracked techniques

Detection use cases (14)

- APT12 / IXESHE Office-exploit spearphish chain (Equation Editor / Word → script-host child) [AI · profile S]
- APT12 DNSCALC / Etumbot dead-drop resolver beacon (web-service C2 from non-browser process) [AI · profile S]
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
- Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains [MITRE match]
- Developer package install spawning script-host with non-registry C2 within 5 minutes [MITRE match]
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [MITRE match]
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes [MITRE match]
- Package manager lifecycle hook spawns network-fetching shell or runtime [MITRE match]
- Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start [MITRE match]
- Service-process parent spawns subprocess containing CLI-argument-injection tokens [MITRE match]
- Abnormal Security: malicious email opened [MITRE match]
- Email attachment opened from external sender [MITRE match]
- Cisco Secure Firewall - Binary File Type Download [MITRE match]
- Cisco Secure Firewall - Blocked Connection [MITRE match]