Type: Nation-State-Sponsored

APT9 Status: Believed Inactive

APT9 Other Names: Numbered Panda/ IXESHE/ DYNCALC/ JOY RAT/ Etumbot/ Beebus/ Group 22/ TG-2754/ Calc Team/ DynCalc/ Crimson Iron/ DNSCalc

Active Since/Discovered: 10/2012 – 5/2014

Target Sectors: media outlets, high-tech companies, and government organizations


  • Etumbot
  • Riptide
    • RIPTIDE is a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server
  • Hightide
  • ThreeByte, backdoor
  • Waterspout, backdoor
    • all variants of same backdoor, differ to avoid detection
    • enable persist presence and surveillance
  • Mswab
  • Gh0st
  • ShowNews
  • 3001

Preferred Attack Vector:  Spear-phishing


  • binary exes disguised as screensavers and PDFs
  • exploit CVE-2012-0158

Unique: Changes tools after public exposure