{
	"id": "0286b46b-26c4-4599-b6f0-1bfaeeab3b33",
	"created_at": "2026-04-06T00:19:58.181691Z",
	"updated_at": "2026-04-10T13:12:51.687003Z",
	"deleted_at": null,
	"sha1_hash": "859aa0160d51f6ffa825a3c2cd22a6fcffde6d25",
	"title": "NetTraveler Gets a Makeover for 10th Anniversary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65413,
	"plain_text": "NetTraveler Gets a Makeover for 10th Anniversary\r\nBy Kaspersky\r\nPublished: 2014-08-27 · Archived: 2026-04-05 18:36:14 UTC\r\nKaspersky Lab has observed a rise in attacks with an updated version of the “red star” APT backdoor.\r\nIn 2014 the actors behind the global cyberespionage campaign “Operation NetTraveler” celebrate ten years of activity.\r\nAlthough the earliest samples appeared to have been compiled in 2005, certain indicators point to 2004 as the year\r\nwhen the malicious activity started. For 10 years, NetTraveler has targeted more than 350 high-profile victims in\r\n40 countries. This year Kaspersky Lab observed an uptick in the number of attacks against Uyghur and Tibetan\r\nsupporters using an updated version of the NetTraveler backdoor with a new encryption scheme. During the\r\ninvestigation, Kaspersky Lab discovered seven C\u0026C servers located in Hong Kong and one in the USA.\r\nRecent NetTraveler victims by industry\r\nMost recently, the main focus of interest for cyber-espionage activities revolved around diplomatic (32%),\r\ngovernment (19%), private (11%), military (9%), industrial and infrastructure (7%), airspace (6%), research (4%),\r\nactivism (3%), financial (3%), IT (3%), health (2%) and press (1%).\r\nInfection method: a “newer” backdoor\r\nAs is traditional for this malicious group, the attacks started with spear-phishing e-mails targeting activists. The e-mail\r\nhad two attachments: a non-malicious JPG file and a Microsoft Word .DOC file that appeared to be a container with an\r\nexploit for the CVE-2012-0158 vulnerability in Microsoft Office. Kaspersky Lab determined that this malicious\r\nweb archive file was created on a system using Microsoft Office - Simplified Chinese.\r\nIf run on a vulnerable version of Microsoft Office, the exploit drops the main module, Trojan-Spy. The malware\r\nconfiguration file has a slightly new format compared to “older” NetTraveler samples. Obviously, the developers\r\nbehind NetTraveler have taken steps to try to hide the malware’s configuration.\r\nAfter the successful injection, NetTraveler exfiltrates common file types such as DOC, XLS, PPT, RTF and PDF.\r\nThe discovered C\u0026C servers\r\nKaspersky Lab identified several command-and-control (C\u0026C) servers. Seven out of eight malicious C\u0026C servers\r\nwere registered by Shanghai Meicheng Technology, and the IPs are located in Hong Kong (Trillion Company,\r\nHongkong Dingfengxinhui Bgp Datacenter, Sun Network Limited and Hung Tai International Holdings), while\r\nthe remaining one was registered by Todaynic.com Inc with an IP located in the USA (Integen Inc). Kaspersky Lab’s experts\r\nrecommend blocking all malicious hosts in the firewall.\r\n“While investigating the NetTraveler attacks, we calculated the amount of stolen data stored on NetTraveler’s\r\nC\u0026C servers to be more than 22 gigabytes. This is an ongoing cyber-espionage campaign and, according to the\r\nlast attacks against the activists, it will probably stay this way perhaps for another ten years. The most\r\nsophisticated threats appeared on the surgical table of IT security companies not that long ago, but the NetTraveler\r\nexample shows that a disease could persist off the radar for a long time,” says Kurt Baumgartner, Principal\r\nSecurity Researcher at Kaspersky Lab.\r\nRecommendations on how to stay safe from updated NetTraveler malware\r\nBlock the mentioned hosts in your firewall.\r\nUpdate Microsoft Windows and Microsoft Office to the latest versions.\r\nBe wary of clicking on links and opening attachments from unknown persons.\r\nUse a secure browser such as Google Chrome, which has a faster development and patching cycle than\r\nMicrosoft's Internet Explorer.\r\nKaspersky Lab’s products detect and neutralize the malicious programs and their variants used by the NetTraveler\r\nToolkit, including Trojan-Dropper.Win32.Agent.lifr, Trojan-Spy.Win32.TravNet, Trojan-Spy.Win32.TravNet.qfr,\r\nTrojan.BAT.Tiny.b and Downloader.Win32.NetTraveler.\r\nKaspersky Lab’s products detect the Microsoft Office exploits used in the spear-phishing attacks, including\r\nExploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158 and Exploit.MSWord.CVE-2012-0158.db.\r\nTo learn more about the NetTraveler operation, please read the blog post available at Securelist.com.\r\nAdditional reading\r\nNetTraveler APT Gets A Makeover For 10th Birthday\r\n\"NetTraveler is Running!\" - Red Star APT Attacks Compromise High-Profile Victims\r\nNetTraveler Is Back: The 'Red Star' APT Returns With New Tricks\r\nSource: https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary"
	],
	"report_names": [
		"2014_nettraveler-gets-a-makeover-for-10th-anniversary"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/859aa0160d51f6ffa825a3c2cd22a6fcffde6d25.pdf",
		"text": "https://archive.orkl.eu/859aa0160d51f6ffa825a3c2cd22a6fcffde6d25.txt",
		"img": "https://archive.orkl.eu/859aa0160d51f6ffa825a3c2cd22a6fcffde6d25.jpg"
	}
}