{
	"id": "e196095a-dd3d-4d9a-b150-26850cbcbdff",
	"created_at": "2026-04-06T00:08:39.156904Z",
	"updated_at": "2026-04-10T03:32:34.59406Z",
	"deleted_at": null,
	"sha1_hash": "954abe72265caf8354e5c09eeeb45c01485a0e44",
	"title": "Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154041,
	"plain_text": "Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global\r\nCyberespionage Campaign Targeting Government-Affiliated\r\nOrganizations and Research Institutes\r\nBy Kaspersky\r\nPublished: 2013-06-04 · Archived: 2026-04-05 12:35:55 UTC\r\nMalicious NetTraveler Toolkit Infects 350 High-Profile Victims for Data Theft and Surveillance\r\nToday Kaspersky Lab’s team of experts published a new research report about NetTraveler, which is a family of\r\nmalicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40\r\ncountries. The NetTraveler group has infected victims across multiple establishments in both the public and\r\nprivate sector including government institutions, embassies, the oil and gas industry, research centers, military\r\ncontractors and activists.\r\nAccording to Kaspersky Lab’s report, this threat actor has been active since as early as 2004; however, the highest\r\nvolume of activity occurred from 2010 – 2013. Most recently, the NetTraveler group’s main domains of interest\r\nfor cyberespionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers,\r\nmedicine and communications.\r\nInfection Methods:\r\nAttackers infected victims by sending clever spear-phishing emails with malicious Microsoft Office\r\nattachments that are rigged with two highly exploited vulnerabilities (CVE-2012-0158 and\r\nCVE-2010-3333). Even though Microsoft already issued patches for these vulnerabilities, they’re still widely used for\r\nexploitation in targeted attacks and have proven to be effective.\r\nThe titles of the malicious attachments in the spear-phishing emails depict the NetTraveler group’s dogged\r\neffort of customizing their attacks in order to infect high-profile targets. 
Notable titles of malicious\r\ndocuments include:\r\nArmy Cyber Security Policy 2013.doc\r\nReport - Asia Defense Spending Boom.doc\r\nActivity Details.doc\r\nHis Holiness the Dalai Lama’s visit to Switzerland day 4\r\nFreedom of Speech.doc\r\nData Theft \u0026 Exfiltration:\r\nDuring Kaspersky Lab’s analysis, its team of experts obtained infection logs from several of NetTraveler’s\r\ncommand and control servers (C\u0026C). C\u0026C servers are used to install additional malware on infected\r\nmachines and exfiltrate stolen data. Kaspersky Lab’s experts calculated the amount of stolen data stored on\r\nNetTraveler’s C\u0026C servers to be more than 22 gigabytes.\r\nExfiltrated data from infected machines typically included file system listings, keylogs, and various types\r\nof files including PDFs, Excel sheets, Word documents and files. In addition, the NetTraveler toolkit was\r\nable to install additional info-stealing malware as a backdoor, and it could be customized to steal other\r\ntypes of sensitive information such as configuration details for an application or computer-aided design\r\nfiles.\r\nGlobal Infection Statistics:\r\nBased on Kaspersky Lab’s analysis of NetTraveler’s C\u0026C data, there were a total of 350 victims in 40\r\ncountries, including the United States, Canada, United Kingdom, Russia, Chile, Morocco, Greece,\r\nBelgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran,\r\nTurkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan, and Jordan.\r\nIn conjunction with the C\u0026C data analysis, Kaspersky Lab’s experts used the Kaspersky Security Network\r\n(KSN) to identify additional infection statistics. 
The top ten countries with victims detected by KSN were\r\nMongolia followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and\r\nGermany.\r\nAdditional Findings\r\nDuring Kaspersky Lab’s analysis of NetTraveler, the company’s experts identified six victims that had\r\nbeen infected by both NetTraveler and Red October, which was another cyberespionage operation analyzed\r\nby Kaspersky Lab in January 2013. Although no direct links between the NetTraveler attackers and the Red\r\nOctober threat actors were observed, the fact that specific victims were infected by both of these campaigns\r\nindicates that these high-profile victims are being targeted by multiple threat actors because their\r\ninformation is a valuable commodity to the attackers.\r\nTo read Kaspersky Lab’s full research analysis, including indicators of compromise, remediation techniques and\r\ndetails of NetTraveler and its malicious components, please visit Securelist.\r\nKaspersky Lab’s products detect and neutralize the malicious programs and their variants used by the NetTraveler\r\nToolkit, including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler. 
Kaspersky Lab’s products\r\ndetect the Microsoft Office exploits used in the spear-phishing attacks, including\r\nExploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158.\r\nSource: https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes"
	],
	"report_names": [
		"2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/954abe72265caf8354e5c09eeeb45c01485a0e44.pdf",
		"text": "https://archive.orkl.eu/954abe72265caf8354e5c09eeeb45c01485a0e44.txt",
		"img": "https://archive.orkl.eu/954abe72265caf8354e5c09eeeb45c01485a0e44.jpg"
	}
}