{
	"id": "044c2b9e-9ae3-4904-b41b-3a3051ecf2ca",
	"created_at": "2026-04-06T00:17:37.293475Z",
	"updated_at": "2026-04-10T03:32:34.613397Z",
	"deleted_at": null,
	"sha1_hash": "aef25918bf6be274004a92a5e1b627e9337c5a14",
	"title": "NetTraveler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69012,
	"plain_text": "NetTraveler\r\nBy Contributors to Wikimedia projects\r\nPublished: 2017-07-04 · Archived: 2026-04-05 19:27:49 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nNetTraveler or TravNet is spyware that dates from 2004 and that has been actively used at least until 2016,\r\ninfecting hundreds of often high-profile servers in dozens of countries.[1]\r\nThe name of this malware is based on the fact that early versions of it contained the string \"NetTraveler is\r\nRunning!\". It is used by attackers for advanced persistent threats to survey their victims. It can transfer large\r\namounts of private information from systems of victims to C\u0026C servers, functioning as a trojan horse and\r\nbackdoor to these systems.[2][3]\r\nSpear-phishing with Office documents like MS Word documents is used to infect vulnerable systems, targeting the\r\nCVE-2012-0158 and CVE-2010-3333 vulnerabilities.[2] The attackers use news articles that are relevant to their\r\ntargets for their spear fishing.[1]\r\nKaspersky Lab found that certain victims that were infected with NetTraveler were also infected by Red October,\r\nalthough no direct relation with this malware was established. The multiple infections might be accounted for by\r\nthe fact that these were high-profile victims like government agencies, nuclear power installations and embassies\r\nin dozens of countries.[4]\r\nCommand and Control servers that were involved in NetTraveler attacks were located in the United States, Hong\r\nKong and China, which used more than 100 URLs. These C\u0026C servers mostly ran IIS 6/7.\r\nAccording to Kaspersky Lab, NetTraveler is used by a medium-sized threat actor group from China.\r\nThere are several ways to get rid of NetTraveler on an infected system, like with Virus Removal Tools and the\r\nSpyHunter Removal Tool. 
It is also possible to remove this malware manually.[3]\r\nSpecially targeted countries included Russia, India, Pakistan, Mongolia, Kyrgyzstan and Kazakhstan.[5]\r\n1. \"NetTraveler APT Targets Russian, European Interests\". Proofpoint. July 7, 2016. Archived from the original on April 23, 2017.\r\n2. \"The NetTraveler (a.k.a. 'Travnet')\" (PDF). Kaspersky Lab. Archived (PDF) from the original on November 16, 2017.\r\n3. \"How to Remove NetTraveler Completely From Your PC?\". pc-remover.com.\r\n4. Constantin, Lucian. \"Cyberespionage campaign 'NetTraveler' siphoned data from hundreds of high-profile targets\". CSO Online. Retrieved 2018-03-29.\r\n5. \"Kaspersky Lab Uncovers 'Operation NetTraveler,' a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes\". kaspersky.com. 26 May 2021.\r\nThe NetTraveler (aka ‘Travnet’) by Global Research and Analysis Team of Kaspersky Lab\r\nSource: https://en.wikipedia.org/wiki/NetTraveler",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/NetTraveler"
	],
	"report_names": [
		"NetTraveler"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aef25918bf6be274004a92a5e1b627e9337c5a14.pdf",
		"text": "https://archive.orkl.eu/aef25918bf6be274004a92a5e1b627e9337c5a14.txt",
		"img": "https://archive.orkl.eu/aef25918bf6be274004a92a5e1b627e9337c5a14.jpg"
	}
}