{
	"id": "85505dc6-1584-487f-9a7e-c408d2c3de5c",
	"created_at": "2026-04-06T00:06:16.887289Z",
	"updated_at": "2026-04-10T03:32:34.579853Z",
	"deleted_at": null,
	"sha1_hash": "fd2cb0faee209d33862c110200501ef8879a5cde",
	"title": "NetTraveler, APT 21, Hammer Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67158,
	"plain_text": "NetTraveler, APT 21, Hammer Panda\r\nArchived: 2026-04-05 17:56:48 UTC\r\nAPT group: NetTraveler, APT 21, Hammer Panda\r\nNames\r\nNetTraveler (Kaspersky)\r\nAPT 21 (Mandiant)\r\nHammer Panda (CrowdStrike)\r\nTEMP.Zhenbao (FireEye)\r\nCountry: China\r\nMotivation: Information theft and espionage\r\nFirst seen: 2004\r\nDescription\r\n(Kaspersky) Over the last few years, we have been monitoring a cyber-espionage\r\ncampaign that has successfully compromised more than 350 high profile victims in\r\n40 countries. The main tool used by the threat actors during these attacks is\r\nNetTraveler, a malicious program used for covert computer surveillance.\r\nThe name NetTraveler comes from an internal string which is present in early\r\nversions of the malware: NetTraveler Is Running! This malware is used by APT\r\nactors for basic surveillance of their victims. Earliest known samples have a\r\ntimestamp of 2005, although references exist indicating activity as early as 2004.\r\nThe largest number of samples we observed were created between 2010 and 2013.\r\nThe later group RedAlpha has infrastructure overlap with NetTraveler.\r\nObserved\r\nSectors: Defense, Embassies, Government, Oil and gas, Scientific research\r\ncenters and institutes, and Tibetan/Uyghur activists.\r\nCountries: Afghanistan, Australia, Austria, Bangladesh, Belarus, Belgium,\r\nCambodia, Canada, Chile, China, Germany, Greece, Hong Kong, India, Indonesia,\r\nIran, Japan, Jordan, Kazakhstan, Kyrgyzstan, Lithuania, Malaysia, Mongolia,\r\nMorocco, Nepal, Pakistan, Qatar, Russia, Slovenia, South Korea, Spain, Suriname,\r\nSyria, Tajikistan, Thailand, Turkey, Turkmenistan, UK, Ukraine, USA, Uzbekistan.\r\nTools used: NetTraveler, PlugX.\n\nOperations performed\nAug 2014\nNetTraveler Gets a Makeover for 10th Anniversary\nMost recently, the main focus of interest for cyber-espionage activities\nrevolved around diplomatic (32%), government (19%), private (11%),\nmilitary (9%), industrial and infrastructure (7%), airspace (6%),\nresearch (4%), activism (3%), financial (3%), IT (3%), health (2%)\nand press (1%).\nDec 2015\nSpear-Phishing Email Targets Diplomat of Uzbekistan\nUnit 42 recently identified a targeted attack against an individual\nworking for the Foreign Ministry of Uzbekistan in China. A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan\nwho is likely based in Beijing, China.\nInformation\nLast change to this card: 19 April 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8650e8c5-55a5-4441-8903-0f2bf5753ef1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8650e8c5-55a5-4441-8903-0f2bf5753ef1"
	],
	"report_names": [
		"showcard.cgi?u=8650e8c5-55a5-4441-8903-0f2bf5753ef1"
	],
	"threat_actors": [
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83",
			"created_at": "2023-01-06T13:46:38.775762Z",
			"updated_at": "2026-04-10T02:00:03.096032Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "MISPGALAXY:RedAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa",
			"created_at": "2022-10-25T16:07:24.107066Z",
			"updated_at": "2026-04-10T02:00:04.868213Z",
			"deleted_at": null,
			"main_name": "RedAlpha",
			"aliases": [
				"DeepCliff",
				"Red Dev 3"
			],
			"source_name": "ETDA:RedAlpha",
			"tools": [
				"AngryRebel",
				"Bladabindi",
				"FF-RAT",
				"Farfli",
				"FormerFirstRAT",
				"Gh0st RAT",
				"Ghost RAT",
				"Jorik",
				"Moudour",
				"Mydoor",
				"NetHelp Infostealer",
				"NetHelp Striker",
				"PCRat",
				"RedAlpha",
				"ffrat",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775791954,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd2cb0faee209d33862c110200501ef8879a5cde.pdf",
		"text": "https://archive.orkl.eu/fd2cb0faee209d33862c110200501ef8879a5cde.txt",
		"img": "https://archive.orkl.eu/fd2cb0faee209d33862c110200501ef8879a5cde.jpg"
	}
}