Cyber Threat Actor: NetTraveller
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
0 incidents |
|---|
Profile
NetTraveller, also known by the aliases Travnet and RedTraveller, is a threat actor that has been observed operating from China since at least the early 2000s. The group is recognized in public reporting as a persistent cyber actor that conducts long‑term operations against a variety of targets, maintaining a consistent set of tools and techniques over many years. Its activity has been documented in multiple security research publications that reference the group by these names and associate it with Chinese‑based infrastructure.
The actor’s observed targeting focuses on government institutions, defense organizations, aerospace companies, telecommunications providers, and non‑governmental groups associated with Tibetan and Uyghur communities. These targets are primarily located in East Asia, South Asia, and Southeast Asia, with notable incidents involving ministries and agencies in India, Tibet‑related organizations, and various Southeast Asian governmental bodies. The group’s operations have repeatedly involved the exfiltration of sensitive documents, communications, and strategic data from these sectors, indicating a pattern of information collection rather than financial gain or disruptive sabotage.
In terms of tactics, NetTraveller frequently gains initial access through spear‑phishing emails that contain malicious Microsoft Office documents exploiting known zero‑day vulnerabilities such as CVE‑2012-0158 and CVE‑2012-0159. Once a foothold is established, the actor deploys a suite of malware families that includes the Gh0st RAT, the PlugX remote access tool, and a custom backdoor referred to as the NetTraveler malware. The group’s tooling style emphasizes modular payloads, legitimate‑looking file names, and the use of trusted software components to evade detection. Attribution assessments in open‑source reporting link NetTraveller to Chinese state‑sponsored espionage efforts, often associating the activity with the APT15 (also known as NICKEL or KE3CHANG) cluster. Representative campaigns include a prolonged intrusion targeting Tibetan exile institutions that resulted in the theft of internal correspondence and policy documents, a series of attacks on Indian defense ministries that compromised classified procurement data, and multiple incursions into Southeast Asian telecommunications firms where call records and network configuration files were exfiltrated. These operations illustrate the actor’s consistent focus on gathering strategic intelligence from high‑value governmental and industrial targets.
