Nettraveller APT

Type: Nation-State-Sponsored

Status: Active as of July 2016

Other Names: Travnet/ NetFile/ APT 21

Active Since/Discovered: 2004


  • Mongolia, India, Russia, US, and 36 others
  • Total of 350-500 infections detected

Target Sectors:

  • Energy, space exploration, Academia, nanotechnology, nuclear power, lasers, medicine, and communications
  • Government organizations (19%), private companies (11%), diplomatic organizations and embassies (32%), and military organizations (9%)


  • NetTraveler
  • designed for basic surveillance. It logs keystrokes, can steal sensitive documents, and it retrieves files system listing
  • Saker
  • Netbot
  • DarkStRat
  • LURK0 Gh0st
  • PlugX

Preferred Attack Vector:  Spear-phishing Social engineering, watering-hole attacks, 0-day exploits

TTP: CVE-2012-0158