
S0033: NetTraveler

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. [1]

Domain: Enterprise | ID: S0033 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

NetTraveler matters because ATT&CK records it as Windows malware used in multiple cyber espionage campaigns for basic victim surveillance, with observed sample timestamps dating back to 2005 and most observed samples between 2010 and 2013. For leaders, the practical issue is not the age of the malware alone, but whether the organization can prove it would notice surveillance behaviors such as application-window discovery and keylogging on Windows endpoints.

Executive priority

Treat this as a validation case for endpoint visibility, credential protection, and incident response readiness. Executives should ask whether SOC teams can detect user-surveillance behavior, whether identity risk processes account for credentials potentially captured by keylogging, and whether incident playbooks include rapid containment and credential reset decisions when endpoint surveillance malware is suspected. Because ATT&CK provides no official detection guidance for this object, coverage should be demonstrated with local telemetry and testing rather than assumed.

Technical view

The supplied ATT&CK relationships tie NetTraveler to Application Window Discovery (T1010) and Keylogging (T1056.001), with the malware object platform listed as Windows. SOC and detection teams should validate visibility into Windows endpoint behavior consistent with enumerating open application windows and intercepting user keystrokes. IR teams should treat related alerts as potential credential-access and collection events, not just generic malware events, and should scope affected user accounts and interactive sessions accordingly. ATT&CK also records that TA459 uses this malware, but the supplied data does not justify assuming current activity or local targeting.

Likely telemetry

  • Windows endpoint detection and response telemetry
  • Process execution and parent-child process context on affected endpoints
  • Signals related to enumeration of open application windows (where API-level telemetry exists: EnumWindows, GetForegroundWindow and GetWindowText calls made by processes that have no user-interface reason to enumerate other applications' windows)
  • Signals related to keyboard input capture or keylogging behavior (for example, SetWindowsHookEx installing a WH_KEYBOARD or WH_KEYBOARD_LL hook, sustained GetAsyncKeyState polling, or RegisterRawInputDevices for keyboard devices)
  • Endpoint file and malware detection events tied to known NetTraveler detections where available

Detection direction

  • Validate that Windows endpoint controls can observe or alert on application-window discovery behavior rather than only known malware signatures.
  • Validate keylogging detection logic and response handling, including false-positive review for legitimate accessibility, input, or administrative tools.
  • Correlate endpoint surveillance behavior with user identity activity, because T1056.001 creates credential-access risk even when no credential dump is observed.
  • Use the TA459 relationship as threat-intelligence context only; do not convert it into attribution without case-specific evidence.
  • Document detection gaps clearly, since the ATT&CK object does not provide official detection text.
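The technical view and the detection direction above both come down to one correlation: a process that captures keystrokes (T1056.001) and, in the same time window, reads window titles to label them (T1010), which is exactly the procedure ATT&CK records for NetTraveler. The following Python is an added example of that correlation logic, not Glexia or MITRE code. It assumes API-level endpoint telemetry already normalized into events with `ts`, `process`, `pid`, `api` and `args` fields (real EDR, ETW or Sysmon schemas differ and must be mapped onto it), uses a hypothetical allowlist of accessibility tools for the false-positive handling the detection direction asks for, and runs over constructed sample events rather than captured NetTraveler telemetry.

```python
"""Correlate API-level endpoint telemetry into ATT&CK T1056.001 / T1010 findings.

Added example, not Glexia or MITRE code. The event schema (ts, process, pid,
api, args) is an assumption: real EDR, ETW or Sysmon fields differ and must be
mapped onto it first.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hook identifiers from WinUser.h (real Win32 constants).
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13

# Win32 primitives commonly used to capture keystrokes (T1056.001).
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}
POLL_APIS = {"GetAsyncKeyState", "GetKeyboardState"}
RAW_INPUT_APIS = {"RegisterRawInputDevices"}
# Win32 primitives used to learn which application has focus (T1010).
WINDOW_APIS = {"GetForegroundWindow", "GetWindowTextA", "GetWindowTextW", "EnumWindows"}

# A single GetAsyncKeyState call is normal (games, hotkey handlers); sustained
# polling is the keylogger pattern. Both thresholds are assumptions to tune locally.
POLL_THRESHOLD = 20
CORRELATION_WINDOW_S = 60

# Hypothetical allowlist (assumption): accessibility/input tools that legitimately
# hook the keyboard. Match on the full image path, never on the bare file name.
ALLOWLIST = {r"c:\windows\system32\osk.exe", r"c:\windows\system32\tabtip.exe"}


@dataclass
class Finding:
    process: str
    pid: int
    techniques: list
    evidence: list


def _keylog_events(events):
    """Return the events that constitute keystroke capture, or [] if none."""
    hooks = [e for e in events if e["api"] in HOOK_APIS
             and e.get("args", {}).get("idHook") in (WH_KEYBOARD, WH_KEYBOARD_LL)]
    raw = [e for e in events if e["api"] in RAW_INPUT_APIS]
    polls = [e for e in events if e["api"] in POLL_APIS]
    if len(polls) < POLL_THRESHOLD:
        polls = []  # occasional polling is not evidence on its own
    return hooks + raw + polls


def analyze(events):
    """Group events per process and emit one Finding per keystroke-capturing process."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["process"], ev["pid"])].append(ev)
    findings = []
    for (proc, pid), evs in sorted(by_proc.items()):
        if proc.lower() in ALLOWLIST:
            continue  # log for false-positive review in a real pipeline, do not alert
        keylog = sorted(_keylog_events(evs), key=lambda e: e["ts"])
        if not keylog:
            continue
        start, end = keylog[0]["ts"], keylog[-1]["ts"]
        # Window-title reads close to the keystroke capture give the captured keys
        # application context, the NetTraveler procedure text for T1010.
        window_ctx = [e for e in evs if e["api"] in WINDOW_APIS
                      and start - CORRELATION_WINDOW_S <= e["ts"] <= end + CORRELATION_WINDOW_S]
        techniques = ["T1056.001"] + (["T1010"] if window_ctx else [])
        evidence = sorted({e["api"] for e in keylog + window_ctx})
        findings.append(Finding(proc, pid, techniques, evidence))
    return findings


def sample_events():
    """Constructed sample telemetry (not real NetTraveler events)."""
    upd = r"C:\Users\alice\AppData\Roaming\updater.exe"
    evs = [
        # 1. Binary in a user profile: low-level keyboard hook plus foreground-window lookups.
        {"ts": 100, "process": upd, "pid": 4120, "api": "SetWindowsHookExW", "args": {"idHook": WH_KEYBOARD_LL}},
        {"ts": 104, "process": upd, "pid": 4120, "api": "GetForegroundWindow", "args": {}},
        {"ts": 104, "process": upd, "pid": 4120, "api": "GetWindowTextW", "args": {}},
        # 2. On-Screen Keyboard installs the same hook: allowlisted, no finding.
        {"ts": 110, "process": r"C:\Windows\System32\osk.exe", "pid": 2200,
         "api": "SetWindowsHookExW", "args": {"idHook": WH_KEYBOARD_LL}},
        # 4. Editor reading window titles only: no keystroke capture, no finding.
        {"ts": 300, "process": r"C:\Windows\System32\notepad.exe", "pid": 6000, "api": "GetWindowTextW", "args": {}},
        # 5. Mouse hook (WH_MOUSE_LL = 14) is not a keyboard hook: no finding.
        {"ts": 400, "process": r"C:\Program Files\Tool\tool.exe", "pid": 7000,
         "api": "SetWindowsHookExW", "args": {"idHook": 14}},
    ]
    # 3. Polling keylogger with no window context: T1056.001 only.
    evs += [{"ts": 200 + i, "process": r"C:\Temp\poll.exe", "pid": 5100,
             "api": "GetAsyncKeyState", "args": {"vKey": 0x41}} for i in range(25)]
    return evs


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f"{f.process} (pid {f.pid}): {', '.join(f.techniques)} via {', '.join(f.evidence)}")
```

The allowlist is deliberately keyed on full image path because a keylogger dropped as `osk.exe` in a writable directory must not inherit the exemption; in a real pipeline the allowlisted hits should still be recorded so the false-positive review the detection direction calls for has data to work from.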

Mitigation priorities

  • Prioritize endpoint protection and monitoring coverage on Windows systems that handle sensitive data or privileged access.
  • Harden credential exposure pathways by limiting privileged interactive use and preparing rapid password/session reset procedures for suspected keylogging cases.
  • Ensure incident response playbooks treat keylogging as a credential-compromise scenario requiring identity follow-up, not only host cleanup.
  • Use malware intelligence and endpoint detections as supporting controls, but validate behavioral coverage for T1010 and T1056.001 because signatures alone may not prove resilience.
  • Maintain evidence of endpoint telemetry and response procedures for audit or compliance discussions where surveillance and credential-access risk are in scope.

Analyst notes and limits

This take is based on the official ATT&CK S0033 NetTraveler malware object, its Kaspersky external reference, and supplied relationships to TA459, Application Window Discovery, and Keylogging. The most decision-useful angle is coverage validation for Windows surveillance and credential-access behaviors.

ATT&CK lists no tactics directly on the malware object and provides no official detection text. The supplied fields do not include indicators, command-and-control details, persistence methods, exploit details, affected sectors, or current exploitation status. Local telemetry, malware analysis, and incident evidence are required before making detection, attribution, or exposure claims.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1010 | Application Window Discovery | NetTraveler reports window names along with keylogger information to provide application context. [1]
Enterprise | T1056.001 | Keylogging (sub-technique) | NetTraveler contains a keylogger. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0062: TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 1cddde4c90f3ad08...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 1cddde4c90f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka 'Travnet'). Retrieved November 17, 2024.
  2. MITRE ATT&CK. S0033: NetTraveler.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.