In the decade that the NetTraveler toolkit has been active, its targets have remained the same — primarily diplomatic, government and military — but the frequency of attacks against Uyghur and Tibetan supporters has increased, according to a blog post from researchers at Kaspersky Labs.

NetTraveler uses two commonly exploited flaws in Microsoft Word to exfiltrate PDFs, Word documents and other data from infected computers. 

Kaspersky pointed to a recent targeted spearphishing email that had two attachments — a non-malicious JPG file and a Word file, the latter of which held an exploit for the CVE-2012-0158 vulnerability.

Because the configuration file in newer iterations is written to the SYSTEM folder rather than SYSTEM32 as in earlier versions, researchers noted that NetTraveler's developers obviously “have taken steps to try to hide the malware's configuration.” However, they noted that the encryption used is simple to break.