
AkdoorTea

AkdoorTea is a simple TCP RAT.

In August 2025, it was contained in a trojanized Nvidia CUDA toolkit package, probably delivered via the ClickFix technique. The package also contained an obfuscated BeaverTail payload, which suggests attribution to the Contagious Interview campaigns.

AkdoorTea obfuscates its network traffic with Base64 encoding combined with a single-byte XOR key.

The RAT supports five commands, one of which reports its internal version, "01.01".

Its name was inspired by the similarity to a TCP RAT, referred to as "Akdoor", that was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.


Family metadata imported from Malpedia (Fraunhofer FKIE).