SecondHandTea
SecondHandTea is a full-featured Remote Access Trojan (RAT), closely related to BackbitingTea, the flagship backdoor used in the DangerousPassword campaigns (also known as SnatchCrypto).
SecondHandTea is a Windows malware family operated by Lazarus Group.
Background
SecondHandTea and BackbitingTea appear to draw on a shared codebase and to be produced in the same build environment; BackbitingTea is the principal backdoor behind the DangerousPassword (SnatchCrypto) campaigns.
Although they overlap on most core functions and supported commands, SecondHandTea diverges from the BackbitingTea variants on several technical points (SecondHandTea listed first, BackbitingTea second):
- Configuration file paths
- Network libraries: OpenSSL 1.1.0f vs. wolfSSL or Winsock TCP/IP
- Encryption algorithms: AES-256 vs. RC4
- Compression methods: LZ4 vs. ZIP
These distinctions point to ongoing development and tailoring for particular operational requirements rather than a one-off fork. The family name is derived from its internal filename, SecondT_x64.exe. From H2 2022 through Q1 2023, SecondHandTea was observed in targeted operations against crypto-trading and blockchain organizations, consistent with a sustained financially motivated campaign.
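The build differences above are the kind of thing a triage analyst checks first when deciding which side of the SecondHandTea/BackbitingTea split a new sample falls on. The following is an added example, written for this page and not tooling from Malpedia or any vendor: it scans a raw binary blob for byte-level markers that follow from those differences (the OpenSSL version text that OpenSSL embeds in its libraries, a wolfSSL string, the first row of the AES S-box, the LZ4 frame magic and the ZIP local-file-header signature) and tallies which family they point toward. The marker-to-family mapping is taken from the list above; everything else (the sample blobs, the voting rule, the function names) is constructed for illustration. RC4 has no constant table to look for, and plain Winsock TCP is not distinguishable by a byte pattern, so those two traits are not scanned; the absence of the AES S-box is reported only as weak evidence.

```python
"""Static triage heuristics for the SecondHandTea / BackbitingTea build split.

Added example, not Malpedia's or any vendor's code.  Marker-to-family mapping
follows the differences listed on the page; samples below are constructed.
"""
from __future__ import annotations

# First 16 bytes of the AES forward S-box (FIPS 197).  A statically linked
# AES implementation normally carries the full 256-byte table verbatim.
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
# LZ4 frame-format magic 0x184D2204, stored little-endian (04 22 4D 18).
# Block-format LZ4 has no magic, so a miss here is not conclusive.
LZ4_FRAME_MAGIC = (0x184D2204).to_bytes(4, "little")
# ZIP local file header signature.
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# marker name -> (byte pattern, family the marker points toward)
MARKERS = {
    "openssl_1_1_0": (b"OpenSSL 1.1.0", "SecondHandTea"),  # OPENSSL_VERSION_TEXT prefix
    "wolfssl":       (b"wolfSSL",       "BackbitingTea"),  # string heuristic only
    "aes_sbox":      (AES_SBOX_PREFIX,  "SecondHandTea"),
    "lz4_frame":     (LZ4_FRAME_MAGIC,  "SecondHandTea"),
    "zip_header":    (ZIP_LOCAL_HEADER, "BackbitingTea"),
}


def find_markers(blob: bytes) -> dict[str, int]:
    """Return {marker_name: first offset} for every marker present in blob."""
    found: dict[str, int] = {}
    for name, (pattern, _family) in MARKERS.items():
        off = blob.find(pattern)
        if off != -1:
            found[name] = off
    return found


def classify(blob: bytes) -> dict:
    """Tally markers per family and return a verdict plus the evidence.

    The verdict is a triage hint, not attribution: a packed or stripped build
    can hide every marker, and a PK header may come from an embedded resource.
    """
    hits = find_markers(blob)
    votes = {"SecondHandTea": 0, "BackbitingTea": 0}
    for name in hits:
        votes[MARKERS[name][1]] += 1

    notes = []
    if "aes_sbox" not in hits:
        # RC4 has no constant table; absence of AES is the only (weak) hint.
        notes.append("no AES S-box found; RC4 possible but unproven")
    if "lz4_frame" not in hits and "zip_header" not in hits:
        notes.append("no compression marker; LZ4 block format leaves none")

    if votes["SecondHandTea"] > votes["BackbitingTea"]:
        verdict = "SecondHandTea-like"
    elif votes["BackbitingTea"] > votes["SecondHandTea"]:
        verdict = "BackbitingTea-like"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "votes": votes, "hits": hits, "notes": notes}


# Constructed sample blobs (not real malware): an MZ stub followed by the
# markers each build would be expected to carry.
SAMPLE_SECONDHANDTEA_LIKE = (
    b"MZ" + b"\x00" * 30
    + b"OpenSSL 1.1.0f  25 May 2017\x00"
    + AES_SBOX_PREFIX + b"\x00" * 8
    + LZ4_FRAME_MAGIC + b"\x00" * 8
)
SAMPLE_BACKBITINGTEA_LIKE = (
    b"MZ" + b"\x00" * 30
    + b"wolfSSL\x00"
    + ZIP_LOCAL_HEADER + b"\x00" * 8
)
SAMPLE_STRIPPED = b"MZ" + b"\x00" * 62


if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_SECONDHANDTEA_LIKE),
                        ("B", SAMPLE_BACKBITINGTEA_LIKE),
                        ("C", SAMPLE_STRIPPED)):
        print(label, classify(blob))
```

To use it on a real file, call `classify(open(path, "rb").read())`; treat the verdict as a pointer for where to look next in the binary (SSL library, cipher, compressor) rather than as a family label, since a packer or an unrelated embedded archive can flip individual markers either way.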
Source: Malpedia (Fraunhofer FKIE).