win.postnaptea

PostNapTea

aka: SIGNBT

Actor(s): Lazarus Group


PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project.

In 2022-2023, it was deployed against targets such as a newspaper organization, an agriculture-related entity and a software vendor. Initial access was usually achieved by exploiting vulnerabilities in software widely used in South Korea.

It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration.

PostNapTea uses AES for encryption and decryption of network traffic. A constant prefix, SIGNBT, occurs in its HTTP POST requests; the prefix is concatenated with 2 characters that identify the communication stage:
• LG: logging into the C&C server
• KE: acknowledging the successful login to the C&C
• FI: sending the status of a failed operation
• SR: sending the status of a successful operation
• GC: getting the next command
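As an added example (not part of the Malpedia entry or of the malware's own code), a small Python triage helper that classifies the stage marker described above in captured POST bodies and groups the stages each host reached. It assumes the marker can appear anywhere in the raw request data, and it runs over constructed sample traffic.

```python
import re

# Stage markers the description lists; each follows the constant "SIGNBT" prefix.
SIGNBT_STAGES = {
    "LG": "login to C&C",
    "KE": "login acknowledged",
    "FI": "failed operation status",
    "SR": "successful operation status",
    "GC": "fetch next command",
}

# Assumption: the marker can sit anywhere in the raw request data, so search rather than anchor.
_MARKER = re.compile(rb"SIGNBT([A-Z]{2})")

def classify_signbt(request_data: bytes):
    """Return {'stage', 'meaning'} for the first SIGNBT marker, or None if there is none.
    Suffixes outside the documented five are labelled 'unknown' rather than dropped."""
    m = _MARKER.search(request_data)
    if m is None:
        return None
    stage = m.group(1).decode("ascii")
    return {"stage": stage, "meaning": SIGNBT_STAGES.get(stage, "unknown")}

def stages_per_host(entries):
    """Group (host, request_data) pairs into the stage sequence each host emitted, in order."""
    seen = {}
    for host, data in entries:
        hit = classify_signbt(data)
        if hit is not None:
            seen.setdefault(host, []).append(hit["stage"])
    return seen

def hosts_reaching_command_loop(entries):
    """Hosts whose sequence contains GC: login completed and the implant is polling for tasks."""
    return [h for h, stages in stages_per_host(entries).items() if "GC" in stages]

# Constructed sample POST bodies (not real captures); bytes after the marker stand in for the
# AES-encrypted payload, which this check never needs to decrypt.
SAMPLE_ENTRIES = [
    ("10.0.0.5", b"SIGNBTLG\x8a\x1f\x00\x42"),
    ("10.0.0.5", b"SIGNBTKE\x7e\x33"),
    ("10.0.0.5", b"SIGNBTGC\x01"),
    ("10.0.0.9", b"SIGNBTLG\x11"),
    ("10.0.0.9", b"SIGNBTFI\x00"),
    ("10.0.0.7", b"user=alice&action=view"),  # benign POST, no marker
    ("10.0.0.5", b"SIGNBTZZ\x55"),            # undocumented stage, surfaced as 'unknown'
]

if __name__ == "__main__":
    print(stages_per_host(SAMPLE_ENTRIES), hosts_reaching_command_loop(SAMPLE_ENTRIES))
```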

There are five classes that represent command groups:
• CCButton: for file manipulation and screen capturing
• CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall.
• CCComboBox: for file system management
• CCList: for process management
• CCBrush: for control of the malware itself

It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function.
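An added Python example, not from the page or from the sample, showing how an analyst labels hashed API imports of the kind described above: it implements both 32-bit FNV forms (the page names FNV but not the variant or width, so that choice is an assumption) and resolves constructed hash values against an illustrative export-name list.

```python
# 32-bit FNV constants. Assumption: the page names FNV but not the variant or width,
# so both 32-bit forms are tried; a 64-bit sample would need the 64-bit constants instead.
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193

def fnv1_32(data: bytes) -> int:
    """Classic FNV-1: multiply first, then XOR the byte in."""
    h = FNV32_OFFSET
    for b in data:
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
        h ^= b
    return h

def fnv1a_32(data: bytes) -> int:
    """FNV-1a: XOR the byte in first, then multiply."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h

# Illustrative export names only (not taken from the sample); a real table is built from
# the export directories of every DLL the implant loads.
API_NAMES = [
    "GetComputerNameW", "GetSystemInfo", "GetTickCount64", "GetTimeZoneInformation",
    "VirtualAlloc", "CreateFileW", "WinHttpOpen", "WinHttpSendRequest",
]

def build_api_hash_table(names, hash_fn=fnv1a_32):
    """Map hash -> export name so values pulled from a resolver stub can be labelled."""
    return {hash_fn(n.encode("ascii")): n for n in names}

def resolve_hashes(hashes, names=API_NAMES):
    """Label each 32-bit value with the API it hashes to under FNV-1a or FNV-1,
    or '<unresolved>' when neither variant produces it from the known names."""
    tables = [("fnv1a", build_api_hash_table(names, fnv1a_32)),
              ("fnv1", build_api_hash_table(names, fnv1_32))]
    out = {}
    for h in hashes:
        out[h] = next((f"{t[h]} ({v})" for v, t in tables if h in t), "<unresolved>")
    return out

if __name__ == "__main__":
    # Constructed input standing in for hashes read out of a sample's resolver table.
    sample = [fnv1a_32(b"VirtualAlloc"), fnv1_32(b"GetComputerNameW"), 0xDEADBEEF]
    for h, label in resolve_hashes(sample).items():
        print(f"{h:08x} {label}")
```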

Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.

References
2025-07-28, Wiz.io, Merav Bar
TraderTraitor: Deep Dive
Related families: GolangGhost Manuscrypt RN Stealer DRATzarus GolangGhost PostNapTea Volgmer wAgentTea

2025-04-24, Kaspersky, Sojun Ryu, Vasily Berdnikov
Operation SyncHole: Lazarus APT goes back to the well
Related families: Bankshot DRATzarus PostNapTea wAgentTea

2023-10-27, Kaspersky, Seongsu Park
A cascade of compromise: unveiling Lazarus’ new campaign
Related families: LPEClient PostNapTea

2023-10-04, Virus Bulletin, Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
Related families: SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
Yara Rules
[TLP:WHITE] win_postnaptea_auto (20260504 | Detects win.postnaptea.)
rule win_postnaptea_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.postnaptea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? eb05 e8???????? 488d5550 488d4df0 e8???????? c1e81f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb05                 | nop                 
            //   e8????????           |                     
            //   488d5550             | dec                 eax
            //   488d4df0             | mov                 eax, dword ptr [ebx]
            //   e8????????           |                     
            //   c1e81f               | dec                 eax

        $sequence_1 = { c745c40cf511f5 c745c815f546f5 c745cc0af50df5 c745d004f508f5 c745d40ef51ef5 c745d81ef506f5 c745dc06f500f5 }
            // n = 7, score = 100
            //   c745c40cf511f5       | dec                 eax
            //   c745c815f546f5       | lea                 ecx, [ebp + 0x98]
            //   c745cc0af50df5       | mov                 dword ptr [ebp - 8], 0xf53ef57c
            //   c745d004f508f5       | mov                 dword ptr [ebp - 4], 0xf556f556
            //   c745d40ef51ef5       | dec                 eax
            //   c745d81ef506f5       | mov                 dword ptr [esp + 0x20], edx
            //   c745dc06f500f5       | dec                 esp

        $sequence_2 = { c7459410f511f5 c7459806f505f5 c7459c11f50df5 c745a015f516f5 c745a402f552f5 c745a877f574f5 33c0 }
            // n = 7, score = 100
            //   c7459410f511f5       | call                esi
            //   c7459806f505f5       | inc                 ebp
            //   c7459c11f50df5       | test                ebp, ebp
            //   c745a015f516f5       | je                  0xc7f
            //   c745a402f552f5       | dec                 eax
            //   c745a877f574f5       | mov                 dword ptr [esp + 0x20], eax
            //   33c0                 | inc                 esp

        $sequence_3 = { c7459059f540f5 c745945bf50000 660f1f840000000000 4863c2 488d4c2450 488d0c41 0fb7c2 }
            // n = 7, score = 100
            //   c7459059f540f5       | movdqu              xmmword ptr [ebp - 0x28], xmm0
            //   c745945bf50000       | mov                 dword ptr [ebp - 0x18], 0x333c2220
            //   660f1f840000000000     | mov    dword ptr [ebp - 0x14], 0x383a3d27
            //   4863c2               | nop                 dword ptr [eax]
            //   488d4c2450           | dec                 eax
            //   488d0c41             | mov                 dword ptr [ebx + 0x20], eax
            //   0fb7c2               | dec                 eax

        $sequence_4 = { c785e005000010f552f5 c785e405000015f51df5 c785e805000019f513f5 c785ec05000057f51ef5 c785f005000018f513f5 c785f405000017f519f5 c785f805000019f55ef5 }
            // n = 7, score = 100
            //   c785e005000010f552f5     | mov    dword ptr [eax + 0x2e20], 1
            //   c785e405000015f51df5     | mov    dword ptr [ebp + 0xa0], 0xf51ef502
            //   c785e805000019f513f5     | mov    dword ptr [ebp + 0xa4], 0xf52cf53e
            //   c785ec05000057f51ef5     | mov    dword ptr [ebp + 0xa8], 0xf531f531
            //   c785f005000018f513f5     | dec    eax
            //   c785f405000017f519f5     | mov    ecx, dword ptr [ebp - 0x70]
            //   c785f805000019f55ef5     | call    eax

        $sequence_5 = { 0f871b010000 488bce e8???????? 90 4983fd08 0f8208ffffff 4a8d146d02000000 }
            // n = 7, score = 100
            //   0f871b010000         | dec                 esp
            //   488bce               | lea                 eax, [ebp - 0x51]
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   4983fd08             | lea                 edx, [ebp - 0x39]
            //   0f8208ffffff         | dec                 eax
            //   4a8d146d02000000     | lea                 ecx, [ebp - 9]

        $sequence_6 = { c7851c0b00000ef50bf5 c785200b000017f51ff5 c785240b00005df548f5 c785280b000020f504f5 c7852c0b00004bf539f5 c785300b00001ef50bf5 c785340b000055f50000 }
            // n = 7, score = 100
            //   c7851c0b00000ef50bf5     | mov    eax, dword ptr [ecx]
            //   c785200b000017f51ff5     | call    dword ptr [eax + 0x10]
            //   c785240b00005df548f5     | dec    eax
            //   c785280b000020f504f5     | mov    ecx, dword ptr [ebp + 0x18]
            //   c7852c0b00004bf539f5     | dec    eax
            //   c785300b00001ef50bf5     | test    ecx, ecx
            //   c785340b000055f50000     | je    0x1ff9

        $sequence_7 = { e8???????? 488905???????? 498b4f18 ffd0 48898540010000 488b8dd8000000 488b01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488905????????       |                     
            //   498b4f18             | lea                 eax, [ebp + 0x11f8]
            //   ffd0                 | mov                 edx, 1
            //   48898540010000       | call                dword ptr [eax + 0x18]
            //   488b8dd8000000       | mov                 dword ptr [esp + 0x30], eax
            //   488b01               | dec                 eax

        $sequence_8 = { e8???????? 8bd6 488d4bd8 e8???????? 33d2 41b808020000 488d8d90050000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd6                 | shl                 edx, 2
            //   488d4bd8             | dec                 eax
            //   e8????????           |                     
            //   33d2                 | mov                 ecx, esi
            //   41b808020000         | nop                 
            //   488d8d90050000       | cmp                 byte ptr [edi + 0x15], 0

        $sequence_9 = { e9???????? 4883fa10 722d 48ffc2 488b4d80 488bc1 4881fa00100000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4883fa10             | dec                 eax
            //   722d                 | lea                 eax, [0x4cabb]
            //   48ffc2               | dec                 eax
            //   488b4d80             | mov                 ebx, ecx
            //   488bc1               | dec                 eax
            //   4881fa00100000       | mov                 dword ptr [edx], eax

    condition:
        7 of them and filesize < 2457600
}