win.secondhandtea

SecondHandTea

Actor(s): Lazarus Group


SecondHandTea is a full-featured Remote Access Trojan (RAT), closely related to BackbitingTea, the flagship backdoor used in the DangerousPassword campaigns (also known as SnatchCrypto).

Both families appear to share a codebase and to have been built in the same build environment.

While they share most core functionality and supported commands, SecondHandTea differs from the BackbitingTea variants in several technical aspects (SecondHandTea listed first in each pair):

- Configuration file paths
- Network/TLS library: OpenSSL 1.1.0f vs. wolfSSL or plain Winsock TCP/IP
- Encryption algorithm: AES-256 vs. RC4
- Compression method: LZ4 vs. ZIP

These differences suggest active development and customization efforts tailored to specific operational needs.
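A static triage pass over those four differences, as an added example (this is not Malpedia's, ESET's or the malware's code): it looks for the OpenSSL version banner, the AES S-box table, the LZ4 frame magic, ZIP local-header magic, wolfSSL literals and the SecondT_x64.exe internal name in a file and reports which side of the comparison the hits lean toward. The byte patterns, the constructed sample blob and the scoring are assumptions chosen for illustration, not published indicators for either family; configuration paths are not checked because the page does not give them.

```python
"""Static triage helper for the SecondHandTea-vs-BackbitingTea component
differences. Added example, not code from Malpedia, ESET or the malware.
Every byte pattern below is an assumption about how the component normally
shows up in a linked binary, and the verdict is a heuristic only."""
import re
import sys
from typing import Dict, List

# First 16 bytes of the AES forward S-box (FIPS-197). An AES implementation
# that keeps the S-box as a table (key expansion needs it even on AES-NI
# builds) exposes this constant; RC4 has no comparable constant table.
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")

# Internal filename from the page, searched as ASCII and as UTF-16LE
# (PE version resources store strings as UTF-16LE).
INTERNAL_NAME = b"SecondT_x64.exe"

# Assumed indicators. OpenSSL embeds "OpenSSL <ver>  <date>" as a literal
# (1.1.0f was released 25 May 2017); wolfSSL builds carry "wolfSSL"
# literals; the LZ4 *frame* format starts with magic 0x184D2204 (raw LZ4
# blocks have no magic, so absence proves nothing); ZIP local file
# headers start with "PK\x03\x04".
INDICATORS: Dict[str, re.Pattern] = {
    "openssl_banner": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\s+\d+ \w+ \d{4}"),
    "wolfssl_literal": re.compile(rb"wolfSSL"),
    "aes_sbox": re.compile(re.escape(AES_SBOX_PREFIX)),
    "lz4_frame_magic": re.compile(rb"\x04\x22\x4d\x18"),
    "zip_local_header": re.compile(rb"PK\x03\x04"),
    "secondt_name": re.compile(
        re.escape(INTERNAL_NAME) + b"|"
        + re.escape(INTERNAL_NAME.decode().encode("utf-16-le"))
    ),
}

# Which side of the comparison each indicator points to (assumption).
SECONDHANDTEA_SIDE = {"openssl_banner", "aes_sbox", "lz4_frame_magic", "secondt_name"}
BACKBITINGTEA_SIDE = {"wolfssl_literal", "zip_local_header"}


def scan(data: bytes) -> Dict[str, List[str]]:
    """Return {indicator: [matched byte strings]} for every indicator that fires."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in INDICATORS.items():
        found = [m.group(0).decode("latin-1", "replace") for m in pattern.finditer(data)]
        if found:
            hits[name] = found
    return hits


def openssl_version(data: bytes):
    """Return the OpenSSL version literal found in the blob, or None."""
    m = INDICATORS["openssl_banner"].search(data)
    return m.group(1).decode() if m else None


def verdict(hits: Dict[str, List[str]]) -> str:
    """Heuristic lean: count fired indicators on each side of the comparison."""
    s = len(SECONDHANDTEA_SIDE & set(hits))
    b = len(BACKBITINGTEA_SIDE & set(hits))
    if s == 0 and b == 0:
        return "no indicators"
    if s > b:
        return "leans SecondHandTea"
    if b > s:
        return "leans BackbitingTea"
    return "mixed"


# Constructed sample blob (not a real sample) carrying the SecondHandTea-side
# literals, so the script is runnable offline.
SAMPLE = (
    b"\x00" * 16
    + b"OpenSSL 1.1.0f  25 May 2017\x00"
    + AES_SBOX_PREFIX + bytes.fromhex("ca82c97d")   # next four S-box bytes
    + b"\x04\x22\x4d\x18"                            # LZ4 frame magic
    + INTERNAL_NAME.decode().encode("utf-16-le")
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan(data)
    for name, found in hits.items():
        print(f"{name:18} {found[:3]}")
    print("openssl:", openssl_version(data))
    print("verdict:", verdict(hits))
```

Run it with a file path to scan a dump; without arguments it scans the constructed blob. Treat the result as a hint for which family's configuration and decryption routine to try first, not as attribution: a packed sample will show none of these strings, and the AES S-box appears in plenty of benign binaries.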

The malware's name was inferred from its internal filename: SecondT_x64.exe.

Between H2 2022 and Q1 2023, SecondHandTea was observed in targeted attacks against entities involved in crypto trading and blockchain technology, consistent with the group's continued focus on financially motivated operations.

References
2023-10-04 | Virus Bulletin | Peter Kálnai: Lazarus Campaigns and Backdoors in 2022-23
  (families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader)
2023-01-31 | WeLiveSecurity | ESET Research: ESET APT Activity Report T3 2022
  (families: SecondHandTea, MirrorFace)
Yara Rules
[TLP:WHITE] win_secondhandtea_auto (20260504 | Detects win.secondhandtea.)
rule win_secondhandtea_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.secondhandtea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.secondhandtea"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Instruction comments below are x86-64 decodings of the byte sequences
     * (the sample is 64-bit); "????????" marks a displacement or immediate
     * the generator wildcarded. $sequence_2 decodes as data, not code. */

    strings:
        $sequence_0 = { c744242001000000 ff15???????? 85c0 0f8489010000 488b4c2460 448d4f04 4c8d442470 }
            // n = 7, score = 100
            //   c744242001000000     | mov                 dword ptr [rsp + 0x20], 1
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   85c0                 | test                eax, eax
            //   0f8489010000         | je                  +0x189
            //   488b4c2460           | mov                 rcx, qword ptr [rsp + 0x60]
            //   448d4f04             | lea                 r9d, [rdi + 4]
            //   4c8d442470           | lea                 r8, [rsp + 0x70]

        $sequence_1 = { 8b45b7 894330 488b45af 4c8965c7 e9???????? c7442420c0000000 ba74000000 }
            // n = 7, score = 100
            //   8b45b7               | mov                 eax, dword ptr [rbp - 0x49]
            //   894330               | mov                 dword ptr [rbx + 0x30], eax
            //   488b45af             | mov                 rax, qword ptr [rbp - 0x51]
            //   4c8965c7             | mov                 qword ptr [rbp - 0x39], r12
            //   e9????????           | jmp                 rel32
            //   c7442420c0000000     | mov                 dword ptr [rsp + 0x20], 0xc0
            //   ba74000000           | mov                 edx, 0x74

        $sequence_2 = { c3 9b 401400 8c4014 007d40 1400 7440 }
            // n = 7, score = 100
            //   c3                   | ret
            //   9b                   | (data) the bytes after the ret form a table of
            //   401400               |   32-bit little-endian values: 0x0014409b,
            //   8c4014               |   0x0014408c, 0x0014407d, 0x00144074 (descending
            //   007d40               |   pointers/RVAs); the token boundaries do not
            //   1400                 |   correspond to instructions, so the bytes are
            //   7440                 |   matched as-is

        $sequence_3 = { f20f5e05???????? f2410f1100 c3 660fefc0 33c0 f2480f2a8110100000 f2410f1100 }
            // n = 7, score = 100
            //   f20f5e05????????     | divsd               xmm0, qword ptr [rip + disp32]
            //   f2410f1100           | movsd               qword ptr [r8], xmm0
            //   c3                   | ret
            //   660fefc0             | pxor                xmm0, xmm0
            //   33c0                 | xor                 eax, eax
            //   f2480f2a8110100000   | cvtsi2sd            xmm0, qword ptr [rcx + 0x1010]
            //   f2410f1100           | movsd               qword ptr [r8], xmm0

        $sequence_4 = { c744242079010000 e8???????? e9???????? babb000000 4c8d0de4480a00 b910000000 448d4289 }
            // n = 7, score = 100
            //   c744242079010000     | mov                 dword ptr [rsp + 0x20], 0x179
            //   e8????????           | call                rel32
            //   e9????????           | jmp                 rel32
            //   babb000000           | mov                 edx, 0xbb
            //   4c8d0de4480a00       | lea                 r9, [rip + 0xa48e4]
            //   b910000000           | mov                 ecx, 0x10
            //   448d4289             | lea                 r8d, [rdx - 0x77]

        $sequence_5 = { b830000000 e8???????? 482be0 4533e4 418be8 4c8bf2 488bf9 }
            // n = 7, score = 100
            //   b830000000           | mov                 eax, 0x30
            //   e8????????           | call                rel32 (stack-probe call preceding sub rsp, rax)
            //   482be0               | sub                 rsp, rax
            //   4533e4               | xor                 r12d, r12d
            //   418be8               | mov                 ebp, r8d
            //   4c8bf2               | mov                 r14, rdx
            //   488bf9               | mov                 rdi, rcx

        $sequence_6 = { 7438 498bcc e8???????? 85c0 7407 bb2a000000 eb4a }
            // n = 7, score = 100
            //   7438                 | je                  +0x38
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   7407                 | je                  +7
            //   bb2a000000           | mov                 ebx, 0x2a
            //   eb4a                 | jmp                 +0x4a

        $sequence_7 = { e8???????? 488d8ba8160000 e8???????? 488bcb e8???????? 488bcb ff15???????? }
            // n = 7, score = 100
            //   e8????????           | call                rel32
            //   488d8ba8160000       | lea                 rcx, [rbx + 0x16a8]
            //   e8????????           | call                rel32
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                rel32
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_8 = { 8bf0 85c0 0f85b8000000 488b5c2420 4885db 0f8494000000 488b87c8150000 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   85c0                 | test                eax, eax
            //   0f85b8000000         | jne                 +0xb8
            //   488b5c2420           | mov                 rbx, qword ptr [rsp + 0x20]
            //   4885db               | test                rbx, rbx
            //   0f8494000000         | je                  +0x94
            //   488b87c8150000       | mov                 rax, qword ptr [rdi + 0x15c8]

        $sequence_9 = { e8???????? 488bbe00020000 4883c9ff 33c0 f2ae 48f7d1 48ffc9 }
            // n = 7, score = 100
            //   e8????????           | call                rel32
            //   488bbe00020000       | mov                 rdi, qword ptr [rsi + 0x200]
            //   4883c9ff             | or                  rcx, -1
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         (inline strlen of the string at rdi)
            //   48f7d1               | not                 rcx
            //   48ffc9               | dec                 rcx (rcx = length)
    condition:
        7 of them and filesize < 4452352
}