win.webbytea


Actor(s): Lazarus Group

WebbyTea is an HTTP(S) downloader that uses AES to encrypt its C&C traffic.

It sends detailed information about the victim's environment: proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix "ci", a 16-character hexadecimal string representing the victim ID, and encrypted data about the victim's system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds with the same victim ID, with the prefix changed to "cs".

The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).

The usual payload associated with WebbyTea is SnatchCrypto.

2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
@techreport{klnai:20231004:lazarus:9c0141c, author = {Peter Kálnai}, title = {{Lazarus Campaigns and Backdoors in 2022-23}}, date = {2023-10-04}, institution = {Virus Bulletin}, url = {}, language = {English}, urldate = {2023-11-27} }
Related families: 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, WebbyTea, WinInetLoader

2023-05-22 | Sekoia | Jamila B., Kilian Seznec, Charles M.
Bluenoroff's RustBucket campaign
@online{b:20230522:bluenoroffs:4fd8a5c, author = {Jamila B. and Kilian Seznec and Charles M.}, title = {{Bluenoroff's RustBucket campaign}}, date = {2023-05-22}, organization = {Sekoia}, url = {}, language = {English}, urldate = {2023-05-30} }
Related families: RustBucket, WebbyTea

2022-01-13 | Kaspersky Labs | Seongsu Park, Vitaly Kamluk
The BlueNoroff cryptocurrency hunt is still on
@online{park:20220113:bluenoroff:a3ce5e4, author = {Seongsu Park and Vitaly Kamluk}, title = {{The BlueNoroff cryptocurrency hunt is still on}}, date = {2022-01-13}, organization = {Kaspersky Labs}, url = {}, language = {English}, urldate = {2023-08-10} }
Related families: CageyChameleon, SnatchCrypto, WebbyTea

There is no YARA signature yet.