APT / THREAT GROUP

AkdoorTea

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

AkdoorTea is a simple TCP RAT.

In August 2025, it was found in a trojanized Nvidia CUDA toolkit package, probably delivered via the ClickFix technique. The package also contained an obfuscated BeaverTail payload, which suggests attribution to the Contagious Interview campaigns.

AkdoorTea obfuscates its network traffic with Base64 encoding combined with a single-byte XOR key.

The RAT supports five commands, one of which is to report its internal version, which is "01.01".

Its name was inspired by the similarity to a TCP RAT, referred to as "Akdoor", that was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.

Threat Analysis

AkdoorTea is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.akdoortea
AkdoorTea

External Intelligence

Malpedia: win.akdoortea

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.