AkdoorTea
Intelligence Profile
AkdoorTea is a simple TCP RAT.
In August 2025, it was contained in a trojanized Nvidia CUDA toolkit package, probably delivered via the ClickFix technique. The package also contained an obfuscated BeaverTail payload, which suggests attribution to the Contagious Interview campaigns.
AkdoorTea obfuscates its network traffic with Base64 encoding combined with a single-byte XOR key.
The RAT supports five commands, one of which reports its internal version, "01.01".
Its name was inspired by its similarity to a TCP RAT, referred to as "Akdoor", that was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.
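The traffic obfuscation described above (Base64 plus a single-byte XOR key) is weak enough that an analyst can recover the key from a captured message by brute force. The following is an added example, not code from the RAT or from any analysis of it; it assumes the plaintext is XORed first and then Base64-encoded (the profile does not state the order; swap the two steps if a sample shows the reverse), and it uses the known version string "01.01" as a crib to pick the key.

```python
import base64

# Assumption for this example: plaintext is XORed with one key byte and the
# result is Base64-encoded. The profile names both primitives but not their
# order; if captured samples show Base64 before XOR, swap the two steps in
# obfuscate()/deobfuscate().


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single key byte (0..255)."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext: bytes, key: int) -> str:
    """Assumed encode side: XOR, then Base64 (used here to build test data)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: int) -> bytes:
    """Decode side: Base64, then XOR with the same key byte."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_key(blob: str, crib: bytes = b"01.01") -> list:
    """Return every single-byte key under which the decoded blob contains crib.

    With a one-byte XOR key there are only 256 candidates, so an analyst can
    try them all. The version string "01.01" reported by the RAT is a natural
    crib for a captured version-report message; any other expected substring
    (a command name, a hostname) works the same way.
    """
    raw = base64.b64decode(blob)
    return [k for k in range(256) if crib in xor_bytes(raw, k)]


# Constructed sample: a version-report message and a made-up key byte.
# Neither the message layout nor the key come from a real AkdoorTea sample.
SAMPLE_PLAINTEXT = b"version=01.01"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key in recover_key(SAMPLE_BLOB):
        print(f"key=0x{key:02x} plaintext={deobfuscate(SAMPLE_BLOB, key)!r}")
```

For a real capture, replace SAMPLE_BLOB with the Base64 string seen on the wire and keep the crib; a decoded message that reads as plausible C2 text confirms both the key and the assumed step order.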