MALWARE / REMOTE ACCESS TROJAN

JessieConTea

Last seen: Mar 17, 2026

Intelligence Profile

JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.

The malware has been delivered in the wild via trojanized applications such as DeFi Wallet or Citrix Workspace.

JessieConTea sends POST requests carrying a parameter named jsessid, from which the first part of its name is derived. It also contains the RTTI symbol ".?AVCHttpConn@@" (the MSVC type descriptor for a class named CHttpConn), which inspired the second part of the name. C&C traffic is encrypted with RC4. Note that jsessid is close to JSESSIONID, the common session-identifier name used by Java web applications, so the parameter name alone is a weak network indicator and should be paired with the RC4-protected body or with host-side artefacts such as the RTTI string.
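To make the indicators in the two paragraphs above concrete (command indices starting at 0x60D49D97, the jsessid POST parameter, the ".?AVCHttpConn@@" RTTI string and RC4-protected C&C traffic), here is a small set of Python triage helpers. This is an added example, not code from the malware, from Malpedia or from this page's sources. The RC4 key, the layout of the decrypted payload (a little-endian 32-bit command index followed by an argument), the assumption that the roughly 30 indices are consecutive, the "data" parameter and the sample request body are all constructed for illustration and must be replaced with values recovered from an actual sample.

```python
"""Triage helpers for the JessieConTea indicators described above.

Added example only: not code from the malware, Malpedia, or this page's sources.
Assumptions the page does not document: the RC4 key, the decrypted payload layout
(little-endian 32-bit command index, then an argument), the "data" parameter, and
that the ~30 command indices are consecutive from 0x60D49D97. The sample request
is constructed.
"""
import struct
from typing import Optional, Tuple
from urllib.parse import parse_qs

CMD_BASE = 0x60D49D97             # first command index (from the profile)
CMD_COUNT = 30                    # "around 30 commands"; exact count is an assumption
JSESSID_PARAM = "jsessid"         # POST parameter the family is named after
RTTI_SYMBOL = b".?AVCHttpConn@@"  # RTTI string behind the second half of the name


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def command_ordinal(index: int) -> Optional[int]:
    """Position of a 32-bit command index in the command table (0-based),
    or None when it falls outside the assumed consecutive range."""
    ordinal = index - CMD_BASE
    return ordinal if 0 <= ordinal < CMD_COUNT else None


def extract_jsessid(body: bytes) -> Optional[str]:
    """Pull the jsessid value out of a URL-encoded POST body, if present."""
    params = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    values = params.get(JSESSID_PARAM)
    return values[0] if values else None


def decode_command(blob: bytes, key: bytes) -> Tuple[int, Optional[int], bytes]:
    """RC4-decrypt a command blob and split it into (raw index, ordinal, argument).
    The split at offset 4 reflects the assumed layout, not a documented format."""
    plain = rc4(key, blob)
    if len(plain) < 4:
        raise ValueError("decrypted blob shorter than a 32-bit command index")
    (index,) = struct.unpack("<I", plain[:4])
    return index, command_ordinal(index), plain[4:]


def has_rtti_marker(binary: bytes) -> bool:
    """Static check for the CHttpConn RTTI type descriptor string."""
    return RTTI_SYMBOL in binary


# Constructed sample: command ordinal 3 carrying a path argument, RC4-encrypted
# under a made-up key, then shipped hex-encoded in a made-up "data" parameter.
SAMPLE_KEY = b"example-key"
SAMPLE_BLOB = rc4(SAMPLE_KEY, struct.pack("<I", CMD_BASE + 3) + b"C:\\Users\\victim\\Documents")
SAMPLE_POST_BODY = b"jsessid=3f9a1c&data=" + SAMPLE_BLOB.hex().encode()


def triage_request(body: bytes, key: bytes) -> dict:
    """End-to-end: flag the jsessid parameter, then decode the command it carries."""
    session = extract_jsessid(body)
    if session is None:
        return {"matched": False}
    params = parse_qs(body.decode("ascii", "replace"))
    if "data" not in params:                  # name matched, but nothing to decode
        return {"matched": True, "jsessid": session, "index": None,
                "ordinal": None, "argument": b""}
    index, ordinal, argument = decode_command(bytes.fromhex(params["data"][0]), key)
    return {"matched": True, "jsessid": session, "index": index,
            "ordinal": ordinal, "argument": argument}


if __name__ == "__main__":
    print(triage_request(SAMPLE_POST_BODY, SAMPLE_KEY))
```

The RC4 routine is the standard algorithm (it reproduces the public test vector for key "Key" and plaintext "Plaintext"), so once a key is recovered from a sample the same function decrypts traffic in either direction; the offset-4 split in decode_command and the "data" parameter are the parts that must be adjusted to what the binary actually does.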

Threat Analysis

The sources behind this page describe JessieConTea as a piece of malware, a remote access trojan, rather than as a threat group. No operator has been attributed to it, and neither the national origin nor the motivation behind its deployment is established in the available intelligence. The trojanized-application delivery and the RAT capability set described above are the only behavioural facts on record here.

Quick Facts

Type: Malware (remote access trojan)
Aliases: 2

Also Known As

JessieConTea, win.jessiecontea

External Intelligence

Malpedia: win.jessiecontea

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
JessieConTea | Malware (remote access trojan) | Threat Intelligence | CTIWATCH.COM