
PostNapTea

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

PostNapTea (also known as SIGNBT) is an HTTP(S) RAT that is written as a complex object-oriented project.

In 2022-2023, it was deployed against targets such as a newspaper organization, an agriculture-related entity, and a software vendor. Initial access was usually achieved by exploiting vulnerabilities in software widely used in South Korea.

It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration.

PostNapTea uses AES for encryption and decryption of network traffic. There is a constant prefix SIGNBT occurring in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage:

• LG: logging into the C&C server

• KE: acknowledging the successful login to the C&C

• FI: sending the status of a failed operation

• SR: sending the status of a successful operation

• GC: getting the next command
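The five stage markers above make a simple, high-signal detection for proxy or web-server logs. The following is an added example (not code from the profile, Malpedia, or the malware) that assumes the marker appears as plain text in the POST payload and uses a constructed `method url payload` log layout; an unknown two-letter suffix is reported rather than dropped so a new stage does not go unnoticed.

```python
import re
from typing import Optional

# Stage codes listed in the profile for SIGNBT-prefixed POST requests.
SIGNBT_STAGES = {
    "LG": "login to C&C",
    "KE": "acknowledge successful login",
    "FI": "status of a failed operation",
    "SR": "status of a successful operation",
    "GC": "request next command",
}

# Prefix followed immediately by a two-letter stage code, e.g. "SIGNBTLG".
_MARKER = re.compile(r"SIGNBT([A-Z]{2})")


def classify_signbt(payload: str) -> Optional[tuple[str, str]]:
    """Return (stage_code, description) if the payload carries a SIGNBT
    marker, else None. Unknown suffixes are returned as 'unknown stage'."""
    m = _MARKER.search(payload)
    if not m:
        return None
    code = m.group(1)
    return code, SIGNBT_STAGES.get(code, "unknown stage")


def scan_proxy_log(lines):
    """Flag POST log lines whose payload carries the marker.
    Log layout (constructed assumption): 'METHOD URL PAYLOAD'."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue  # only POST requests carry the marker per the profile
        _method, url, payload = parts
        result = classify_signbt(payload)
        if result:
            hits.append((url, *result))
    return hits


# Constructed sample log lines; the URLs and payloads are not real IoCs.
SAMPLE_LOG = [
    "POST /board/upload.php SIGNBTLGQk9EWQ==",
    "GET /board/index.php -",
    "POST /board/upload.php SIGNBTKE",
    "POST /api/v1/status ok=1",
    "POST /board/upload.php SIGNBTZZ0000",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```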

There are five classes that represent command groups:

• CCButton: for file manipulation and screen capturing

• CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall.

• CCComboBox: for file system management

• CCList: for process management

• CCBrush: for control of the malware itself

It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function.

Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.

Threat Analysis

PostNapTea is an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, PostNapTea likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.


Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Sophistication: advanced
Aliases: 3

Also Known As

win.postnaptea, SIGNBT, PostNapTea

External Intelligence

Malpedia: win.postnaptea


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.