
SecondHandTea

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

SecondHandTea is a full-featured Remote Access Trojan (RAT), closely related to BackbitingTea, the flagship backdoor used in the DangerousPassword campaigns (also known as SnatchCrypto).

Both malware families appear to share a common codebase and are compiled within the same build environment.

While they share most core functionality and supported commands, SecondHandTea differs from the BackbitingTea variants in several technical aspects (SecondHandTea listed first, BackbitingTea second):

- Configuration file paths

- Network libraries: OpenSSL 1.1.0f vs. wolfSSL or Winsock TCP/IP

- Encryption algorithms: AES-256 vs. RC4

- Compression methods: LZ4 vs. ZIP

These differences suggest active development and customization efforts tailored to specific operational needs.

The malware's name was inferred from its internal filename: SecondT_x64.exe.

Between H2 2022 and Q1 2023, SecondHandTea was observed in targeted attacks against entities involved in cryptotrading and blockchain technology, indicating a continued focus on financially motivated cyber operations.

Threat Analysis

SecondHandTea is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like SecondHandTea prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, SecondHandTea is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 2

Also Known As

win.secondhandtea, SecondHandTea

External Intelligence

Malpedia: win.secondhandtea

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.