SecondHandTea
Intelligence Profile
SecondHandTea is a full-featured Remote Access Trojan (RAT), closely related to BackbitingTea, the flagship backdoor used in the DangerousPassword campaigns (also known as SnatchCrypto).
Both malware families appear to share a codebase and to be compiled in the same build environment.
While they share most core functionality and supported commands, SecondHandTea differs from the BackbitingTea variants in several technical respects (listed as SecondHandTea vs. BackbitingTea):
- Configuration file paths
- Network libraries: OpenSSL 1.1.0f vs. wolfSSL or Winsock TCP/IP
- Encryption algorithms: AES-256 vs. RC4
- Compression methods: LZ4 vs. ZIP
These differences suggest active development and customization efforts tailored to specific operational needs.
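The library differences listed above are the kind of static fingerprints a triage analyst would check before deeper analysis. The script below is an added example and is not code from the profile, the vendor, or either malware family: it scans a binary blob for a small, assumed set of fingerprints (the OpenSSL version banner, the public LZ4 frame-format magic, the leading bytes of the standard AES S-box, and a "wolfSSL" string) and reports which family the hits lean toward. The fingerprint set, the family mapping and the sample blobs are constructed for illustration, not extracted indicators.

```python
"""
Added triage helper (not part of the SecondHandTea profile): scans a binary
for static library fingerprints that line up with the differences the profile
lists (OpenSSL 1.1.0f / AES-256 / LZ4 on one side, wolfSSL / RC4 / ZIP on the
other). The fingerprint list is an assumption for illustration, not extracted
indicators from any sample.
"""
import re

# Assumed fingerprints. The OpenSSL banner is the library's own version text,
# the LZ4 magic is the public LZ4 frame-format magic (0x184D2204, little-endian),
# and the AES S-box prefix is the first bytes of the standard AES substitution
# table, which any AES implementation carries (RC4 has no fixed table).
# "wolfSSL" is an assumed marker for wolfSSL version/debug strings.
FINGERPRINTS = {
    "openssl_1_1_0f": re.compile(rb"OpenSSL 1\.1\.0f"),
    "lz4_frame_magic": re.compile(rb"\x04\x22\x4d\x18"),
    "aes_sbox": re.compile(rb"\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5"),
    "wolfssl": re.compile(rb"wolfSSL"),
}

# Which fingerprints lean toward which family, following the profile's comparison.
FAMILY_HINTS = {
    "SecondHandTea": {"openssl_1_1_0f", "lz4_frame_magic", "aes_sbox"},
    "BackbitingTea": {"wolfssl"},
}


def scan_fingerprints(data: bytes) -> set:
    """Return the names of all fingerprints found anywhere in the blob."""
    return {name for name, rx in FINGERPRINTS.items() if rx.search(data)}


def classify(data: bytes) -> dict:
    """Score each family by matched fingerprints and report a leaning.

    Returns 'unknown' when nothing matched (strings may be stripped or
    obfuscated, and LZ4 block mode carries no magic) and 'ambiguous' on a
    tie, so the result is a triage hint rather than an attribution.
    """
    hits = scan_fingerprints(data)
    per_family = {fam: sorted(hits & marks) for fam, marks in FAMILY_HINTS.items()}
    top = max(len(v) for v in per_family.values())
    leaders = [fam for fam, v in per_family.items() if len(v) == top]
    if top == 0:
        likely = "unknown"
    elif len(leaders) > 1:
        likely = "ambiguous"
    else:
        likely = leaders[0]
    return {"hits": sorted(hits), "per_family": per_family, "likely": likely}


# Constructed stand-ins for file contents (not real samples).
SAMPLE_OPENSSL_LZ4 = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"OpenSSL 1.1.0f  25 May 2017\x00"
    + b"\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5\x30\x01\x67\x2b"
    + b"\x04\x22\x4d\x18\x64\x40\xa7"
)
SAMPLE_WOLFSSL = b"MZ\x90\x00" + b"\x00" * 32 + b"wolfSSL Entering SSL_connect\x00"
SAMPLE_STRIPPED = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in [("openssl/lz4", SAMPLE_OPENSSL_LZ4),
                        ("wolfssl", SAMPLE_WOLFSSL),
                        ("stripped", SAMPLE_STRIPPED)]:
        print(label, classify(blob))
```

Two caveats shape the design: a Winsock import is deliberately not used as a discriminator, because an OpenSSL build on Windows also links WS2_32.dll, and an absent fingerprint proves nothing, since packed or string-stripped builds hide all of these markers. Treat a hit as a reason to prioritise a sample for analysis, not as a family verdict.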
The malware's name was inferred from its internal filename: SecondT_x64.exe.
Between H2 2022 and Q1 2023, SecondHandTea was observed in targeted attacks against entities involved in cryptocurrency trading and blockchain technology, indicating a continued focus on financially motivated cyber operations.
Threat Analysis
SecondHandTea is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.
Financially motivated threat actors like SecondHandTea prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
At this level of sophistication, SecondHandTea is capable of targeted intrusions that combine adapted commodity tools with custom implants, while maintaining operational security and evading standard detection mechanisms.