HOMETHREATSSimpleTea
MALWARE FAMILY

SimpleTea

Internal ID: elf.simpletea
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

SimpleTea for Linux is an HTTP(S) RAT.

It was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.

It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.

It supports basic commands that include operations on the victim’s filesystem, manipulation with its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.

SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.

Threat Analysis

SimpleTea is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

elf.simpletea

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.