HOMETHREATSAkdoorTea
MALWARE FAMILY

AkdoorTea

Internal ID: win.akdoortea
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

AkdoorTea is a simple TCP RAT.

In August 2025, it was contained in a trojanized Nvidia CUDA toolkit package, delivered probably via the ClickFix technique. The package also contained an obfuscated BeaverTail payload, which suggests its attribution to the Contagious Interview campaigns.

AkdoorTea uses Base64 encryption combined with a single-byte XOR key for network traffic obfuscation.

The RAT supports five commands, one of which is to report its internal version, which is "01.01".

Its name was inspired by the similarity to a TCP RAT, referred to as "Akdoor", that was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.

Threat Analysis

AkdoorTea is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.akdoortea

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.