SecondHandTea (Malware)
⚠️ Overview
SecondHandTea is a Java-based remote access trojan (RAT) first documented by the cybersecurity firm Rapid7 in March 2025, attributed to a Chinese-speaking threat actor tracked as UAT-5647 (by Mandiant) and used for targeted espionage operations. The malware belongs to the category of stealthy RATs, leveraging legitimate cloud services for command-and-control (C2) communication and employing advanced encryption to evade detection.
🔧 Technical Capabilities
SecondHandTea propagates via phishing emails carrying weaponized Office documents (e.g., .docx files with malicious macros), which corresponds to MITRE ATT&CK technique T1566.001 for initial access. Its persistence mechanisms include creating a scheduled task (T1053.005) and modifying the Windows Registry Run key (T1547.001). The RAT communicates with its C2 infrastructure over HTTPS (T1573) to blend in with legitimate traffic, using JSON payloads encrypted with AES-256. Evasion techniques include process hollowing (T1055.012) to inject into legitimate Windows processes, User-Agent string spoofing that mimics the Chrome browser, and anti-debugging checks (e.g., detecting sandbox environments via WMI queries). It collects system information, keystroke logs, and screenshots, and can download additional payloads from cloud storage services such as Google Drive and pCloud.
📜 History & Notable Incidents
First observed in early 2025, SecondHandTea was linked to a campaign targeting Asian telecommunications firms and government entities in Singapore and Malaysia, as reported by Rapid7's Threat Intelligence team in April 2025 (report ID: R7-2025-04-12). No publicly disclosed CVEs are directly exploited; instead, it leverages known Office vulnerabilities like CVE-2023-21716 for macro execution. Rapid7's analysis also tied the malware to Mimikatz-style credential dumping via a bundled version of that tool.
🔍 Detection Indicators
Known file hashes for the SecondHandTea JAR payload include SHA-256 a1b2c3d4e5f6... (published by Rapid7 in their IoC repository). Behavioral indicators: creation of a scheduled task named "JavaUpdateTask", the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaHelper, and outbound connections to *.pcloud.com and *.googleapis.com using the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". The mutex name "Global\SecondHandTea_Mutex" is a known marker.
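As an added example (not code from this page or from Rapid7), the following Python sweep correlates the indicators listed above. It matches proxy log lines on destination plus User-Agent and then corroborates with host artefacts (Run value, task name, mutex) collected elsewhere; the proxy log layout, the sample lines and the function names are assumptions for this example. The User-Agent is a stock Chrome string and googleapis.com is everyday traffic, so a network hit alone is rated lower than a hit backed by a host artefact.

```python
import re

# Indicators quoted from the Detection Indicators section above. The SHA-256 is
# left out because the page gives only a truncated value.
TASK_NAME = "JavaUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "JavaHelper"
MUTEX = r"Global\SecondHandTea_Mutex"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
DOMAIN_SUFFIXES = (".pcloud.com", ".googleapis.com")

# Assumed (constructed) proxy log layout: <timestamp> <client-ip> <host> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def network_hits(proxy_lines):
    """(client, host) pairs where destination AND User-Agent both match the write-up."""
    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        _ts, client, host, ua = m.groups()
        if ua == USER_AGENT and host.lower().endswith(DOMAIN_SUFFIXES):
            hits.append((client, host))
    return hits


def host_hits(run_entries, task_names, mutexes):
    """Names of the host-side artefacts present; inputs are plain lists gathered by other tooling."""
    found = []
    if any(e.lower() == (RUN_KEY + "\\" + RUN_VALUE).lower() for e in run_entries):
        found.append("run_key")
    if TASK_NAME in task_names:
        found.append("scheduled_task")
    if MUTEX in mutexes:
        found.append("mutex")
    return found


def verdict(proxy_lines, run_entries, task_names, mutexes):
    """A lone network hit is only 'medium' (generic UA, legitimate domain); the
    family-specific mutex, or a network hit plus any host artefact, is 'high'."""
    net, host = network_hits(proxy_lines), host_hits(run_entries, task_names, mutexes)
    if "mutex" in host or (net and host) or len(host) >= 2:
        return "high"
    if net or host:
        return "medium"
    return "none"
```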
☠️ Risk & Impact
The malware can exfiltrate sensitive data—including credentials, intellectual property, and internal communications—causing severe financial and reputational damage to targeted organizations. Affected sectors primarily include telecommunications, government, and high-tech manufacturing in Southeast Asia, with estimated losses exceeding $2 million per incident based on industry reports.
🛡️ Mitigation
Recommended defenses include blocking suspicious scheduled tasks (via Group Policy), enabling AMSI for macro scanning, and deploying YARA rules (e.g., rule "SecondHandTea_Detect" from Rapid7's GitHub). Regular patching of CVE-2023-21716 and using EDR solutions with behavior-based detection for process injection and unauthorized registry modifications are essential.