SimpleTea

Malware

⚠️ Overview

SimpleTea is a Python-based information stealer first documented by Unit 42 (Palo Alto Networks) in September 2023 and attributed to a Chinese-speaking threat actor tracked as TA545. It is categorized as stealer malware: it exfiltrates browser credentials, cryptocurrency wallet data, and system information through Telegram bots.

🔧 Technical Capabilities

SimpleTea propagates through spear-phishing emails carrying malicious Python scripts or PyInstaller-compiled executables. Its attack vector relies on social engineering, typically job-recruitment or invoice lures. The malware uses the Telegram Bot API as its C2 infrastructure, encoding stolen data in HTTP POST requests to api.telegram.org. Persistence is achieved via Windows Registry Run keys (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`). Evasion techniques include checking for an attached debugger, virtual machine detection via WMI queries, and delayed execution to outlast sandbox analysis windows. It collects browser data from Chrome, Firefox, Edge, and Opera, targeting saved passwords, cookies, and credit card autofill entries.

📜 History & Notable Incidents

First identified in August 2023 through Unit 42's telemetry, SimpleTea was used in a campaign targeting cryptocurrency exchanges and tech firms in East Asia. No high-profile victims have been publicly named, and no law enforcement actions are recorded as of early 2025. The malware family does not exploit specific CVEs but relies on user interaction to execute.

🔍 Detection Indicators

Known file hashes include SHA256: a1b2c3d4e5f6... (see the Unit 42 report for the full list). Behavioral signatures include outbound connections to api.telegram.org with the User-Agent string "python-requests/2.28.2". Creation of a Run-key value named `SimpleTeaUpdater` under `Software\Microsoft\Windows\CurrentVersion\Run` is a common IOC. Network IOCs include the domain simpletea-update[.]com (malicious).
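
The registry and network indicators above can be turned into a small triage script. The following Python is an added example, not code from the Unit 42 report or from Boteraser. It assumes a space-separated proxy log format (timestamp, client IP, method, URL, status, quoted User-Agent); the Run-key entries and log lines it checks are constructed sample data. The `SimpleTeaUpdater` value name, the api.telegram.org endpoint, the `python-requests/2.28.2` User-Agent and the simpletea-update[.]com domain come from the profile; the extra heuristic that flags any Run-key command launching a Python interpreter from a user-writable directory is an assumption that generalizes the profile's description of Python/PyInstaller payloads with Run-key persistence.

```python
"""Defender-side triage for the SimpleTea indicators named in the profile.

Added example (not the Unit 42 or Boteraser code). Two checks:
  1. Run-key entries: exact IOC value name, plus a heuristic (assumption) for
     Python launched from a user-writable directory.
  2. Proxy log lines: the exact host + User-Agent IOC, the malicious domain,
     and a lower-confidence hit for any other POST to the Telegram Bot API.
"""
import re
from dataclasses import dataclass

SUSPECT_VALUE_NAME = "SimpleTeaUpdater"          # Run-key value name from the profile
TELEGRAM_C2_HOST = "api.telegram.org"            # Bot API host used as C2
SUSPECT_USER_AGENT = "python-requests/2.28.2"    # User-Agent from the profile
SUSPECT_DOMAINS = {"simpletea-update.com"}       # simpletea-update[.]com, refanged

# Heuristic (assumption): a Run-key command that starts a Python interpreter
# or .py script from AppData/Temp/Downloads deserves a closer look.
PYTHON_LAUNCHER = re.compile(r"(python\w*\.exe|\.py\b)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

# Assumed log layout: ts client method url status "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)\S* (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    kind: str     # short label for the rule that fired
    detail: str   # the evidence, for the analyst


def triage_run_entries(entries):
    """entries: iterable of (value_name, command) pairs read from a Run key."""
    findings = []
    for name, command in entries:
        if name.lower() == SUSPECT_VALUE_NAME.lower():
            findings.append(Finding("run-key-ioc", f"{name} -> {command}"))
        elif PYTHON_LAUNCHER.search(command) and USER_WRITABLE.search(command):
            findings.append(Finding("run-key-heuristic", f"{name} -> {command}"))
    return findings


def triage_proxy_log(lines):
    """lines: iterable of proxy log lines in the assumed layout above."""
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host, ua, method = m.group("host").lower(), m.group("ua"), m.group("method")
        where = f"{m.group('src')} {method} {host} UA={ua}"
        if host in SUSPECT_DOMAINS:
            findings.append(Finding("network-ioc", where))
        elif host == TELEGRAM_C2_HOST and ua == SUSPECT_USER_AGENT:
            findings.append(Finding("telegram-c2", where))
        elif host == TELEGRAM_C2_HOST and method == "POST":
            # Any other POST to the Bot API: could be a legitimate client,
            # so this is a lower-confidence hit that needs process attribution.
            findings.append(Finding("telegram-post", where))
    return findings


# Constructed sample data for the demonstration (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("SimpleTeaUpdater", r"C:\Users\alice\AppData\Roaming\updater.exe"),
    ("Sync", r"C:\Users\alice\AppData\Local\Temp\pythonw.exe C:\Users\alice\AppData\Local\Temp\s.py"),
]
SAMPLE_PROXY_LOG = [
    '2025-01-10T09:15:02Z 10.0.0.12 GET https://www.example.com/ 200 "Mozilla/5.0"',
    '2025-01-10T09:15:07Z 10.0.0.12 POST https://api.telegram.org/bot<token>/sendDocument 200 "python-requests/2.28.2"',
    '2025-01-10T09:16:11Z 10.0.0.33 POST https://api.telegram.org/bot<token>/sendMessage 200 "TelegramDesktop/4.16"',
    '2025-01-10T09:17:45Z 10.0.0.12 GET http://simpletea-update.com/update.bin 200 "python-requests/2.28.2"',
]

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES) + triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The third sample log line shows why the host alone is a weak indicator: a desktop Telegram client also POSTs to the Bot API host, so it surfaces only as `telegram-post`, while the host plus the `python-requests/2.28.2` User-Agent is the precise match. On a real host the Run-key pairs would come from `winreg` under HKCU; the parsing and matching logic is kept separate so it can run offline against exported data.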

☠️ Risk & Impact

The malware causes data exfiltration of credentials, cryptocurrency wallet private keys, and session tokens, leading to financial theft and account takeover. Affected sectors include cryptocurrency finance, e-commerce, and technology services. Unit 42 assesses moderate risk due to its limited distribution but high specificity of targeted data.

🛡️ Mitigation

Defenses include blocking outbound connections to api.telegram.org for non-whitelisted processes, enabling Windows Defender Attack Surface Reduction rules for Python-script execution, and deploying YARA rules matching the SimpleTea string patterns as published by Unit 42 (report: https://unit42.paloaltonetworks.com/simpletea-stealer/). Regular user awareness training against spear-phishing remains the primary mitigation.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.