
AkdoorTea backdoor delivered through Windows batch-script ZIP chain

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The newly documented AkdoorTea backdoor is being delivered through a Windows batch script, expanding the malware toolkit used against targeted developers. The delivery chain pulls nvidiaRelease.zip and runs a Visual Basic Script contained in it, which in turn launches the BeaverTail and AkdoorTea payloads. The broader operation targets developers across Windows, Linux, and macOS, especially those tied to crypto and Web3 projects. The staged delivery and the backdoor's remote-access capability increase the risk of follow-on control and data theft.

Related Happenings

WhatsApp-delivered VBS Windows infection campaign

Campaign
First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A campaign **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft**...

Steaelite Windows RAT with FUD and multi-function capabilities

Malware Activity
First: 27.02.2026 12:06 Last: 27.02.2026 12:06 Sources 1

About this happening: The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...

Timeline

  1. 25.09.2025 16:14 2 articles · 8mo ago

    ESET attributes AkdoorTea to Contagious Interview

    Initial Disclosure

    ESET said North Korea-linked actors associated with Contagious Interview were using the previously undocumented backdoor AkdoorTea alongside TsunamiKit and Tropidoor, and that the activity was aimed at software developers on Windows, Linux, and macOS, especially those involved in cryptocurrency and Web3 projects. ESET also noted that NVIDIA-themed driver-update lures had been used in ClickFix-style video-assessment workflows to propagate AkdoorTea.
