The PolySwarm Blog


Lazarus Group's ScoringMathTea RAT

Nov 24, 2025 1:55:16 PM / by The Hivemind

Verticals Targeted: Aerospace, Defense
Regions Targeted: Entities providing UAV technology to Ukraine
Related Families: None

Executive Summary

In a new phase of Lazarus Group’s long-running Operation DreamJob campaign, dubbed “Gotta Fly,” the North Korean APT deployed a previously undocumented C++ RAT named ScoringMathTea to exfiltrate sensitive unmanned aerial vehicle (UAV) technology from defense contractors supporting Ukraine. ScoringMathTea stands out for its heavy reliance on runtime evasion techniques, including stack strings, custom polyalphabetic string decryption, API hashing, PEB walking, and full reflective DLL injection of additional plugins.

Key Takeaways

  • ScoringMathTea is a modular, in-memory Remote Access Trojan written in C++ that employs multiple layers of obfuscation and dynamic API resolution to frustrate static analysis.
  • Communication with C2 occurs over HTTP/S with spoofed User-Agent, Base64 encoding, TEA/XTEA-CBC encryption, optional compression, and automatic stripping of fake HTML headers returned by the server.
  • The malware implements manual PE mapping and reflective loading of follow-on plugins, using PEB walking to obtain unhooked kernel32.dll pointers and a runtime-built “clean” API table.
  • A custom polyalphabetic substitution cipher with chaining and a unique rolling hash are used for string deobfuscation and API resolution.

What is ScoringMathTea?

0x0d4y Malware Research and ESET recently reported on ScoringMathTea.

ScoringMathTea arrives as a DLL that immediately spawns a thread from DllMain pointing to its primary routine. Early execution initializes a configuration structure containing a single hard-coded C2 URL, seeds the PRNG with GetTickCount64, and prepares additional empty slots for future C2 addresses. All subsequent Windows API calls are resolved at runtime via a custom hashing routine that iterates over exported function names in loaded modules until the computed hash matches the desired value.
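The resolver described above, as an added illustration rather than ScoringMathTea's own code: export names are hashed one by one until the wanted value appears, and the analyst-side counterpart precomputes the same hashes for known exports so that constants seen in the disassembly can be labelled. The ROR-13 hash used here is a well-known stand-in (an assumption; the bulletin does not give the sample's rolling hash, and an analyst would substitute the routine recovered from the binary), and the module export lists are constructed for the demo instead of being read from the PEB.

```python
# Added example of runtime API resolution by name hash; not ScoringMathTea's code.
# ror13_hash is a stand-in (assumption): swap in the sample's recovered routine.

MASK32 = 0xFFFFFFFF

def ror13_hash(name: bytes) -> int:
    """Rotate-right-13-and-add hash over an export name (stand-in algorithm)."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + c) & MASK32
    return h

# Constructed stand-in for the export tables of loaded modules. In a live process
# these come from walking the PEB module list and each module's export directory;
# here they are plain lists so the example runs offline.
LOADED_MODULES = {
    "kernel32.dll": [b"CreateThread", b"GetTickCount64", b"LoadLibraryA", b"VirtualAlloc"],
    "winhttp.dll": [b"WinHttpOpen", b"WinHttpConnect", b"WinHttpSendRequest"],
}

def resolve_by_hash(target: int, modules=LOADED_MODULES, hasher=ror13_hash):
    """Scan export names in every loaded module until one hashes to the wanted
    value, as the bulletin describes. Returns (module, name) or None."""
    for module, exports in modules.items():
        for name in exports:
            if hasher(name) == target:
                return module, name.decode()
    return None

def build_reverse_table(modules=LOADED_MODULES, hasher=ror13_hash):
    """Analyst-side helper: precompute hash -> 'module!Export' for every known
    export so hash constants found in the sample can be annotated."""
    table = {}
    for module, exports in modules.items():
        for name in exports:
            table[hasher(name)] = f"{module}!{name.decode()}"
    return table

def annotate(hash_constants, table):
    """Map 32-bit constants pulled from the disassembly to API names."""
    return [table.get(h, f"unknown_{h:08x}") for h in hash_constants]

if __name__ == "__main__":
    table = build_reverse_table()
    wanted = ror13_hash(b"WinHttpSendRequest")
    print(resolve_by_hash(wanted))
    print(annotate([wanted, 0xDEADBEEF], table))
```

In practice the reverse table is built from the real export directories of the DLLs the sample loads (kernel32, winhttp and so on), and any hash that stays unknown is a hint that the sample hashes a module or name you have not enumerated yet.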

String obfuscation relies on a 64-character substitution alphabet and a propagating key state starting at 11. Each byte is decoded by subtracting the current key state from its position in the alphabet, after which the newly decoded byte is added to the key state for the next iteration, creating a chained polyalphabetic cipher that prevents simple frequency analysis.

Network communication is handled through dynamically resolved WinHttp APIs. The agent beacons every 60 seconds, spoofs a legitimate Edge browser User-Agent, and POSTs pseudo-random payloads designed to evade static network signatures. Responses from the C2 are filtered to discard fake HTML/PHP error pages, then decrypted in place using TEA or XTEA in CBC mode, with the key and IV extracted from the payload itself. The decompressed commands are then dispatched for execution.
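The response handling just described, worked through as an added example (not ScoringMathTea's code): drop the decoy HTML page, Base64-decode what remains, take the key and IV from the front of the payload, and XTEA-CBC decrypt the rest. Because the bulletin does not give the exact framing, the following are assumptions for the demo: the real blob follows the decoy's closing `</html>` tag, the first 16 bytes are the 128-bit XTEA key, the next 8 bytes are the CBC IV, words are little-endian, and PKCS#7 padding is used. The encrypt side exists only to construct a sample reply.

```python
# Added example of decoy stripping + XTEA-CBC decryption; not the sample's code.
# Layout assumptions: </html> marker, then Base64(key[16] | iv[8] | ciphertext).
import base64
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # standard XTEA constant
ROUNDS = 32
BLOCK = 8

def _xtea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0, v1

def _xtea_decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0, v1

def _key_words(key: bytes):
    return struct.unpack("<4I", key)   # little-endian words (assumption)

def xtea_cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    k = _key_words(key)
    pad = BLOCK - len(data) % BLOCK    # PKCS#7 (assumption)
    data = data + bytes([pad]) * pad
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        v0, v1 = struct.unpack("<2I", block)
        prev = struct.pack("<2I", *_xtea_encrypt_block(v0, v1, k))
        out += prev
    return bytes(out)

def xtea_cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length must be a non-zero multiple of 8")
    k = _key_words(key)
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        v0, v1 = _xtea_decrypt_block(*struct.unpack("<2I", cur), k)
        out += bytes(a ^ b for a, b in zip(struct.pack("<2I", v0, v1), prev))
        prev = cur
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return bytes(out[:-pad])

def strip_decoy_html(response: bytes) -> bytes:
    """Discard the fake error page: keep only what follows the last </html>."""
    marker = b"</html>"
    idx = response.rfind(marker)
    if idx == -1:
        raise ValueError("no decoy page found; refusing to guess at the framing")
    return response[idx + len(marker):].strip()

def recover_command(response: bytes) -> bytes:
    """Full receive path: strip decoy, Base64-decode, split key|iv|ct, decrypt."""
    blob = base64.b64decode(strip_decoy_html(response), validate=True)
    key, iv, ct = blob[:16], blob[16:24], blob[24:]
    return xtea_cbc_decrypt(ct, key, iv)

def build_sample_response(command: bytes, key: bytes, iv: bytes) -> bytes:
    """Construct a C2-style reply for testing: decoy 404 page + Base64(key|iv|ct)."""
    ct = xtea_cbc_encrypt(command, key, iv)
    decoy = b"<html><head><title>404 Not Found</title></head><body>Not Found</body></html>\n"
    return decoy + base64.b64encode(key + iv + ct)

SAMPLE_KEY = bytes(range(16))                      # constructed
SAMPLE_IV = b"\x10\x11\x12\x13\x14\x15\x16\x17"    # constructed

if __name__ == "__main__":
    resp = build_sample_response(b"sleep 60", SAMPLE_KEY, SAMPLE_IV)
    print(recover_command(resp))
```

The point for detection is that nothing about the transport is secret: the key rides in the payload, so a network sensor that recovers the framing can decrypt traffic without any key material from the host, while the decoy page and browser User-Agent exist only to survive a casual look at the flow.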

The most sophisticated capability is the reflective plugin loader. When instructed, ScoringMathTea downloads an additional PE (DLL) from the C2, walks the PEB to locate an unhooked kernel32.dll, builds its own API resolution table, manually maps the plugin sections into memory, performs relocations, fixes imports using the clean table, verifies integrity with an on-the-fly CRC32 implementation, sets proper section protections, and invokes an exported function named “exportfun” to activate the plugin, all without ever touching disk.
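One detail of that loader worth seeing in code is the "on-the-fly" CRC32. The classic implementation carries a 1 KiB precomputed table that is an easy static signature; computing the polynomial division bit by bit removes that artefact. The block below is an added example, not ScoringMathTea's code: a table-less CRC32 that matches the standard IEEE polynomial, a loader-style integrity check over a constructed plugin blob, and the hunter-side inverse, a check for the canonical table bytes that only a table-driven implementation embeds. The expected-CRC framing is an assumption for the demo.

```python
# Added example: table-less CRC32 (the "on-the-fly" kind), plus a detection
# helper for the table-driven kind. Not the sample's own implementation.
import zlib

CRC32_POLY_REFLECTED = 0xEDB88320   # IEEE 802.3 polynomial, reflected form

def crc32_bitwise(data: bytes, crc: int = 0) -> int:
    """Compute CRC32 without a lookup table; equals zlib.crc32(data)."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC32_POLY_REFLECTED if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def verify_plugin(blob: bytes, expected_crc: int) -> bool:
    """Loader-side integrity check: map the plugin only if the CRC matches."""
    return crc32_bitwise(blob) == expected_crc

def canonical_table_prefix(entries: int = 4) -> bytes:
    """Little-endian bytes of table entries 1..entries of the standard CRC32
    table; entry 0 is all zeros and is skipped because it matches too easily."""
    out = bytearray()
    for i in range(1, entries + 1):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ (CRC32_POLY_REFLECTED if c & 1 else 0)
        out += c.to_bytes(4, "little")
    return bytes(out)

def has_crc_table_signature(binary: bytes) -> bool:
    """Hunter-side check: a table-driven CRC32 embeds the canonical table; a
    bitwise one, like the loader described above, leaves no such bytes."""
    return canonical_table_prefix() in binary

if __name__ == "__main__":
    plugin = b"MZ" + b"\x00" * 62 + b"constructed plugin body"   # constructed, not a real PE
    print(hex(crc32_bitwise(plugin)), hex(zlib.crc32(plugin)))
    print(verify_plugin(plugin, zlib.crc32(plugin)))
    print(has_crc_table_signature(canonical_table_prefix() + b"..."), has_crc_table_signature(plugin))
```

The absence of the table is exactly why a YARA rule keyed on CRC32 constants will not fire on this loader; the reflected polynomial 0xEDB88320 itself, however, still has to appear somewhere as an immediate, which is the constant worth hunting for instead.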

This combination of runtime API resolution, chained string decryption, PEB walking for unhooked pointers, and full manual mapping makes ScoringMathTea exceptionally difficult to detect with traditional EDR hooks and highlights Lazarus Group’s continued investment in stealthy, modular espionage tools.

Who is Lazarus Group?

The Lazarus Group, also known as APT38, Hidden Cobra, and Guardians of Peace, is a prolific cyber threat actor closely tied to North Korea. Active since at least 2009, the group has orchestrated some of the most audacious attacks in cybersecurity history, blending espionage, financial theft, and disruption to advance the regime's strategic goals.

Lazarus employs a diverse arsenal of tactics, techniques, and procedures (TTPs) to infiltrate targets. It frequently initiates operations with spear-phishing emails containing malicious attachments or links, often impersonating trusted entities like health officials or job recruiters. Once inside, the group deploys custom backdoors for persistence and command-and-control. It exploits zero-day vulnerabilities, including those in software like Apache Struts 2, and leverages supply-chain compromises by trojanizing legitimate applications, such as open-source tools or cryptocurrency wallets. For lateral movement, Lazarus uses DLL side-loading and proxying to evade detection, while encrypting payloads with AES or RC4 ciphers. Destructive actions involve wiper malware to erase traces and ransomware like WannaCry, which propagates via EternalBlue exploits. The group also conducts watering hole attacks on targeted websites and strategic web compromises to deliver drive-by downloads.

Lazarus targets a broad spectrum of verticals, including financial institutions and cryptocurrency exchanges for monetary heists, defense and aerospace firms for military intelligence, pharmaceuticals for research theft, and critical infrastructure like energy and telecommunications for sabotage. Geographically, it focuses on South Korea and the United States for geopolitical disruption, while extending operations to Europe, Asia, Latin America, and the Middle East to maximize financial gains and evade sanctions.

The group operates under North Korea's Reconnaissance General Bureau (RGB), the regime's primary military intelligence agency, with subunits like Bureau 121 and Lab 110 coordinating cyber warfare. U.S. indictments of RGB-linked hackers and Treasury sanctions on Lazarus affiliates underscore this state sponsorship.

IOCs

PolySwarm has multiple samples of ScoringMathTea.

C39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012
083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120
503b3ece42f540409bcb2f0abc7584e557a0d120b7ba9854b4548496b2546d34
98d1a10521a4dd968d75e2860e523311b5851737795c84943c380870794c851a
f9a9c1a13ed74aebca0652b102755833fc084e221d731b5e7ae76ff136f85864

Click here to view all samples of ScoringMathTea in our PolySwarm portal.


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Reflective DLL Injection, Gotta Fly campaign, Lazarus APT, ScoringMathTea, Operation DreamJob, North Korea Cyberespionage, API Hashing, TEA encryption
