Malware, used by 1 actor

ScoringMathTea

ScoringMathTea is a remote access trojan (RAT) associated with the North Korea-aligned Lazarus Group and repeatedly linked to Operation DreamJob. It has been used since at least late 2022 and was publicly documented by Kaspersky in April 2023; Microsoft reported on it in October 2023 under the name ForestTiger. The malware has been observed in espionage-focused campaigns targeting defense and aerospace-related organizations, including European defense companies, UAV/drone-related firms, an Indian technology company, a Polish defense company, a British industrial automation company, and an Italian aerospace company.

In the reported 2025 activity, Lazarus used fake recruiter/job-offer lures and decoy job-description documents, including trojanized PDF readers and other trojanized open-source software delivered via GitHub-hosted projects, to infect victims. Observed trojanized components included MuPDF reader, TightVNC Viewer, Notepad++ plugins, WinMerge plugins, libpcre, DirectX wrapper-based loaders, QuanPinLoader, BinMergeLoader, and a loader with the internal name DroneEXEHijackingLoader.dll. ESET reported that the campaign targeted three European defense-sector companies, including organizations involved in UAV technology and military equipment used in Ukraine, and assessed the likely objective as theft of proprietary information and manufacturing know-how.

ScoringMathTea gives attackers full, interactive control over compromised systems. Reported functionality includes roughly 40 commands covering file and process manipulation, system information collection, TCP/network connectivity, command execution, configuration changes, and downloading and executing additional payloads. Reporting also describes ScoringMathTea as using a reflective plugin loader and additional DLL plug-ins, indicating modular in-memory extension of its capabilities. One report notes the use of custom polyalphabetic cryptography.

The surrounding intrusion chain used droppers, loaders and downloaders that decrypted stages with AES-128 or ChaCha20 and loaded them in memory via MemoryModule routines; in observed cases, the main ScoringMathTea payload was never present on disk in unencrypted form. Command-and-control communications were reported to use compromised servers, with server-side components often stored in WordPress theme or plugin directories. Published C2 indicators include coralsunmarine[.]com (23.111.133[.]162), kazitradebd[.]com (104.21.80[.]1), and oldlinewoodwork[.]com (70.32.24[.]131).
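As an added example (not code from Mallory or from the cited reports), the following Python script refangs the three C2 indicators quoted above and sweeps them against constructed proxy log lines. The log format (timestamp, client IP, method, URL, destination IP) and every host other than the page's own indicators are assumptions for the demonstration. Domain hits, including subdomains, are rated higher than bare IP hits, because the reports describe C2 on compromised legitimate servers, so a destination IP on shared hosting can be reused by unrelated sites.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged C2 indicators exactly as published on the page (domain followed by IP).
PAGE_C2_INDICATORS = [
    "coralsunmarine[.]com (23.111.133[.]162)",
    "kazitradebd[.]com (104.21.80[.]1)",
    "oldlinewoodwork[.]com (70.32.24[.]131)",
]

# Constructed proxy log lines for the demonstration (not real telemetry).
# Format assumed: <timestamp> <client ip> <method> <url> <destination ip>
SAMPLE_PROXY_LOG = """\
2025-03-04T09:12:01Z 10.0.5.23 GET https://www.example.org/index.html 93.184.216.34
2025-03-04T09:12:07Z 10.0.5.23 POST https://coralsunmarine.com/wp-content/themes/sample/post.php 23.111.133.162
2025-03-04T09:13:40Z 10.0.7.8 GET https://cdn.kazitradebd.com/wp-content/plugins/sample/ 104.21.80.1
2025-03-04T09:14:02Z 10.0.9.1 GET https://intranet.corp.local/ 10.0.0.5
2025-03-04T09:15:55Z 10.0.5.23 GET https://unrelated.net/ 70.32.24.131
"""


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_indicators(entries):
    """Split 'domain[.]tld (ip)' entries into a set of domains and a set of IPs."""
    domains, ips = set(), set()
    for entry in entries:
        m = re.match(r"\s*(\S+?)\s*\(([^)]+)\)", entry)
        if not m:
            continue
        domain = refang(m.group(1)).lower().rstrip(".")
        ip = refang(m.group(2)).strip()
        ipaddress.ip_address(ip)  # raises ValueError if the published IP is malformed
        domains.add(domain)
        ips.add(ip)
    return domains, ips


def domain_matches(host, domains):
    """Return the indicator domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(log_text, domains, ips):
    """Return one hit record per log line whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, dst_ip = parts
        parsed = urlsplit(url)
        host = parsed.hostname or ""
        d = domain_matches(host, domains)
        ip = dst_ip if dst_ip in ips else None
        if d is None and ip is None:
            continue
        hits.append({
            "timestamp": ts,
            "client": client,
            "method": method,
            "host": host,
            "path": parsed.path,
            "domain": d,
            "ip": ip,
            # A domain hit is stronger evidence than a shared-hosting IP alone;
            # a WordPress content path matches the reported C2 hosting pattern.
            "confidence": "high" if d else "medium",
            "wordpress_path": "/wp-content/" in parsed.path,
        })
    return hits


if __name__ == "__main__":
    doms, addrs = parse_indicators(PAGE_C2_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, doms, addrs):
        print(hit)
```

A real deployment would feed this the same indicator list from a feed and the proxy or DNS logs of the environment; the point of the confidence field is that an IP-only hit on a compromised, otherwise legitimate host is a lead to triage, while a domain hit with a WordPress theme or plugin path lines up with the hosting pattern the reports describe.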


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Lazarus

Lazarus Group’s New ScoringMathTea RAT Uses Reflective Plugin Loader and Custom Polyalphabetic Crypto for Espionage

Source: security online (infosecurityonline.info)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195.002 Compromise Software Supply Chain (evidence: 1)

"trojanizing open-source projects from GitHub... consider these attacks to be a new wave of the Operation DreamJob campaign"

Execution

1 technique
T1574.001 DLL (evidence: 1)

"introduction of new libraries designed for DLL proxying"

Stealth

1 technique
T1574.001 DLL (evidence: 1)

"introduction of new libraries designed for DLL proxying"
