SYMBOLCOMMON_NAMEaka. SYNONYMS
win.scoring_math_tea (Back to overview)

ScoringMathTea

Actor(s): Lazarus Group

According to ESET Research, ScoringMathTea is a RAT that offers the attackers full control over the compromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus’ Operation DreamJob campaigns, which makes it the attacker’s payload of choice for already three years. It uses compromised servers for C&C communication, with the server part usually stored under the WordPress folder containing design templates or plugins.

References
2025-10-23ESET ResearchAlexis Rapin, Peter Kálnai
Gotta fly: Lazarus targets the UAV sector
QuanPinLoader ScoringMathTea

There is no Yara-Signature yet.