Nation-State Actor’s Arsenal: An In-Depth Look at Lazarus’ ScoringMathTea
Contents
In October 2025, the ESET Research Team published an excellent article about the identification of a new instance of the Operation DreamJob cyberespionage campaign, conducted by the Lazarus APT Group, aligned with the North Korean government. This instance was identified by ESET as Gotta Fly, as it was determined that Lazarus was directing cyberattacks with an espionage focus to steal know-how related to the production of Unmanned Aerial Vehicles from companies that are providing such technology to Ukraine. In the same article, the ESET Research Team provided information on the identification of two kill chains, both of which implement ScoringMathTea. Below, you can see an image taken from the ESET post, showing the identified execution chains.
ScoringMathTea is a RAT (Remote Access Trojan) in C++, developed and operated by Lazarus, which provides operators with all the necessary capabilities that a good RAT can offer, including remote command execution, loading and execution …
ScoringMathTea is a RAT (Remote Access Trojan) in C++, developed and operated by Lazarus, which provides operators with all the necessary capabilities that a good RAT can offer, including remote command execution, loading and execution …