Lazarus Group's ScoringMathTea RAT

    Date: 12/02/2025

    Severity: High

    Summary

    ScoringMathTea is a newly uncovered C++ Remote Access Trojan used by North Korea’s Lazarus Group in a fresh phase of Operation DreamJob, targeting defense contractors supporting Ukraine to steal sensitive UAV technology. The RAT is notable for its extensive runtime evasion methods—such as stack strings, custom polyalphabetic decryption, API hashing, PEB walking, and reflective DLL injection—making it highly difficult to detect and analyze.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("f9a9c1a13ed74aebca0652b102755833fc084e221d731b5e7ae76ff136f85864","083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120","C39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012","503b3ece42f540409bcb2f0abc7584e557a0d120b7ba9854b4548496b2546d34","98d1a10521a4dd968d75e2860e523311b5851737795c84943c380870794c851a")
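    As an added example (not Gurucul's code), a small Python evaluator that parses the same IN-list and runs it over constructed sample events. It lowercases both the IOC values and the event field because the third hash in the list is written with an uppercase leading character, which a case-sensitive string comparison would silently miss.

```python
import re

# Detection query as published in the advisory (third value has an uppercase 'C').
GURUCUL_QUERY = (
    'sha256hash IN ("f9a9c1a13ed74aebca0652b102755833fc084e221d731b5e7ae76ff136f85864",'
    '"083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120",'
    '"C39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012",'
    '"503b3ece42f540409bcb2f0abc7584e557a0d120b7ba9854b4548496b2546d34",'
    '"98d1a10521a4dd968d75e2860e523311b5851737795c84943c380870794c851a")'
)

_IN_QUERY = re.compile(r'^\s*(\w+)\s+IN\s*\((.*)\)\s*$', re.DOTALL)
_SHA256 = re.compile(r'^[0-9a-f]{64}$')


def parse_in_query(query):
    """Return (field, set of lowercase values) from a `field IN ("a","b")` clause."""
    m = _IN_QUERY.match(query)
    if not m:
        raise ValueError("not a simple IN query")
    field, body = m.group(1), m.group(2)
    values = {v.strip().strip('"').lower() for v in body.split(",")}
    bad = sorted(v for v in values if not _SHA256.match(v))
    if bad:
        raise ValueError(f"values that are not SHA-256 hex digests: {bad}")
    return field, values


def match_events(query, events):
    """Return the events whose field value (in any letter case) is in the IOC set."""
    field, iocs = parse_in_query(query)
    return [e for e in events if str(e.get(field, "")).lower() in iocs]


# Constructed sample telemetry (not real events): one lowercase hit, one benign
# placeholder digest, one hit reported in uppercase by the sensor.
SAMPLE_EVENTS = [
    {"host": "ws01", "sha256hash": "c39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012"},
    {"host": "ws02", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"host": "ws03", "sha256hash": "98D1A10521A4DD968D75E2860E523311B5851737795C84943C380870794C851A"},
]

if __name__ == "__main__":
    for hit in match_events(GURUCUL_QUERY, SAMPLE_EVENTS):
        print("IOC match on host", hit["host"])
```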

    Reference: https://blog.polyswarm.io/lazarus-groups-scoringmathtea-rat


    Tags

    Malware, Threat Actor, Lazarus Group, North Korea, RAT, ScoringMathTea, Ukraine, Defense Industrial Base
