APT / THREAT GROUP

ScoringMathTea

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to ESET Research, ScoringMathTea is a RAT that gives the attackers full control over the compromised machine. It first appeared in late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and it has since been used in multiple attacks attributed to Lazarus' Operation DreamJob campaigns, making it the attackers' payload of choice for three years now. It uses compromised servers for C&C communication, with the server-side component usually stored under the WordPress folder containing design templates or plugins.

Threat Analysis

ScoringMathTea is tracked here as a threat actor of known sophistication and undetermined national origin, engaged in cyber operations, with its primary motivation listed as unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.scoring_math_tea
ScoringMathTea

External Intelligence

Malpedia: win.scoring_math_tea

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.