APT / THREAT GROUP
ScoringMathTea
2
aliases
Last seen:Mar 17, 2026
Intelligence Profile
According to ESET Research, ScoringMathTea is a RAT that offers the attackers full control over the compromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus’ Operation DreamJob campaigns, which makes it the attacker’s payload of choice for already three years. It uses compromised servers for C&C communication, with the server part usually stored under the WordPress folder containing design templates or plugins.
Threat Analysis
ScoringMathTea is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
External References
Quick Facts
TypeAPT / Threat Group
Aliases2
Also Known As
win.scoring_math_teaScoringMathTea
External Intelligence
Malpedia: win.scoring_math_teaResearch Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.