
ScoringMathTea RAT final-stage activity

Malware Activity
Happening score
H score 28
1 unique sources, 1 articles

Summary

The ScoringMathTea RAT now appears as the final-stage payload in a Lazarus infection chain, giving attackers remote access and C2-driven control over victim systems. The malware maintains communication with command-and-control infrastructure and waits for instructions, which makes the payload an active operator-controlled foothold rather than a passive artifact. The chain also uses trojanized open-source applications or plugins and DLL sideloading to deliver the payload.

Related Happenings

MgBot backdoor delivery and injection via secondary loader

Malware Activity
First: 26.12.2025 16:44 Last: 26.12.2025 16:44 Sources 1

About this happening: The **MgBot** backdoor was delivered through a **secondary loader** and injected into **svchost.exe**, giving operators a stealthy foothold on infected systems. The payload suppor...

Timeline

  1. 23.10.2025 15:38 2 articles · 7mo ago

    ScoringMathTea RAT final-stage foothold in Lazarus Operation DreamJob chain

    Technical Analysis Update

    ESET describes Lazarus’s Operation DreamJob activity against European defense companies tied to UAV technology. Victims launched trojanized open-source applications or plugins, and DLL sideloading loaded a decrypted payload into memory before the ScoringMathTea RAT established C2 communication and awaited instructions. An alternate infection chain used BinMergeLoader (MISTPEN) to abuse the Microsoft Graph API and tokens for additional payload retrieval. The latest ScoringMathTea RAT version supports 40 commands.
