{"id":207,"date":"2026-03-18T04:56:17","date_gmt":"2026-03-18T04:56:17","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/18\/lazarus-targets-the-uav-sector\/"},"modified":"2026-03-18T04:56:17","modified_gmt":"2026-03-18T04:56:17","slug":"lazarus-targets-the-uav-sector","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/18\/lazarus-targets-the-uav-sector\/","title":{"rendered":"Lazarus targets the UAV sector"},"content":{"rendered":"<div>\n<p>ESET researchers have recently observed a new instance of Operation DreamJob \u2013 a campaign that we track under the umbrella of North Korea-aligned Lazarus \u2013 in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea\u2019s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>Lazarus attacks against companies developing UAV technology align with recently reported developments in the North Korean drone program.<\/li>\n<li>The suspected primary goal of the attackers was likely the theft of proprietary information and manufacturing know-how.<\/li>\n<li>Based on the social-engineering technique used for initial access, trojanizing open-source projects from GitHub, and the deployment of ScoringMathTea, we consider these attacks to be a new wave of the Operation DreamJob campaign.<\/li>\n<li>The group\u2019s most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Profile of Lazarus and its Operation DreamJob<\/h2>\n<p>The Lazarus 
group (also known as HIDDEN COBRA) is an APT group <a href=\"https:\/\/attack.mitre.org\/groups\/G0032\/\" target=\"_blank\" rel=\"noopener\">linked to North Korea<\/a> that has been active since at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.<\/p>\n<p>Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the \u201cdream job\u201d lure). This name was coined in a 2020 <a href=\"https:\/\/www.clearskysec.com\/operation-dream-job\/\">blogpost<\/a> by <a href=\"https:\/\/www.clearskysec.com\/operation-dream-job\/\" target=\"_blank\" rel=\"noopener\">ClearSky<\/a>, and overlaps with campaigns like <a href=\"https:\/\/securelist.com\/the-lazarus-group-deathnote-campaign\/109490\/\" target=\"_blank\" rel=\"noopener\">DeathNote<\/a> or <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-north-star-a-job-offer-thats-too-good-to-be-true\/\" target=\"_blank\" rel=\"noopener\">Operation North Star<\/a>. Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies and the media and entertainment sector. 
In these campaigns, the attackers usually deploy trojanized open-source plugins for software like Notepad++ and WinMerge that serve as droppers and loaders, and payloads like <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.imprudentcook\" target=\"_blank\" rel=\"noopener\">ImprudentCook<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.forest_tiger\" target=\"_blank\" rel=\"noopener\">ScoringMathTea<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.blindingcan\" target=\"_blank\" rel=\"noopener\">BlindingCan<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.miniblindingcan\" target=\"_blank\" rel=\"noopener\">miniBlindingCan<\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.lightlesscan\" target=\"_blank\" rel=\"noopener\">LightlessCan<\/a> for Windows, and <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.simpletea\" target=\"_blank\" rel=\"noopener\">SimplexTea<\/a> for Linux. The primary goal is cyberespionage, focusing on stealing sensitive data, intellectual property, and proprietary information, and the secondary goal is financial gain.<\/p>\n<h2>Overview<\/h2>\n<p>Starting in late March 2025, we observed in ESET telemetry cyberattacks reminiscent of Operation DreamJob campaigns. The in-the-wild attacks successively targeted three European companies active in the defense sector. Although their activities are somewhat diverse, these entities can be described as:<\/p>\n<ul>\n<li>a metal engineering company (Southeastern Europe),<\/li>\n<li>a manufacturer of aircraft components (Central Europe), and<\/li>\n<li>a defense company (Central Europe).<\/li>\n<\/ul>\n<p>All cases involved droppers that have the interesting internal DLL name, <span style=\"font-family: courier new, courier, monospace;\">DroneEXEHijackingLoader.dll<\/span>, which led us down the drone segment rabbit hole. 
Also, initial access was likely achieved via social engineering \u2013 an Operation DreamJob specialty. The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it.<\/p>\n<p>The main payload deployed to the targets was ScoringMathTea, a RAT that offers the attackers full control over the compromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus\u2019 Operation DreamJob campaigns, which makes it the attacker\u2019s payload of choice for already three years. It uses compromised servers for C&amp;C communication, with the server part usually stored under the WordPress folder containing design templates or plugins.<\/p>\n<p>In summary, we attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to Operation DreamJob, based on the following:<\/p>\n<ul>\n<li>Initial access was obtained by social engineering, convincing the target to execute malware disguised as a job description, in order to succeed in a hiring process.<\/li>\n<li>Trojanizing open-source projects and then crafting their exports to fit the DLL side-loading seems to be an approach specific to Operation DreamJob.<\/li>\n<li>The flagship payload for later stages, <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2023\/papers\/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf\" target=\"_blank\" rel=\"noopener\">ScoringMathTea<\/a>, was used in multiple similar attacks in the past.<\/li>\n<li>The targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob (aerospace, defense, engineering).<\/li>\n<\/ul>\n<h2>Geopolitical context<\/h2>\n<p>The three targeted organizations manufacture different types of military equipment (or parts thereof), 
many of which are currently deployed in Ukraine as a result of European countries\u2019 military assistance. At the time of Operation DreamJob\u2019s observed activity, North Korean soldiers were <a href=\"https:\/\/www.reuters.com\/world\/north-korea-confirms-troop-deployment-russia-first-time-kcna-report-2025-04-27\/\">deployed in Russia<\/a>, reportedly to help Moscow repel Ukraine\u2019s offensive in the Kursk oblast. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war.<\/p>\n<p>More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. In any case, there is no indication that the targeted companies supply military equipment to the South Korean armed forces \u2013 which could have been another element explaining Operation DreamJob\u2019s interest in these companies. Interestingly, however, at least two of these organizations are clearly involved in the development of UAV technology, with one manufacturing critical drone components and the other reportedly engaged in the design of UAV-related software.<\/p>\n<p>The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is <a href=\"https:\/\/www.nytimes.com\/2024\/11\/15\/world\/asia\/north-korea-drones.html\" target=\"_blank\" rel=\"noopener\">investing heavily<\/a> in domestic drone manufacturing capabilities. 
Although this endeavor can be traced back to <a href=\"https:\/\/www.38north.org\/2014\/07\/jbermudez070114\/\" target=\"_blank\" rel=\"noopener\">more than a decade ago<\/a>, many observers posit that North Korea\u2019s recent experience of modern warfare in the Russia-Ukraine war has only <a href=\"https:\/\/www.businessinsider.com\/what-north-korea-learning-fighting-with-russia-against-ukraine-drones-2025-4\" target=\"_blank\" rel=\"noopener\">reinforced<\/a> Pyongyang\u2019s resolution with regard to its drone program. The North Korean regime is now reportedly receiving <a href=\"https:\/\/www.nknews.org\/2025\/06\/russia-is-helping-north-korea-produce-knockoff-iranian-attack-drones-kyiv-says\/\" target=\"_blank\" rel=\"noopener\">assistance from Russia<\/a> to produce its own version of the Iranian-made Shahed suicide drone and is also apparently working on low-cost attack UAVs that could be <a href=\"https:\/\/www.dailynk.com\/english\/untraceable-weapons-north-korea-prepares-export-drones-middle-east-africa\/\" target=\"_blank\" rel=\"noopener\">exported to African or Middle Eastern countries<\/a>.<\/p>\n<h3>Assessing the \u201cdrone connection\u201d<\/h3>\n<p>If one thing is clear, it is that North Korea has relied heavily on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. As <a href=\"https:\/\/www.38north.org\/2025\/09\/current-status-of-north-koreas-drone-program\/\" target=\"_blank\" rel=\"noopener\">recent open-source reports<\/a> illustrate, North Korea\u2019s current flagship reconnaissance drone, the Saetbyol\u20114, looks like a <a href=\"https:\/\/defence-blog.com\/north-korea-reveals-clone-of-u-s-spy-drone\/\" target=\"_blank\" rel=\"noopener\">carbon copy<\/a> of the Northrop Grumman RQ\u20114 Global Hawk, while its multipurpose combat drone, the Saetbyol\u20119, bears a striking resemblance to General Atomics\u2019 MQ\u20119 Reaper. 
The fact that both designations replicate the number associated with their US equivalent might even be a <a href=\"https:\/\/www.iiss.org\/online-analysis\/military-balance\/2023\/08\/north-korea-plays-an-imitation-game-with-new-uavs\/\" target=\"_blank\" rel=\"noopener\">not-so-subtle nod<\/a> to that effect. Although these aircraft\u2019s performance may well differ from that of their US counterparts, there is little doubt that the latter served as a strong inspiration for North Korea\u2019s designs.<\/p>\n<p>This is probably where cybercapabilities enter the fray. While other intelligence resources were likely mobilized by Pyongyang to help copy Western UAVs, there are indications that cyberespionage may have played a role. In recent years, multiple <a href=\"https:\/\/www.justice.gov\/archives\/opa\/pr\/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and\" target=\"_blank\" rel=\"noopener\">campaigns<\/a> affecting the aerospace sector (including <a href=\"https:\/\/www.ic3.gov\/CSA\/2024\/240725.pdf\" target=\"_blank\" rel=\"noopener\">UAV technology specifically<\/a>) have been attributed to North Korea-aligned APT groups, with <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-north-star-a-job-offer-thats-too-good-to-be-true\/\">Operation North Star<\/a> (a campaign presenting some overlap with Operation DreamJob) being one of them. In 2020, ESET researchers documented a similar campaign, which we then named <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/06\/ESET_Operation_Interception.pdf\" target=\"_blank\" rel=\"noopener\">Operation In(ter)ception<\/a> and later attributed to Lazarus with high confidence. 
As several groups related to Lazarus have been formally linked to North Korean intelligence services by <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sm774\" target=\"_blank\" rel=\"noopener\">US authorities<\/a> and <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-207a\" target=\"_blank\" rel=\"noopener\">others<\/a>, these precedents strongly suggest that cyberespionage is likely one of the tools leveraged by the regime for reverse engineering Western UAVs \u2013 and that groups operating under the broad Lazarus umbrella are taking an active part in this effort.<\/p>\n<p>In this context, we believe that it is likely that Operation DreamJob was \u2013 at least partially \u2013 aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The <span style=\"font-family: courier new, courier, monospace;\">Drone<\/span> mention observed in one of the droppers significantly reinforces this hypothesis.<\/p>\n<p>To be clear, we can only hypothesize as to the specific kind of information that Operation DreamJob was after. However, we have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the frontline. This entity is also involved in the supply chain of advanced single-rotor drones (i.e., unmanned helicopters), a type of aircraft that Pyongyang is <a href=\"https:\/\/www.nknews.org\/2024\/01\/kim-jong-un-inspects-agricultural-drones-tractors-at-farm-machine-expo\/\" target=\"_blank\" rel=\"noopener\">actively developing<\/a> but has not proved able to militarize so far. These may be some of the potential motivations behind Operation DreamJob\u2019s observed activities. 
More generally, as North Korea is reportedly in the process of <a href=\"https:\/\/www.nknews.org\/pro\/new-construction-underway-near-north-korean-aircraft-factories-amid-drone-push\/\" target=\"_blank\" rel=\"noopener\">building a factory<\/a> for mass-producing UAVs, it might also be looking for privileged knowledge regarding UAV-related industrial processes and manufacturing techniques.<\/p>\n<h2>Toolset<\/h2>\n<p>Reports from <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc2970-backdoor-trojanized-pdf-reader?hl=en\" target=\"_blank\" rel=\"noopener\">Google\u2019s Mandiant<\/a> in September 2024 and from <a href=\"https:\/\/securelist.com\/lazarus-new-malware\/115059\/\" target=\"_blank\" rel=\"noopener\">Kaspersky<\/a> in December 2024 describe tools used by Lazarus in its Operation DreamJob in 2024. In this section, we mention the tools to which the group shifted in Operation DreamJob in 2025. Based on their position in the execution chain, we distinguish two types of tools: early stages that consist of various droppers, loaders, and downloaders; and the main stages that represent payloads like RATs and complex downloaders that give the attackers sufficient control over the compromised machine.<\/p>\n<p>Besides the in-the-wild cases seen in ESET telemetry, the activity of the attackers also manifested as VirusTotal submissions occurring at the same time. A trojanized MuPDF reader, QuanPinLoader, a loader disguised as a Microsoft DirectInput library (<span style=\"font-family: courier new, courier, monospace;\">dinput.dll<\/span>), and a variant of ScoringMathTea were submitted from Italy in April and June 2025; BinMergeLoader was submitted in August 2025 from Spain.<\/p>\n<h3>Droppers, loaders, and downloaders<\/h3>\n<p>Generally, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes these tools and allows them to become detected. 
As a countermeasure, the group\u2019s tools are preceded in the execution chain by a series of droppers, loaders, and simple downloaders. Typically, the loaders used look for the next stage on the file system or in the registry, decrypt it using AES-128 or ChaCha20, and manually load it in memory via the routines implemented in the <a href=\"https:\/\/github.com\/fancycode\/MemoryModule\" target=\"_blank\" rel=\"noopener\">MemoryModule<\/a> library; a dropper is basically a loader but contains the next stage embedded in its body. The main payload, ScoringMathTea in all cases observed, is never present on the disk in unencrypted form. Example execution chains are seen in Figure 1. In some cases, the attackers also deployed a complex downloader that we call BinMergeLoader, which is similar to the MISTPEN malware reported by <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc2970-backdoor-trojanized-pdf-reader?hl=en\" target=\"_blank\" rel=\"noopener\">Google\u2019s Mandiant<\/a>. BinMergeLoader leverages the Microsoft Graph API and uses Microsoft API tokens for authentication.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/10-25\/lazarus-targets-uav-sector\/figure-1.png\" alt=\"Figure 1. Examples of 2025 Operation DreamJob execution chains\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea<\/em><\/figcaption><\/figure>\n<p>The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub. The choice of project varies from one attack to another. 
In 2025, we observed the following malware:<\/p>\n<ul>\n<li>Trojanized TightVNC Viewer and MuPDF reader that serve as downloaders.<\/li>\n<li>A trojanized end-of-life <a href=\"https:\/\/github.com\/nektro\/pcre-8.45\" target=\"_blank\" rel=\"noopener\">libpcre v8.45<\/a> library for Windows, serving as a loader.<\/li>\n<li>A loader that has the Mandarin Chinese symbol \u6837 (y\u00e0ng in the Pinyin transliteration) as an icon in the resources. It also contains the string <span style=\"font-family: courier new, courier, monospace;\">SampleIMESimplifiedQuanPin.txt<\/span>, which suggests that it is probably based on the open-source project <a href=\"https:\/\/github.com\/fanlumaster\/MicrosoftSampleIME\">Sample IME<\/a>, a TSF-based input method editor demo. We call this QuanPinLoader.<\/li>\n<li>Loaders built from the open-source project <a href=\"https:\/\/github.com\/elishacloud\/DirectX-Wrappers\" target=\"_blank\" rel=\"noopener\">DirectX Wrappers<\/a>.<\/li>\n<li>Downloaders built from open-source plugins for WinMerge (<a href=\"https:\/\/github.com\/WinMerge\/winmerge\/tree\/master\/Plugins\/src_VCPP\/DisplayBinaryFiles\">DisplayBinaryFiles<\/a> and <a href=\"https:\/\/github.com\/WinMerge\/winmerge\/tree\/master\/Plugins\/src_VCPP\/HideFirstLetter\" target=\"_blank\" rel=\"noopener\">HideFirstLetter<\/a>). We call the two trojanized plugins BinMergeLoader.<\/li>\n<li>Trojanized open-source plugins for Notepad++, specifically a downloader very similar to BinMergeLoader (<a href=\"https:\/\/github.com\/mackwai\/NPPHexEditor\" target=\"_blank\" rel=\"noopener\">NPPHexEditor<\/a> v10.0.0 by MacKenzie Cumings) and a dropper of an unknown payload (<a href=\"https:\/\/github.com\/pnedev\/comparePlus\/releases\/tag\/cp_1.1.0\" target=\"_blank\" rel=\"noopener\">ComparePlus<\/a> v1.1.0 by Pavel Nedev). 
The latter binary contains the PDB path <span style=\"font-family: courier new, courier, monospace;\">E:\\Work\\Troy\\\uc548\uc815\ud654\\wksprt\\comparePlus-master\\Notepad++\\plugins\\ComparePlus\\ComparePlus.pdb<\/span>, which suggests the origin of the project (<span style=\"font-family: courier new, courier, monospace;\">comparePlus-master<\/span>) and its intended legitimate parent process (<span style=\"font-family: courier new, courier, monospace;\">wksprt<\/span>). Also, \uc548\uc815\ud654 means stable in Korean, which indicates that the code was likely properly tested and reliable.<\/li>\n<\/ul>\n<p>One of the droppers (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4<\/span>) has the internal DLL name <span style=\"font-family: courier new, courier, monospace;\">DroneEXEHijackingLoader.dll<\/span> and is disguised as a Windows Web Services Runtime library in order to be successfully side-loaded; see Figure 2. We believe that the substring <span style=\"font-family: courier new, courier, monospace;\">drone<\/span> is there to designate both a UAV device and the attacker\u2019s internal campaign name.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. A dropper with a suspicious internal name and exports from a legitimate Microsoft library\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/10-25\/lazarus-targets-uav-sector\/figure-2.png\" alt=\"Figure 2. A dropper with a suspicious internal name and exports from a legitimate Microsoft library\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. 
A dropper with a suspicious internal name and exports from a legitimate Microsoft library<\/em><\/figcaption><\/figure>\n<p>Table 1 shows a typical combination of legitimate executable files (EXEs) and malicious dynamic link libraries (DLLs) delivered to the victim\u2019s system (this is analogous to Table 1 in our blogpost on an attack against a Spanish aerospace company in 2023). The DLLs in the third column are either trojanized open-source applications (see the fourth column for the underlying project) or a standalone malware binary without such benign context, with a legitimate EXE side-loading it. The location folder (the first column) is unusual for such legitimate applications. Malicious DLLs use the DLL proxying technique, in order not to break the execution. Therefore, when a DLL is also a trojanized project, it contains two heterogeneous types of exports: first the set of functions required for DLL proxying, and second the set of functions exported from the open-source project.<\/p>\n<p style=\"break-after: avoid; text-align: center;\"><em>Table 1. 
Summary of binaries involved in the attack<\/em><\/p>\n<table style=\"height: 392px;\" border=\"1\" width=\"643\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"246\"><strong>Location folder<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"131\"><strong>Legitimate parent process<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"142\"><strong>Malicious side-loaded DLL<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"123\"><strong>Trojanized project<br \/>(payload)<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"246\">N\/A<\/td>\n<td style=\"height: 86px;\" width=\"131\"><span style=\"font-family: courier new, courier, monospace;\">wksprt.exe*<\/span><\/td>\n<td style=\"height: 86px;\" width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">webservices<wbr\/>.dll*<\/span><\/td>\n<td style=\"height: 86px;\" width=\"123\">ComparePlus\u00a0v1.1.0\u00a0(N\/A)<\/td>\n<\/tr>\n<tr style=\"height: 84px;\">\n<td style=\"height: 84px;\" width=\"246\">\n<p><span style=\"font-family: courier new, courier, monospace;\">%ALLUSERSPROFILE%\\EMC\\<\/span><\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">%ALLUSERSPROFILE%\\Adobe\\<\/span><\/p>\n<\/td>\n<td style=\"height: 84px;\" width=\"131\"><span style=\"font-family: courier new, courier, monospace;\">wksprt.exe<\/span><\/td>\n<td style=\"height: 84px;\" width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">webservices<wbr\/>.dll<\/span><\/td>\n<td style=\"height: 84px;\" width=\"123\">Standalone<br \/>(ScoringMathTea)<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"246\"><span style=\"font-family: courier new, courier, monospace;\">%ALLUSERSPROFILE%\\<\/span><\/td>\n<td style=\"height: 86px;\" width=\"131\"><span style=\"font-family: courier new, courier, 
monospace;\">wkspbroker.exe<\/span><\/td>\n<td style=\"height: 86px;\" width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">radcui.dll<\/span><\/td>\n<td style=\"height: 86px;\" width=\"123\">DirectX wrappers <span style=\"font-family: courier new, courier, monospace;\">d3d8.dll\/ddraw.dll<\/span><br \/>(ScoringMathTea)<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"246\"><span style=\"font-family: courier new, courier, monospace;\">%APPDATA%\\Microsoft\\RemoteApp\\<\/span><\/td>\n<td style=\"height: 68px;\" width=\"131\"><span style=\"font-family: courier new, courier, monospace;\">wkspbroker.exe<\/span><\/td>\n<td style=\"height: 68px;\" width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">radcui.dll<\/span><\/td>\n<td style=\"height: 68px;\" width=\"123\">Standalone<br \/>(BinMergeLoader)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"font-size: 80%;\">* Denotes a VirusTotal submission and its likely parent process. The payload is unknown, since a long command-line argument is required for its decryption from the trojanized project.<\/p>\n<h3>ScoringMathTea<\/h3>\n<p>ScoringMathTea is a complex RAT that supports around 40 commands. Its name is a combination of the root ScoringMath, taken from a C&amp;C domain used by an early variant (<span style=\"font-family: courier new, courier, monospace;\">www.scoringmnmathleague[.]org<\/span>), and the suffix -Tea, which is ESET Research\u2019s designation for a North Korea-aligned payload. 
It was first publicly documented by <a href=\"https:\/\/securelist.com\/the-lazarus-group-deathnote-campaign\/109490\/\" target=\"_blank\" rel=\"noopener\">Kaspersky<\/a> in April 2023 and later by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/10\/18\/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability\/\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a> in October 2023 under the name ForestTiger, which follows the internal DLL name or the PDB information found in some samples.<\/p>\n<p>Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim\u2019s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&amp;C server. The current version does not show any dramatic changes in its feature set or its command parsing. So the payload is probably receiving continuous, rather minor improvements and bug fixes.<\/p>\n<p>Regarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It seems that it is one of the flagship payloads for Operation DreamJob campaigns, even though Lazarus has more sophisticated payloads like LightlessCan at its disposal.<\/p>\n<h2>Conclusion<\/h2>\n<p>For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications. 
This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group\u2019s identity and obscure the attribution process. Also, even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors \u2013 technology, engineering, and defense \u2013 is insufficient to handle the potential risks of a suspicious hiring process.<\/p>\n<p>Although alternative hypotheses are conceivable, there are good reasons to think that this Operation DreamJob campaign was in no small part intended to collect sensitive information on UAV-related technology. Considering North Korea\u2019s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=gotta-fly-lazarus-targets-uav-sector&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/nukesped_lazarus\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<h3><span style=\"font-size: medium; font-weight: 400;\"><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"142\"><strong>Filename<\/strong><\/td>\n<td width=\"141\"><strong>Detection<\/strong><\/td>\n<td width=\"180\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">28978E987BC59E75CA22<wbr\/>562924EAB93355CF679E<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">TSMSISrv.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TL<\/td>\n<td width=\"180\">QuanPinLoader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5E5BBA521F0034D342CC<wbr\/>26DB8BCFECE57DBD4616<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">libmupdf.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TE<\/td>\n<td width=\"180\">A loader disguised as a MuPDF rendering library v3.3.3.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B12EEB595FEEC2CFBF9A<wbr\/>60E1CC21A14CE8873539<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: 
courier new, courier, monospace;\">radcui.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TO<\/td>\n<td width=\"180\">A dropper disguised as a RemoteApp and Desktop Connection UI Component library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">26AA2643B07C48CB6943<wbr\/>150ADE541580279E8E0E<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">HideFirstLetter<wbr\/>.DLL<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TO<\/td>\n<td width=\"180\">BinMergeLoader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">0CB73D70FD4132A4FF54<wbr\/>93DAA84AAE839F6329D5<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">libpcre.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TP<\/td>\n<td width=\"180\">A loader that is a trojanized libpcre library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">03D9B8F0FCF9173D2964<wbr\/>CE7173D21E681DFA8DA4<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">webservices.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.RN<\/td>\n<td width=\"180\">A dropper disguised as a Microsoft Web Services Runtime library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">71D0DDB7C6CAC4BA2BDE<wbr\/>679941FA92A31FBEC1FF<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td width=\"141\">Win64\/NukeSped.RN<\/td>\n<td width=\"180\">ScoringMathTea.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">87B2DF764455164C6982<wbr\/>BA9700F27EA34D3565DF<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">webservices.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.RW<\/td>\n<td width=\"180\">A dropper disguised as a Microsoft Web 
Services Runtime library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">E670C4275EC24D403E0D<wbr\/>4DE7135CBCF1D54FF09C<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td width=\"141\">Win64\/NukeSped.RW<\/td>\n<td width=\"180\">ScoringMathTea.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B6D8D8F5E0864F5DA788<wbr\/>F96BE085ABECF3581CCE<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">radcui.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TF<\/td>\n<td width=\"180\">A loader disguised as a RemoteApp and Desktop Connection UI Component library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5B85DD485FD516AA1F44<wbr\/>12801897A40A9BE31837<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">RCX1A07.tmp<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TH<\/td>\n<td width=\"180\">A loader of an encrypted ScoringMathTea.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B68C49841DC48E367203<wbr\/>1795D85ED24F9F619782<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">TSMSISrv.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.TL<\/td>\n<td width=\"180\">QuanPinLoader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">AC16B1BAEDE349E48243<wbr\/>35E0993533BF5FC116B3<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">cache.dat<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.QK<\/td>\n<td width=\"180\">A decrypted ScoringMathTea RAT.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">2AA341B03FAC3054C576<wbr\/>40122EA849BC0C2B6AF6<\/span><\/td>\n<td width=\"142\"><span 
style=\"font-family: courier new, courier, monospace;\">msadomr.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.SP<\/td>\n<td width=\"180\">A loader disguised as a Microsoft DirectInput library.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">CB7834BE7DE07F893520<wbr\/>80654F7FEB574B42A2B8<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">ComparePlus.dll<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.SJ<\/td>\n<td width=\"180\">A trojanized Notepad++ plugin disguised as a Microsoft Web Services Runtime library. A dropper from VirusTotal.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">262B4ED6AC6A977135DE<wbr\/>CA5B0872B7D6D676083A<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">tzautosync.dat<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.RW<\/td>\n<td width=\"180\">A decrypted ScoringMathTea, stored encrypted on the disk.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">086816466D9D9C12FCAD<wbr\/>A1C872B8C0FF0A5FC611<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td width=\"141\">Win64\/NukeSped.RN<\/td>\n<td width=\"180\">ScoringMathTea.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">2A2B20FDDD65BA28E7C5<wbr\/>7AC97A158C9F15A61B05<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">cache.dat<\/span><\/td>\n<td width=\"141\">Win64\/NukeSped.SN<\/td>\n<td width=\"180\">A downloader similar to BinMergeLoader built as a trojanized NPPHexEditor plugin.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/h3>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"145\"><strong>IP<\/strong><\/td>\n<td width=\"157\"><strong>Domain<\/strong><\/td>\n<td 
width=\"113\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First\u00a0seen\u00a0\u00a0\u00a0<\/strong><\/td>\n<td width=\"142\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">23.111.133[.]162<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">coralsunmarine[.]com<\/span><\/td>\n<td width=\"113\">HIVELOCITY, Inc.<\/td>\n<td width=\"85\">2024-06-06<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/coralsunmarine[.]com\/wp-content\/themes\/flatsome\/inc\/functions\/function-hand.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">104.21.80[.]1<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">kazitradebd[.]com<\/span><\/td>\n<td width=\"113\">Cloudflare, Inc.<\/td>\n<td width=\"85\">2025-01-11<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/kazitradebd[.]com\/wp-content\/themes\/hello-elementor\/includes\/customizer\/customizer-hand.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">70.32.24[.]131<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">oldlinewoodwork<wbr\/>[.]com<\/span><\/td>\n<td width=\"113\">A2 Hosting, Inc.<\/td>\n<td width=\"85\">2024-06-14<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/oldlinewoodwork[.]com\/wp-content\/themes\/zubin\/inc\/index.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">185.148.129[.]24<\/span><\/td>\n<td width=\"157\"><span 
style=\"font-family: courier new, courier, monospace;\">www.mnmathleague<wbr\/>[.]org<\/span><\/td>\n<td width=\"113\">A2 Hosting, Inc.<\/td>\n<td width=\"85\">2024-06-15<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.mnmathleague[.]org\/ckeditor\/adapters\/index.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">66.29.144[.]75<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">pierregems[.]com<\/span><\/td>\n<td width=\"113\">Namecheap, Inc.<\/td>\n<td width=\"85\">2024-08-11<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/pierregems[.]com\/wp-content\/themes\/woodmart\/inc\/configs\/js-hand.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">108.181.92[.]71<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">www.scgestor.com[.]br<\/span><\/td>\n<td width=\"113\">Psychz Networks<\/td>\n<td width=\"85\">2024-07-15<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server: <br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.scgestor.com[.]br\/wp-content\/themes\/vantage\/inc\/template-headers.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">104.247.162[.]67<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">galaterrace[.]com<\/span><\/td>\n<td width=\"113\">GNET Internet Telekomunikasyon A.S.<\/td>\n<td width=\"85\">2024-06-27<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server: <br \/><span style=\"font-family: courier new, courier, 
monospace;\">https:\/\/galaterrace[.]com\/wp-content\/themes\/hello-elementor\/includes\/functions.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">193.39.187[.]165<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">ecudecode[.]mx<\/span><\/td>\n<td width=\"113\">Heymman Servers Corporation<\/td>\n<td width=\"85\">2025-05-14<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/ecudecode[.]mx\/redsocial\/wp-content\/themes\/buddyx\/inc\/Customizer\/usercomp.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">172.67.193[.]139<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">www.anvil.org[.]ph<\/span><\/td>\n<td width=\"113\">Cloudflare, Inc.<\/td>\n<td width=\"85\">2025-02-22<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.anvil.org[.]ph\/list\/images\/index.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">77.55.252[.]111<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">partnerls[.]pl<\/span><\/td>\n<td width=\"113\">Nazwa.pl Sp.z.o.o.<\/td>\n<td width=\"85\">2025-06-02<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/partnerls.pl\/wp-content\/themes\/public\/index.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">45.148.29[.]122<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">trainingpharmacist<wbr\/>.co[.]uk<\/span><\/td>\n<td width=\"113\">Webdock.io ApS<\/td>\n<td 
width=\"85\">2024-06-13<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/trainingpharmacist.co.uk\/bootstrap\/bootstrap.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">75.102.23[.]3<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">mediostresbarbas<wbr\/>.com[.]ar<\/span><\/td>\n<td width=\"113\">DEFT.COM<\/td>\n<td width=\"85\">2024-06-05<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/mediostresbarbas.com[.]ar\/php_scrip\/banahosting\/index.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">152.42.239[.]211<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">www.bandarpowder<wbr\/>[.]com<\/span><\/td>\n<td width=\"113\">DigitalOcean, LLC<\/td>\n<td width=\"85\">2024-09-19<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.bandarpowder[.]com\/public\/assets\/buttons\/bootstrap.php<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"145\"><span style=\"font-family: courier new, courier, monospace;\">95.217.119[.]214<\/span><\/td>\n<td width=\"157\"><span style=\"font-family: courier new, courier, monospace;\">spaincaramoon<wbr\/>[.]com<\/span><\/td>\n<td width=\"113\">Hetzner Online GmbH<\/td>\n<td width=\"85\">2025-04-30<\/td>\n<td width=\"142\">ScoringMathTea C&amp;C server:<br \/><span style=\"font-family: courier new, courier, monospace;\">https:\/\/spaincaramoon[.]com\/realestate\/wp-content\/plugins\/gravityforms\/forward.php<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 
17<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong>Tactic<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong>ID<\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong>Name<\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong>Resource Development<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1584\/004\" target=\"_blank\" rel=\"noopener\">T1584.004<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Compromise Infrastructure: Server<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea uses compromised servers for C&amp;C.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/001\" target=\"_blank\" rel=\"noopener\">T1587.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Develop Capabilities: Malware<\/p>\n<\/td>\n<td width=\"265\">\n<p>All stages in the attack were likely developed by the attackers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong>Execution<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1106\" target=\"_blank\" rel=\"noopener\">T1106<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Native API<\/p>\n<\/td>\n<td width=\"265\">\n<p>Windows APIs are essential for ScoringMathTea to function and are resolved dynamically at runtime.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1129\" target=\"_blank\" rel=\"noopener\">T1129<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Shared Modules<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea is able to load a downloaded DLL with the exports <span style=\"font-family: courier new, courier, monospace;\">fun00<\/span> or <span 
style=\"font-family: courier new, courier, monospace;\">exportfun00<\/span>.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1204\/002\" target=\"_blank\" rel=\"noopener\">T1204.002<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>User Execution: Malicious File<\/p>\n<\/td>\n<td width=\"265\">\n<p>Lazarus attackers relied on the execution of trojanized PDF readers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Persistence<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1574\/002\" target=\"_blank\" rel=\"noopener\">T1574.002<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Hijack Execution Flow: DLL Side-Loading<\/p>\n<\/td>\n<td width=\"265\">\n<p>Trojanized droppers (<span style=\"font-family: courier new, courier, monospace;\">webservices.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">radcui.dll<\/span>) use legitimate programs (<span style=\"font-family: courier new, courier, monospace;\">wksprt.exe<\/span>, <span style=\"font-family: courier new, courier, monospace;\">wkspbroker.exe<\/span>) for their loading.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" width=\"113\">\n<p><strong>Defense Evasion<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1134\/002\" target=\"_blank\" rel=\"noopener\">T1134.002<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Access Token Manipulation: Create Process with Token<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea can create a new process in the security context of the user represented by a specified token.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1140\" target=\"_blank\" rel=\"noopener\">T1140<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Deobfuscate\/Decode Files or Information<\/p>\n<\/td>\n<td width=\"265\">\n<p>The main payload, 
ScoringMathTea, is always encrypted on the file system.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/007\" target=\"_blank\" rel=\"noopener\">T1027.007<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Obfuscated Files or Information: Dynamic API Resolution<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea resolves Windows APIs dynamically.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/009\" target=\"_blank\" rel=\"noopener\">T1027.009<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Obfuscated Files or Information: Embedded Payloads<\/p>\n<\/td>\n<td width=\"265\">\n<p>The droppers of all malicious chains contain an embedded data array with an additional stage.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1620\" target=\"_blank\" rel=\"noopener\">T1620<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Reflective Code Loading<\/p>\n<\/td>\n<td width=\"265\">\n<p>The droppers and loaders use reflective DLL injection.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1055\/\" target=\"_blank\" rel=\"noopener\">T1055<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Process Injection<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea and BinMergeLoader can reflectively load a DLL in the process specified by the PID.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong>Discovery<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1083\/\" target=\"_blank\" rel=\"noopener\">T1083<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>File and Directory Discovery<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea can locate a file by its name.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1057\/\" target=\"_blank\" rel=\"noopener\">T1057<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Process Discovery<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea can list all running processes.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1082\/\" target=\"_blank\" rel=\"noopener\">T1082<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>System Information Discovery<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea can mimic the <span style=\"font-family: courier new, courier, monospace;\">ver<\/span> command.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong>Command and Control<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\" target=\"_blank\" rel=\"noopener\">T1071.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Application Layer Protocol: Web Protocols<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea and BinMergeLoader use HTTP and HTTPS for C&amp;C.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1573\/001\" target=\"_blank\" rel=\"noopener\">T1573.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Encrypted Channel: Symmetric Cryptography<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea encrypts C&amp;C traffic using the IDEA algorithm and BinMergeLoader using the AES algorithm.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1132\/001\" target=\"_blank\" rel=\"noopener\">T1132.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Data Encoding: Standard Encoding<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea adds a base64-encoding layer to its encrypted C&amp;C traffic.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Exfiltration<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1041\" target=\"_blank\" rel=\"noopener\">T1041<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Exfiltration Over C2 Channel<\/p>\n<\/td>\n<td width=\"265\">\n<p>ScoringMathTea can exfiltrate data to its C&amp;C server.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have recently observed a new instance of Operation DreamJob \u2013 a campaign that we track under<\/p>\n","protected":false},"author":1,"featured_media":208,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=207"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/207\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/
escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/208"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}