A new technical deep-dive by malware researcher 0x0d4y reveals the inner workings of ScoringMathTea, a sophisticated remote access Trojan (RAT) attributed to the Lazarus Group, the North Korean APT known for high-end cyber-espionage operations. The analysis dissects the RAT’s architecture, C2 protocol, API-hiding techniques, custom encryption routines, and a fully manual reflective plugin loader designed to evade modern detection stacks.
The work builds on ESET’s October 2025 report uncovering a new Operation DreamJob cluster—codenamed Gotta Fly—where Lazarus targeted companies developing UAV technology for Ukraine.
At the core of that campaign sits ScoringMathTea, a bespoke Lazarus RAT written in C++.
0x0d4y summarizes the tool succinctly: “ScoringMathTea is a RAT… which provides operators with all the necessary capabilities that a good RAT can offer, including remote command execution, loading and execution of plugins in memory.”
The sample analyzed was packaged as a DLL. Its entrypoint (DllMain) immediately launches a new thread that executes the RAT’s main function—an architecture deliberately designed to blend into legitimate application behavior.
The RAT initializes a configuration structure, generates pseudo-random seeds using Windows tick counts, and sets up multiple C2 slots—though 0x0d4y notes that only one C2 URL is active in the analyzed sample. To conceal this infrastructure, Lazarus hides its command-and-control URL using stack strings, which the researcher describes as “strategic so that the URL address is not easily identified by any string extraction tool.”
One of the RAT’s first operations is to dynamically resolve all required APIs using a custom hashing algorithm and encrypted string table.
0x0d4y identifies the deobfuscation routine as “a polyalphabetic substitution cipher with chaining (propagating cipher)” that decrypts static strings at runtime through a custom 64-character alphabet and evolving key state.
The researcher reverse-engineered the algorithm and created an automated Python script to decrypt all embedded strings directly inside IDA Pro.
Once strings are decoded, ScoringMathTea parses PE exports and resolves APIs through a bespoke hashing formula, called over 273 times in the analyzed sample—underscoring the malware’s reliance on dynamic API loading to evade static detection.
The RAT maintains a persistent 60-second beacon interval, with a communication loop that attempts to connect to its C2 using a spoofed browser header:
Mozilla/5.0 (Windows NT 10.0; Win64; x64)… Edg/107.0.1418.42
Once connected, ScoringMathTea sends a pseudo-randomized beacon generated using rand() to avoid signature-based detection. The response is processed through several layers:
- HTML wrapper removal
- Base64 decoding
- Decryption using TEA/XTEA in CBC mode
- Optional decompression
- Command parsing
As 0x0d4y states, “The agent’s communication with the C&C server operates over HTTP/HTTPS… encoded, encrypted using the TEA/XTEA algorithm in CBC mode, and optionally compressed.” This multi-layered structure makes the traffic appear benign while protecting payload integrity.
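The five response layers listed above, as an added decoder example that is not code from 0x0d4y's write-up or from the malware: it applies standard XTEA in CBC mode under each layer, and everything the article does not give (key, IV, word order, padding, HTML wrapper format, compression method and command layout) is an assumption marked in the comments. The `build_sample_response` helper only constructs test input so the decoder can be exercised offline.

```python
import base64, re, struct, zlib
MASK, DELTA, ROUNDS = 0xFFFFFFFF, 0x9E3779B9, 32  # standard XTEA constants; the sample's own parameters are not in the write-up

def xtea_block(v0, v1, k, encrypt):
    # Standard XTEA on one 64-bit block (two 32-bit words); k is four 32-bit key words.
    s = 0 if encrypt else (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        if encrypt:
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
            s = (s + DELTA) & MASK
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        else:
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
            s = (s - DELTA) & MASK
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1

def xtea_cbc(data, key, iv, encrypt):
    # CBC over 8-byte blocks; little-endian word order is assumed (typical of x86 implementations).
    k, out, prev = struct.unpack("<4I", key), bytearray(), iv
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if encrypt:
            x = bytes(a ^ b for a, b in zip(blk, prev))
            prev = struct.pack("<2I", *xtea_block(*struct.unpack("<2I", x), k, True))
            out += prev
        else:
            pt = struct.pack("<2I", *xtea_block(*struct.unpack("<2I", blk), k, False))
            out += bytes(a ^ b for a, b in zip(pt, prev))
            prev = blk
    return bytes(out)

def decode_response(html, key, iv):
    # Layers 1-2: strip the HTML wrapper (assumed: payload sits inside <body>) and Base64-decode.
    ct = base64.b64decode(re.search(r"<body>(.*?)</body>", html, re.S).group(1))
    pt = xtea_cbc(ct, key, iv, False)  # Layer 3: XTEA-CBC decryption
    pt = pt[:-pt[-1]]                  # strip PKCS#7 padding (assumed)
    try:                               # Layer 4: optional decompression
        pt = zlib.decompress(pt)
    except zlib.error:
        pass                           # not a zlib stream: payload was sent uncompressed
    return struct.unpack("<I", pt[:4])[0], pt[4:]  # Layer 5: assumed layout, 4-byte LE command id + argument

def build_sample_response(cmd_id, arg, key, iv, compress=False):
    # Constructs a response for exercising the decoder above; this is not captured traffic.
    body = struct.pack("<I", cmd_id) + arg
    body = zlib.compress(body) if compress else body
    pad = 8 - len(body) % 8
    ct = xtea_cbc(body + bytes([pad]) * pad, key, iv, True)
    return "<html><body>" + base64.b64encode(ct).decode() + "</body></html>"
```

An analyst who recovers the real key and IV from the sample would only need to swap the assumed constants and wrapper regex to run this over captured responses.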
The most sophisticated feature revealed by the analysis is ScoringMathTea’s modular architecture, centered on a full reflective DLL injection system implemented entirely in the malware’s codebase.
0x0d4y concludes that the malware is: “a modular Remote Access Trojan designed for evasion, with a sophisticated architecture to avoid detection both on the network and at some endpoint aspects.”
Its reflective plugin capabilities, API hashing, PE-walking loader, and layered C2 encryption make it one of Lazarus Group’s most advanced espionage tools to date.
As geopolitical tensions drive state-aligned APT activity, ScoringMathTea demonstrates the level of technical investment and sophistication that nation-state threat actors continue to deploy in pursuit of strategic intelligence.