{
	"id": "c74fdcb3-865e-4cbb-a2e1-07e5b97b456b",
	"created_at": "2026-04-06T00:09:46.757372Z",
	"updated_at": "2026-04-10T03:22:08.395823Z",
	"deleted_at": null,
	"sha1_hash": "417068d33c43cb7760be49dfa8c2caef6ab63df3",
	"title": "Nation-State Actor’s Arsenal: An In-Depth Look at Lazarus’ ScoringMathTea - 0x0d4y Malware Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1744097,
	"plain_text": "Nation-State Actor’s Arsenal: An In-Depth Look at Lazarus’\r\nScoringMathTea - 0x0d4y Malware Research\r\nBy 0x0d4y\r\nPublished: 2025-11-17 · Archived: 2026-04-05 19:16:12 UTC\r\nIn October 2025, the ESET Research Team published an excellent article about the identification of a new\r\ninstance of the Operation DreamJob cyberespionage campaign, conducted by the Lazarus APT Group, aligned\r\nwith the North Korean government. This instance was identified by ESET as Gotta Fly, as it was determined that\r\nLazarus was directing cyberattacks with an espionage focus to steal know-how related to the production of\r\nUnmanned Aerial Vehicles from companies that are providing such technology to Ukraine. In the same article,\r\nthe ESET Research Team provided information on the identification of two kill chains, both of which implement\r\nScoringMathTea. Below, you can see an image taken from the ESET post, showing the identified execution\r\nchains.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 1 of 30\n\nScoringMathTea is a RAT (Remote Access Trojan) in C++, developed and operated by Lazarus, which\r\nprovides operators with all the necessary capabilities that a good RAT can offer, including remote command\r\nexecution, loading and execution of plugins in memory, among other capabilities. This is the object of analysis in\r\nmy research.\r\nBelow is a general overview of the main capabilities implemented in ScoringMathTea.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 2 of 30\n\nScoringMathTea’s Reverse Engineering\r\nThe sample we are going to analyze is ScoringMathTea in DLL format. When we open it in IDA Pro, the first\r\nfunction that appears is DllMain, which simply creates a thread through CreateThread WinAPI, setting the\r\nlpStartAddress as a wrapper function for the main function of ScoringMathTea.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 3 of 30\n\nIn the image below, we can observe the flow identified by the Proximity Browser, which leads from DllMain to\r\nthe Main function of ScoringMathTea.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 4 of 30\n\nUpon reaching this function, we can already observe the creation of a pseudo-random seed using GetTickCount64\r\nfollowed by srand, followed by a function that initializes some fields of the ScoringMathTea configuration struct,\r\nand finally arriving at the identification of the API resolution technique via API Hashing.\r\nInitializing Specific Fields of the Configuration Struct\r\nIn the smt_init_config function, several fields of the struct that stores certain configuration aspects of\r\nScoringMathTea are initialized. Below, we can see the storage via Stack Strings of the C\u0026C URL of this sample.\r\nThe use of Stack String is strategic so that the URL address is not easily identified by any string extraction\r\ntool.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 5 of 30\n\nIn addition to the URL address, it is also possible to observe the creation of slots for more C\u0026C addresses, which\r\nwere declared as null, but which I believe could be added during the operation.\r\nOther interesting fields that were observed being initialized include possible random seed that can be used later,\r\nas well as an ID, which could be from the campaign or the build of this ScoringMathTea sample.\r\nAnalyzing the API Hashing Routine\r\nAfter initializing certain fields of the ScoringMathTea configuration struct, the main function loads and executes\r\nthe dynamic API loading routine via API Hashing . Upon analyzing the function responsible for this process, we\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 6 of 30\n\nencounter an initial string deobfuscation routine, using the smt_string_decryption function, which only\r\nreceives the strings as arguments.\r\nNext, we will analyze in deep the custom algorithm used by ScoringMathTea to deobfuscate these strings.\r\nAnalyzing the Custom String Deobfuscation Algorithm\r\nThis if the main function used by the ScoringMathTea to deobfuscate static strings at runtime, implementing\r\nsomething like a polyalphabetic substitution cipher with chaining (propagating cipher).\r\nThe decoding mechanism operates as follows:\r\n1. Initialization: The function receives an obfuscated string ( enc_str ) and an output pointer ( dec_str ).\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 7 of 30\n\n2. Substitution Alphabet: The algorithm relies on a global lookup table (pointed in alphabet_decryption =\r\n\"pB1Q5ZyneCb6sR03u2OxfK8vVMkEaow_ciSDYIUmlF4hq9XLPJNzTHGgr.WtdA7\" ). This table functions as a 64-\r\ncharacter “alphabet” (as indicated by the 0x40 and 0x3F delimiters).\r\n3. Key State: An initial key, or “state“, is hardcoded with the value 11 . This key is dynamic and changes\r\nwith each iteration.\r\n4. Decoding Process (Loop): The function iterates through each character of the copied obfuscated string:\r\nFirst, it locates the obfuscated character within the alphabet_decryption table to find its index\r\n( alphabet_idx ).\r\nThen, it calculates the index of the actual (decoded) character by subtracting the current\r\nkey_state from the alphabet_idx . A bitwise AND operation with 0x3F is used to ensure the\r\nresult is a valid index (essentially a modulo 64 operation that also handles “underflow” of negative\r\nindices).\r\nThe newly calculated index is used to retrieve the actual decoded character from the same\r\nalphabet_decryption table.\r\nThis decoded character replaces the obfuscated character in the buffer.\r\n5. Chaining Mechanism: This is the polyalphabetic aspect of the cipher. After decoding a character, the\r\nkey_state is updated for the next iteration. The new state is calculated by adding the value of the newly\r\ndecoded character to the previous key_state , again applying a modulo 64 ( \u0026 0x3F ).\r\nThis chaining mechanism makes the key dependent on the decoded output itself, meaning that each character is\r\ndecoded with a different key, derived from the previous character.\r\nFinally, the algorithm stores the pointer to the decoded string (in char* format) in the first argument and then\r\nconverts and copies the deobfuscated string to an adjacent wide string buffer ( wchar_t* ). Below we can see the\r\npseudocode of this algorithm:\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 8 of 30\n\nHaving understood the algorithm, I developed a string deobfuscation Python script for IDA Pro, which is available\r\nin my GitHub repository.\r\nThe script is quite straightforward, following these steps:\r\nCollects each XRef’s offset of the smt_string_decryption function;\r\nIdentifies and collects the arguments of each XRef;\r\nSubmits the obfuscated strings (which are passed as arguments to the smt_string_decryption function) to\r\nthe string deobfuscation algorithm implementation;\r\nThe result is written as a comment at each offset identified in the XRef identification process in the\r\nDisassembler.\r\nThis allows the string decryption process to be automated within IDA itself, making the analysis more fluid with\r\nthe comments placed in the Disassembler. Below is the output of the script in the IDA Pro Output window.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 9 of 30\n\nAnd below, we can partially observe the result of the Python script execution.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 10 of 30\n\nThus, it can be observed that the deobfuscated strings in the API resolution function ( smt_api_resolution ) are\r\nDLLs that will be used throughout. Let’s continue with the analysis of the API loading routine via API Hashing .\r\nContinuation of the Analysis of the API Loading Routine via API Hashing\r\nAfter deobfuscating the strings, the smt_api_resolution function will perform PE parsing of the desired module\r\n(DLL), with the aim of collecting the names of the APIs exported by that DLL, using AddressOfNames in the\r\nIMAGE_EXPORT_DIRECTORY.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 11 of 30\n\nIn each iteration of AddressOfNames , the collected result will be submitted to the ScoringMathTea hashing\r\nalgorithm, as can be seen in the pseudocode below.\r\nThe while loop will check if the resulting hash from each API in each iteration matches the hash received as an\r\nargument to this function. The hashing process for each API name begins with a fixed seed value ( api_hashed =\r\n0x2DBB955 ), with its main logic described as:\r\napi_hashed ^= (char)*v18++ + (api_hashed \u003e\u003e 2) + 32 * api_hashed .\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 12 of 30\n\nThe custom hashing algorithm used by ScoringMathTea follows the following steps:\r\napi_hashed ^= ... : The result of this sum is then combined with the current hash value using an XOR\r\noperation. The result becomes the new api_hashed value for the next iteration.\r\n32 * api_hashed : The current hash value is multiplied by 32 . In terms of bits, this is a left shift of 5\r\nbits ( api_hashed \u003c\u003c 5 ).\r\n(api_hashed \u003e\u003e 2) : The current hash value is right shifted by 2 bits (equivalent to an integer division\r\nby 4).\r\n(char)*v18++ : The ASCII value of the current character in the string.\r\nSum: The algorithm sums these three components: (character) + (hash / 4) + (hash * 32) .\r\nAs we can see in the image below, the hashing resolution function is called approximately 273 times throughout\r\nthe ScoringMathTea code.\r\nAnd in the same way that it was done for the string decryption function, it is possible to collect each hash that will\r\nbe resolved to an API at runtime. Of course, it’s possible to observe several repeated APIs, which refer to APIs\r\nthat are used multiple times, such as LocalAlloc, LocalFree, GetLastError, among others.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 13 of 30\n\nSince the hashing algorithm is relatively simple, it’s possible to create a Python script to automate the API hashing\r\nprocess. I implemented this and submitted a Pull Request to the OALabs open-source project, HashDB, with the\r\ngoal of automating the de-hashing and facilitating static analysis. With the Pull Request accepted, it is now\r\npossible to look up the hashes of the current ScoringMathTea samples.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 14 of 30\n\nThis makes it possible to have a clearer view of what ScoringMathTea is loading and executing throughout its\r\noperation.\r\nAnalysis of Communication Capability with C\u0026C and Plugin Execution\r\nThe logic of the main function of ScoringMathTea consists of an infinite loop, where the main functionalities of\r\nthe agent (ScoringMathTea deployed on the infected system) and its communication with the C\u0026C server are\r\nimplemented, awaiting commands received from the operators to finally execute them, maintaining a 60-second\r\nbeacon heartbeat to try to reduce network noise, but in reality it seems to be a standard agent configuration.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 15 of 30\n\nThis main function appears to have 3 execution phases. The first one has already been identified and analyzed\r\npreviously: the initialization of the configuration struct and the initialization of Winsock to enable network\r\ncommunication.\r\nThe second phase consists of the main communication loop with the C\u0026C server, where the agent enters an\r\ninfinite loop to try to connect with one of its C\u0026C servers. This is not the case with this sample, but as previously\r\nseen, ScoringMathTea has the capability to have multiple C\u0026C addresses; therefore, the main action of the\r\nScoringMathTea’s main function is to randomly select a C\u0026C address. However, as we already know, this\r\nsample only has one C\u0026C address.\r\nAfter selecting the command and control (C\u0026C) address, the agent will execute the function to configure the\r\nconnection to the C\u0026C server, making an initial connection and storing the connection handle for future use.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 16 of 30\n\nThis function performs this configuration using common WinAPIs, but all of them are resolved dynamically\r\nthrough the API resolution function, analyzed previously. The function defines the following settings:\r\nSpoofing the User-Agent for further communications: `Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.42`\r\nInitial connection to the C\u0026C server via the WinHttpConnect API, returning a connection handle;\r\nCreation of an HTTP POST request via the WinHttpOpenRequest API, using the connection handle created\r\npreviously. A beacon is likely sent to the C\u0026C server here;\r\nDefinition of connection timeouts of 10 seconds , via the WinHttpSetTimeouts;\r\nAfter this communication is initiated, the agent uses the Handle of the connection created and configured with the\r\nC\u0026C to send beacons and receive commands from the operators. In other words, from the previously configured\r\ncommunication, the agent’s communication with the C\u0026C server operates over HTTP/HTTPS using a two-way\r\ncommunication channel that is possibly Base64 encoded, encrypted using the TEA / XTEA algorithm in CBC\r\nmode , and optionally compressed.\r\nFirstly, the function that receives the identifier of the previously configured connection seems to construct a\r\npseudo-random request payload (using rand() ) from some constants, making it difficult to detect the beacon\r\nsent to the C\u0026C using static signatures. An interesting feature of ScoringMathTea’s communication is that, when\r\nconnecting to the command and control (C\u0026C) URL, if the HTML document header is identified, the function\r\nremoves this “header” and adjusts the pointers so that the rest of the code can process the actual payload that\r\ncomes next.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 17 of 30\n\nBelow, we can see the execution of the function that sends the beacon and receives the response from the C\u0026C\r\n( smt_c2_http_send_receive ), followed by the function that filters the contents of the buffer received by the\r\nC\u0026C.\r\nBelow you can see the content of the function that removes HTML header ( smt_c2_filter_html_garbage ), if\r\nidentified.\r\nWhen testing a POST request, it’s possible to identify the header that is filtered, as we will observe later.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 18 of 30\n\nAnd when we simply send a GET request to the root domain, we get a fatal PHP error, indicating that the\r\nwebsite is indeed fake, not even containing a page at the root of the domain.\r\nAfter stripping the header, the agent will receive an encrypted payload, extract a key and an Initialization\r\nVector ( IV ) from it, and use this key to generate a decryption key schedule through two preparation functions.\r\nThen, it uses this key schedule and the IV to decrypt the payload in-place using a variant TEA algorithm in CBC\r\nmode . Finally, the resulting plaintext payload is checked; if a flag in the header indicates that the data is\r\ncompressed, it decompresses it before moving the final command to an execution buffer. Below, we can observe\r\nthe flow of this execution.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 19 of 30\n\nThis communication mechanism with C\u0026C is the core of ScoringMathTea . This entire flow is executed to\r\nreceive and execute commands.\r\nAnalysis of the Modular Capacity for Injecting Memory-Reflected Plugins\r\nAnother extremely interesting feature is the ability to load and inject reflected plugins into memory. Let’s see.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 20 of 30\n\nThe plugins that are loaded into memory in ScoringMathTea are loaded using the Reflective DLL Injection\r\ntechnique, receiving the plugin through the communication flow with the C\u0026C analyzed previously, and\r\nimplemented in three main layers:\r\nThe Main Task Manager of Plugin Load: This is the handler function for orchestrating the download and\r\nloading of the plugin.\r\nPlugin Loading Orchestrator: This function prepares the environment, loading the necessary DLLs and\r\nAPIs using the PEB Walking technique. In addition, this function feeds a structure I called PE_CONTEXT ,\r\nwhich will contain information about the plugin that will be loaded into memory. This same function is\r\nresponsible for cleaning up memory using APIs (loaded by the same API Hashing method analyzed\r\npreviously).\r\nBelow you can see the orchestrator’s body, which calls upon the two main functions that will do the heavy lifting.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 21 of 30\n\nWhen we enter the smt_load_apis_dlls function, we can observe the implementation of the PEB Walking\r\ntechnique, with the goal of dynamically loading kernel32.dll , and a series of 7 APIs , which will be used\r\nlater.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 22 of 30\n\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 23 of 30\n\nThe API offsets are stored in a structure, which is later called to use the APIs, as shown below.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 24 of 30\n\nFrom this point on, the orchestrator function follows the flow for the Reflected loading of the Plugin.\r\nThe Reflective Plugin Loader: This is the function that manually implements the Windows Loader, where\r\nit takes the plugin (a PE artifact), submits it to a custom in-line CRC32 algorithm to perform a checksum\r\nof the mapped plugin, maps it in memory, and finally executes it.\r\nRight at the beginning of the function, it’s possible to see that the plugin must be a PE artifact, since the function\r\nchecks both DOS and PE headers.\r\nThe function then manually maps the PE plugin in memory, allocating memory regions for each section. Basically,\r\nthis function implements the Windows Loader manually and in a customized way, to avoid detection by\r\ncybersecurity products.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 25 of 30\n\nThis function also implements a custom in-line CRC32 algorithm, which creates the CRC32 table on the stack\r\nand performs a checksum of the mapped plugin, in order to guarantee the integrity of the plugin and that\r\neverything has gone as expected. This is also an efficient method for detecting software breakpoints in debuggers.\r\nAfter generating the checksum, the function calls a routine to modify the protections of the previously allocated\r\nmemory regions, in a manner appropriate for each section.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 26 of 30\n\nFinally, this function manually implements the Windows Loader, ensuring that the plugin received by C\u0026C was\r\nproperly loaded manually, thus avoiding detection by certain cybersecurity products.\r\nWhen loading the plugin into memory, the main function implements a loop to manually identify a function\r\nexported by the loaded plugin, identified as exportfun . Upon identifying this function exported by the plugin, it\r\nwill be executed.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 27 of 30\n\nConclusion\r\nTherefore, based on all this analysis, the research concludes that ScoringMathTea is a modular Remote Access\r\nTrojan (RAT), designed for evasion, with a sophisticated architecture to avoid detection both on the network and at\r\nsome endpoint aspects. Its C\u0026C communication, operating over HTTP/S with SSL bypass, is a multi-layered\r\nchannel that protects its command payloads through Base64 encoding, encryption (likely TEA/XTEA in CBC\r\nmode), and optional compression. The malware’s core capability it’s a reflective plugin loader capbility, that\r\nload a plugin in DLL format, allowing the operator to download and execute plugins entirely in memory.\r\nThe most critical potential evasion mechanism is the manual mapping of the IAT (Import Address Table). The\r\nmalware implements the PEB Walking technique (via smt_load_apis_dlls) to locate kernel32.dll and manually\r\nobtain a “clean” pointer to GetProcAddress. With this, it builds its own API table (smt_api_table) at runtime,\r\ncontaining non-hooked pointers to VirtualAlloc, VirtualProtect, LoadLibraryA, etc. This secure table is then\r\nused by its loader (smt_reflective_plugin_loader) to perform manual plugin mapping, resolving imports, applying\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 28 of 30\n\nrelocations, verifying module integrity with a dynamically generated CRC32, and finally applying the correct\r\nmemory permissions (smt_set_section_protections) before invoking the plugin’s standard exported function\r\n(“exportfun“) to execute the malicious code related to the installed Plugin.\r\nWith this, I conclude this research. I hope that all of you who have read this far have learned something or found\r\nsomething interesting. Until next time!\r\nMITRE ATT\u0026CK Mapping\r\nWith the goal of mapping the implementations identified during the analysis, the MITRE ATT\u0026CK mapping from\r\nScoringMathTea is shown below.\r\nTactic (ID) Technique (ID) Comment (Context from our Analysis)\r\nDefense\r\nEvasion\r\n(TA0005)\r\nReflective Code Loading\r\n(T1620)\r\nThe ScoringMathTea ‘s core capability. It\r\nloads plugins (DLLs) directly from\r\nmemory without writing them to disk.\r\nExecution\r\n(TA0002)\r\nNative API (T1106)\r\nImplements PEB Walking to locate\r\nkernel32.dll and its own version of\r\nGetProcAddress to trying to bypass API\r\nhooking.\r\nDefense\r\nEvasion\r\n(TA0005)\r\nObfuscated Files or\r\nInformation: Dynamic API\r\nResolution\r\n(T1027.007)\r\nScoringMathTea’s manually implemented\r\na Dynamic API Resolution, through API\r\nHashing .\r\nDefense\r\nEvasion\r\n(TA0005)\r\nMasquerading: Browser\r\nFingerprint (T1036.012)\r\nSpoofs a legitimate Microsoft Edge\r\nUser-Agent string to make its C\u0026C traffic\r\nblend in with normal network activity.\r\nDefense\r\nEvasion\r\n(TA0005)\r\nVirtualization/Sandbox\r\nEvasion (T1497)\r\nActively filters HTML tags (like\r\n\u003c!DOCTYPE html\u003e ) from C\u0026C responses,\r\nmaybe can be used to defeat captive\r\nportals and automated sandbox analysis.\r\nDefense\r\nEvasion\r\n(TA0005)\r\nDebug Evasion (T1622)\r\nCalculates a CRC32 checksum of its own\r\nin-memory module after loading to detect\r\nif an analyst has applied patches or\r\ntampered with it.\r\nDefense\r\nEvasion\r\n(TA0005)\r\nHide Artifacts (T1564.004)\r\nSuppresses all system error dialogs to\r\nensure the malware fails silently without\r\nalerting the user.\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 29 of 30\n\nTactic (ID) Technique (ID) Comment (Context from our Analysis)\r\nCommand\r\nand Control\r\n(TA0011)\r\nApplication Layer Protocol:\r\nWeb Protocols (T1071.001)\r\nUses standard HTTP/S POST requests\r\nfor all C\u0026C communications. It also\r\nbypasses SSL/TLS certificate\r\nvalidation, allowing it to use self-signed\r\nor invalid certs.\r\nCommand\r\nand Control\r\n(TA0011)\r\nEncrypted Channel:\r\nSymmetric Cryptography\r\n(T1573.001)\r\nC\u0026C payloads are protected in multiple\r\nlayers: compressed, then encrypted with\r\na symmetric algorithm (identified as\r\nTEA/XTEA), and finally Base64\r\nencoded.\r\nReferences \u0026 Links\r\nGotta Fly: Lazarus targets the UAV sector.\r\nScoringMathTea Python String Decryption.\r\nScoringMathTea Python API Hash Algorithm.\r\nScoringMathTea Yara Rule.\r\nSource: https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nhttps://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/\r\nPage 30 of 30\n\n https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/     \nWhen we enter the smt_load_apis_dlls function, we can observe the implementation of the PEB Walking\ntechnique, with the goal of dynamically loading kernel32.dll , and a series of 7 APIs , which will be used\nlater.      \n  Page 22 of 30   \n\n https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/    \nThe API offsets are stored in a structure, which is later called to use the APIs, as shown below.\n   Page 24 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0x0d4y.blog/arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea/"
	],
	"report_names": [
		"arsenal-analysis-of-a-nation-state-actor-an-in-depth-look-at-lazarus-scoringmathtea"
	],
	"threat_actors": [],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/417068d33c43cb7760be49dfa8c2caef6ab63df3.pdf",
		"text": "https://archive.orkl.eu/417068d33c43cb7760be49dfa8c2caef6ab63df3.txt",
		"img": "https://archive.orkl.eu/417068d33c43cb7760be49dfa8c2caef6ab63df3.jpg"
	}
}