{
	"id": "1be4095b-0baf-4b61-8f58-670186cfa7ac",
	"created_at": "2026-04-06T00:16:47.805168Z",
	"updated_at": "2026-04-10T03:38:20.723685Z",
	"deleted_at": null,
	"sha1_hash": "520c03e377f6fa57eadac06ad1f0ddd1ae301bac",
	"title": "Gotta fly: Lazarus targets the UAV sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507510,
	"plain_text": "Gotta fly: Lazarus targets the UAV sector\r\nBy Peter Kálnai and Alexis Rapin\r\nArchived: 2026-04-05 15:11:43 UTC\r\nESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the\r\numbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were\r\ntargeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may\r\nbe linked to North Korea’s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical\r\nimplications of the campaign, and provides a high-level overview of the toolset used by the attackers.\r\nKey points of this blogpost:\r\nLazarus attacks against companies developing UAV technology align with recently reported developments\r\nin the North Korean drone program.\r\nThe suspected primary goal of the attackers was likely the theft of proprietary information and\r\nmanufacturing know-how.\r\nBased on the social-engineering technique used for initial access, trojanizing open-source projects from\r\nGitHub, and the deployment of ScoringMathTea, we consider these attacks to be a new wave of the\r\nOperation DreamJob campaign.\r\nThe group’s most significant evolution is the introduction of new libraries designed for DLL proxying and\r\nthe selection of new open-source projects to trojanize for improved evasion.\r\nProfile of Lazarus and its Operation DreamJob\r\nThe Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at\r\nleast 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive\r\nattacks against South Korean public and critical infrastructure since at least 2011. 
The diversity, number, and eccentricity in\r\nimplementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal\r\nactivities: cyberespionage, cybersabotage, and pursuit of financial gain.\r\nOperation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake\r\njob offers for prestigious or high-profile positions (the “dream job” lure). This name was coined in a 2020 blogpost by\r\nClearSky, and overlaps with campaigns like DeathNote or Operation North Star. Targets are predominantly in the aerospace\r\nand defense sectors, followed by engineering and technology companies and the media and entertainment sector. In these\r\ncampaigns, the attackers usually deploy trojanized open-source plugins for software like Notepad++ and WinMerge that\r\nserve as droppers and loaders, and payloads like ImprudentCook, ScoringMathTea, BlindingCan, miniBlindingCan,\r\nLightlessCan for Windows, and SimplexTea for Linux. The primary goal is cyberespionage, focusing on stealing sensitive\r\ndata, intellectual property, and proprietary information, and the secondary goal is financial gain.\r\nOverview\r\nStarting in late March 2025, we observed in ESET telemetry cyberattacks reminiscent of Operation DreamJob campaigns.\r\nThe in-the-wild attacks successively targeted three European companies active in the defense sector. Although their\r\nactivities are somewhat diverse, these entities can be described as:\r\na metal engineering company (Southeastern Europe),\r\na manufacturer of aircraft components (Central Europe), and\r\na defense company (Central Europe).\r\nAll cases involved droppers that have the interesting internal DLL name, DroneEXEHijackingLoader.dll, which led us down\r\nthe drone segment rabbit hole. Also, initial access was likely achieved via social engineering – an Operation DreamJob\r\nspecialty. 
The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document\r\nwith a job description and a trojanized PDF reader to open it.\r\nThe main payload deployed to the targets was ScoringMathTea, a RAT that offers the attackers full control over the\r\ncompromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it\r\nhttps://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/\r\nPage 1 of 10\n\nwas seen in the wild, and since then in multiple attacks attributed to Lazarus’ Operation DreamJob campaigns, which makes\r\nit the attacker’s payload of choice for already three years. It uses compromised servers for C\u0026C communication, with the\r\nserver part usually stored under the WordPress folder containing design templates or plugins.\r\nIn summary, we attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to\r\nOperation DreamJob, based on the following:\r\nInitial access was obtained by social engineering, convincing the target to execute malware disguised as a job\r\ndescription, in order to succeed in a hiring process.\r\nTrojanizing open-source projects and then crafting their exports to fit the DLL side-loading seems to be an approach\r\nspecific to Operation DreamJob.\r\nThe flagship payload for later stages, ScoringMathTea, was used in multiple similar attacks in the past.\r\nThe targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob\r\n(aerospace, defense, engineering).\r\nGeopolitical context\r\nThe three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are\r\ncurrently deployed in Ukraine as a result of European countries’ military assistance. 
At the time of Operation DreamJob’s\r\nobserved activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in\r\nthe Kursk oblast. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some\r\nWestern-made weapons systems currently employed in the Russia-Ukraine war.\r\nMore generally, these entities are involved in the production of types of materiel that North Korea also manufactures\r\ndomestically, and for which it might be hoping to perfect its own designs and processes. In any case, there is no indication\r\nthat the targeted companies supply military equipment to the South Korean armed forces – which could have been another\r\nelement explaining Operation DreamJob’s interest in these companies. Interestingly, however, at least two of these\r\norganizations are clearly involved in the development of UAV technology, with one manufacturing critical drone\r\ncomponents and the other reportedly engaged in the design of UAV-related software.\r\nThe interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing\r\nheavily in domestic drone manufacturing capabilities. Although this endeavor can be traced back to more than a decade ago,\r\nmany observers posit that North Korea’s recent experience of modern warfare in the Russia-Ukraine war has only reinforced\r\nPyongyang’s resolution with regard to its drone program. The North Korean regime is now reportedly receiving assistance\r\nfrom Russia to produce its own version of the Iranian-made Shahed suicide drone and is also apparently working on low-cost attack UAVs that could be exported to African or Middle Eastern countries.\r\nAssessing the “drone connection”\r\nIf one thing is clear, it is that North Korea has relied heavily on reverse engineering and intellectual property theft to develop\r\nits domestic UAV capabilities. 
As recent open-source reports illustrate, North Korea’s current flagship reconnaissance drone,\r\nthe Saetbyol‑4, looks like a carbon copy of the Northrop Grumman RQ‑4 Global Hawk, while its multipurpose combat\r\ndrone, the Saetbyol‑9, bears a striking resemblance to General Atomics’ MQ‑9 Reaper. The fact that both designations\r\nreplicate the number associated with their US equivalent might even be a not-so-subtle nod to that effect. Although these\r\naircraft’s performance may well differ from that of their US counterparts, there is little doubt that the latter served as a\r\nstrong inspiration for North Korea’s designs.\r\nThis is probably where cybercapabilities enter the fray. While other intelligence resources were likely mobilized by\r\nPyongyang to help copy Western UAVs, there are indications that cyberespionage may have played a role. In recent years,\r\nmultiple campaigns affecting the aerospace sector (including UAV technology specifically) have been attributed to North\r\nKorea-aligned APT groups, with Operation North Star (a campaign presenting some overlap with Operation DreamJob)\r\nbeing one of them. In 2020, ESET researchers documented a similar campaign, which we then named Operation\r\nIn(ter)ception and later attributed to Lazarus with high confidence. As several groups related to Lazarus have been formally\r\nlinked to North Korean intelligence services by US authorities and others, these precedents strongly suggest that\r\ncyberespionage is likely one of the tools leveraged by the regime for reverse engineering Western UAVs – and that groups\r\noperating under the broad Lazarus umbrella are taking an active part in this effort.\r\nIn this context, we believe that it is likely that Operation DreamJob was – at least partially – aimed at stealing proprietary\r\ninformation, and manufacturing know-how, regarding UAVs. 
The Drone mention observed in one of the droppers\r\nsignificantly reinforces this hypothesis.\r\nTo be clear, we can only hypothesize as to the specific kind of information that Operation DreamJob was after. However, we\r\nhave found evidence that one of the targeted entities is involved in the production of at least two UAV models that are\r\ncurrently employed in Ukraine, and which North Korea may have encountered on the frontline. This entity is also involved\r\nin the supply chain of advanced single-rotor drones (i.e., unmanned helicopters), a type of aircraft that Pyongyang is actively\r\ndeveloping but has not proved able to militarize so far. These may be some of the potential motivations behind Operation\r\nDreamJob’s observed activities. More generally, as North Korea is reportedly in the process of building a factory for mass-producing UAVs, it might also be looking for privileged knowledge regarding UAV-related industrial processes and\r\nmanufacturing techniques.\r\nReports from Google’s Mandiant in September 2024 and from Kaspersky in December 2024 describe tools used by Lazarus\r\nin its Operation DreamJob in 2024. In this section, we mention the tools to which the group shifted in Operation DreamJob\r\nin 2025. Based on their position in the execution chain, we distinguish two types of tools: early stages that consist of various\r\ndroppers, loaders, and downloaders; and the main stages that represent payloads like RATs and complex downloaders that\r\ngive the attackers sufficient control over the compromised machine.\r\nBesides the in-the-wild cases seen in ESET telemetry, the activity of the attackers also manifested as VirusTotal submissions\r\noccurring at the same time. 
A trojanized MuPDF reader, QuanPinLoader, a loader disguised as a Microsoft DirectInput\r\nlibrary (dinput.dll), and a variant of ScoringMathTea were submitted from Italy in April and June 2025; BinMergeLoader\r\nwas submitted in August 2025 from Spain.\r\nDroppers, loaders, and downloaders\r\nGenerally, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes\r\nthese tools and allows them to become detected. As a countermeasure, the group’s tools are preceded in the execution chain\r\nby a series of droppers, loaders, and simple downloaders. Typically, the loaders used look for the next stage on the file\r\nsystem or in the registry, decrypt it using AES-128 or ChaCha20, and manually load it in memory via the routines\r\nimplemented in the MemoryModule library; a dropper is basically a loader but contains the next stage embedded in its body.\r\nThe main payload, ScoringMathTea in all cases observed, is never present on the disk in unencrypted form. Example\r\nexecution chains are seen in Figure 1. In some cases, the attackers also deployed a complex downloader that we call\r\nBinMergeLoader, which is similar to the MISTPEN malware reported by Google’s Mandiant. BinMergeLoader leverages\r\nthe Microsoft Graph API and uses Microsoft API tokens for authentication.\r\nFigure 1. Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and\r\nScoringMathTea\r\nThe attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub. The\r\nchoice of project varies from one attack to another. 
In 2025, we observed the following malware:\r\nTrojanized TightVNC Viewer and MuPDF reader that serve as downloaders.\r\nA trojanized end-of-life libpcre v8.45 library for Windows, serving as a loader.\r\nA loader that has the Mandarin Chinese symbol 样 (yàng in the Pinyin transliteration) as an icon in the resources. It\r\nalso contains the string SampleIMESimplifiedQuanPin.txt, which suggests that it is probably based on the open-source project Sample IME, a TSF-based input method editor demo. We call this QuanPinLoader.\r\nLoaders built from the open-source project DirectX Wrappers.\r\nDownloaders built from open-source plugins for WinMerge (DisplayBinaryFiles and HideFirstLetter). We call the\r\ntwo trojanized plugins BinMergeLoader.\r\nTrojanized open-source plugins for Notepad++, specifically a downloader very similar to BinMergeLoader\r\n(NPPHexEditor v10.0.0 by MacKenzie Cumings) and a dropper of an unknown payload (ComparePlus v1.1.0 by\r\nPavel Nedev). The latter binary contains the PDB path E:\\Work\\Troy\\안정화\\wksprt\\comparePlus-master\\Notepad++\\plugins\\ComparePlus\\ComparePlus.pdb, which suggests the origin of the project (comparePlus-master) and its intended legitimate parent process (wksprt). Also, 안정화 means stable in Korean, which indicates\r\nthat the code was likely properly tested and reliable.\r\nOne of the droppers (SHA-1: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4) has the internal DLL name\r\nDroneEXEHijackingLoader.dll and is disguised as a Windows Web Services Runtime library in order to be successfully\r\nside-loaded; see Figure 2. We believe that the substring drone is there to designate both a UAV device and the attacker’s\r\ninternal campaign name.\r\nFigure 2. 
A dropper with a suspicious internal name and exports from a legitimate Microsoft library\r\nTable 1 shows a typical combination of legitimate executable files (EXEs) and malicious dynamic link libraries (DLLs)\r\ndelivered to the victim’s system (this is analogous to Table 1 in our blogpost on an attack against a Spanish aerospace\r\ncompany in 2023). The DLLs in the third column are either trojanized open-source applications (see the fourth column for\r\nthe underlying project) or a standalone malware binary without such benign context, with a legitimate EXE side-loading it.\r\nThe location folder (the first column) is unusual for such legitimate applications. Malicious DLLs use the DLL proxying\r\ntechnique, in order not to break the execution. Therefore, when a DLL is also a trojanized project, it contains two\r\nheterogeneous types of exports: first the set of functions required for DLL proxying, and second the set of functions\r\nexported from the open-source project.\r\nTable 1. Summary of binaries involved in the attack\r\nLocation folder | Legitimate parent process | Malicious side-loaded DLL | Trojanized project (payload)\r\nN/A | wksprt.exe* | webservices.dll* | ComparePlus v1.1.0 (N/A)\r\n%ALLUSERSPROFILE%\\EMC\\, %ALLUSERSPROFILE%\\Adobe\\ | wksprt.exe | webservices.dll | Standalone (ScoringMathTea)\r\n%ALLUSERSPROFILE%\\ | wkspbroker.exe | radcui.dll | DirectX wrappers d3d8.dll/ddraw.dll (ScoringMathTea)\r\n%APPDATA%\\Microsoft\\RemoteApp\\ | wkspbroker.exe | radcui.dll | Standalone (BinMergeLoader)\r\n* Denotes a VirusTotal submission and its likely parent process. 
The payload is unknown, since a long command-line\r\nargument is required for its decryption from the trojanized project.\r\nScoringMathTea\r\nScoringMathTea is a complex RAT that supports around 40 commands. Its name is a combination of the root ScoringMath,\r\ntaken from a C\u0026C domain used by an early variant (www.scoringmnmathleague[.]org), and the suffix -Tea, which is ESET\r\nResearch’s designation for a North Korea-aligned payload. It was first publicly documented by Kaspersky in April 2023 and\r\nlater by Microsoft in October 2023 under the name ForestTiger, which follows the internal DLL name or the PDB\r\ninformation found in some samples.\r\nIts first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its\r\ndropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual set required by Lazarus:\r\nmanipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP\r\nconnection, and executing local commands or new payloads downloaded from the C\u0026C server. The current version does not\r\nshow any dramatic changes in its feature set or its command parsing. So the payload is probably receiving continuous, rather\r\nminor improvements and bug fixes.\r\nRegarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a\r\nPolish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace\r\ncompany in September 2025. It seems that it is one of the flagship payloads for Operation DreamJob campaigns, even\r\nthough Lazarus has more sophisticated payloads like LightlessCan at its disposal.\r\nConclusion\r\nFor nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload,\r\nScoringMathTea, and using similar methods to trojanize open-source applications. 
This predictable, yet effective, strategy\r\ndelivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and\r\nobscure the attribution process. Also, even with widespread media coverage of Operation DreamJob and its use of social\r\nengineering, the level of employee awareness in sensitive sectors – technology, engineering, and defense – is insufficient to\r\nhandle the potential risks of a suspicious hiring process.\r\nAlthough alternative hypotheses are conceivable, there are good reasons to think that this Operation DreamJob campaign\r\nwas in no small part intended to collect sensitive information on UAV-related technology. Considering North Korea’s current\r\nefforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the\r\nappetite of North Korea-aligned threat actors in the near future.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise and samples can be found in our GitHub repository.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 
17 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | ScoringMathTea uses compromised servers for C\u0026C.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | All stages in the attack were likely developed by the attackers.\r\nExecution | T1106 | Native API | Windows APIs are essential for ScoringMathTea to function and are resolved dynamically at runtime.\r\nExecution | T1129 | Shared Modules | ScoringMathTea is able to load a downloaded DLL with the exports fun00 or exportfun00.\r\nExecution | T1204.002 | User Execution: Malicious File | Lazarus attackers relied on the execution of trojanized PDF readers.\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Trojanized droppers (webservices.dll, radcui.dll) use legitimate programs (wksprt.exe, wkspbroker.exe) for their loading.\r\nDefense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | ScoringMathTea can create a new process in the security context of the user represented by a specified token.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The main payload, ScoringMathTea, is always encrypted on the file system.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | ScoringMathTea resolves Windows APIs dynamically.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage.\r\nDefense Evasion | T1620 | Reflective Code Loading | The droppers and loaders use reflective DLL injection.\r\nDefense Evasion | T1055 | Process Injection | ScoringMathTea and BinMergeLoader can reflectively load a DLL in the process specified by the PID.\r\nDiscovery | T1083 | File and Directory Discovery | ScoringMathTea can locate a file by its name.\r\nDiscovery | T1057 | Process Discovery | ScoringMathTea can list all running processes.\r\nDiscovery | T1082 | System Information Discovery | ScoringMathTea can mimic the ver command.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | ScoringMathTea and BinMergeLoader use HTTP and HTTPS for C\u0026C.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | ScoringMathTea encrypts C\u0026C traffic using the IDEA algorithm and BinMergeLoader using the AES algorithm.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | ScoringMathTea adds a base64-encoding layer to its encrypted C\u0026C traffic.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | ScoringMathTea can exfiltrate data to its C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/"
	],
	"report_names": [
		"gotta-fly-lazarus-targets-uav-sector"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/520c03e377f6fa57eadac06ad1f0ddd1ae301bac.pdf",
		"text": "https://archive.orkl.eu/520c03e377f6fa57eadac06ad1f0ddd1ae301bac.txt",
		"img": "https://archive.orkl.eu/520c03e377f6fa57eadac06ad1f0ddd1ae301bac.jpg"
	}
}