Dark Web News Analysis
A detailed technical analysis released on November 17, 2025, by malware researchers at 0x0d4y has exposed the inner workings of ScoringMathTea, the flagship Remote Access Trojan (RAT) used in the Lazarus Group’s new “Gotta Fly” campaign. The campaign, first identified by ESET in October 2025, targets Unmanned Aerial Vehicle (UAV) manufacturers and defense contractors.
This is a critical nation-state espionage event. The Lazarus Group (North Korea) is extending its focus from financial theft to strategic military intelligence. The targets are specifically companies supplying UAV technology to Ukraine. The likely goal is two-fold: to support Russia’s war effort with stolen intelligence and to accelerate North Korea’s own domestic drone program by reverse-engineering Western technology.
Key Cybersecurity Insights
The analysis of ScoringMathTea reveals a highly sophisticated, modular toolkit designed for long-term stealth:
- Fileless “Reflective” Loading: The malware’s core capability is a manual PE loader that downloads plugin DLLs from the C2 and maps them straight into memory, handling section mapping, relocations and import resolution itself instead of calling LoadLibrary. Because the plugins never touch disk, traditional file-based antivirus has nothing to scan; only memory inspection or behavioural monitoring can see them.
- Anti-Forensics & Evasion: The malware walks the Process Environment Block (PEB) to locate already-loaded modules such as kernel32 and parses their export tables itself, so it needs no import-table entries and never calls GetProcAddress or LoadLibrary, the resolution APIs that monitoring tools commonly hook. It also employs API hashing (comparing a hash of each export name against a hard-coded constant, so no function names appear in the binary) and stack strings (assembling strings byte by byte on the stack at runtime, so they do not show up in a strings dump) to hide its capabilities from static analysis tools.
- Custom Cryptography: Command and Control (C2) traffic is wrapped in three layers applied in sequence: compression, encryption with a custom TEA/XTEA variant in CBC mode, and Base64 encoding. Before decoding a response, the RAT discards HTML “garbage” (captive-portal and error pages returned by proxies) so that only well-formed command payloads reach the decryption routine.
- Operational Security: The malware spoofs legitimate browser User-Agents (Chrome/Edge) so its beacons blend in with normal corporate web traffic, and it computes CRC32 checksums over its own code to detect the patches and software breakpoints that an analyst’s debugger inserts.
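To make the API-hashing point concrete, here is an added example (not code from the 0x0d4y analysis or from the malware itself) showing both sides of the technique: the loader-side lookup that scans an export table for a matching hash, and the analyst-side table that turns constants recovered from a sample back into API names. The ROR13 hash, the fake kernel32 export table and the RVAs are assumptions chosen for illustration; the page only says ScoringMathTea uses a custom hash, so the real algorithm and constants will differ.

```python
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (32-bit wrap, as in x86 ror)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """ROR13 string hash: an illustrative stand-in for the RAT's custom hash.
    Each ASCII byte of the export name is folded into a rotating accumulator,
    so the binary only needs to carry the resulting 32-bit constant."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed stand-in for a module's export table (name -> fake RVA).
# A real loader reads this from the PE export directory of the module it
# found by walking the PEB's loader list.
FAKE_KERNEL32_EXPORTS: Dict[str, int] = {
    "CloseHandle": 0x1000,
    "CreateFileW": 0x1020,
    "GetProcAddress": 0x1040,
    "LoadLibraryA": 0x1060,
    "VirtualAlloc": 0x1080,
    "VirtualProtect": 0x10A0,
    "WriteFile": 0x10C0,
}


def resolve_by_hash(wanted: int, exports: Dict[str, int]) -> Optional[int]:
    """Loader side: hash every export name and return the address whose hash
    equals the hard-coded constant. No API name string is ever needed, and
    GetProcAddress is never called, so hooks on it never fire."""
    for name, rva in exports.items():
        if api_hash(name) == wanted:
            return rva
    return None


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name over a list of known export names
    (in practice, every export of kernel32/ntdll/ws2_32 and friends)."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r}")
        table[h] = n
    return table


def label_constants(constants: Iterable[int],
                    table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map 32-bit constants pulled from a sample to API names (None if unknown).
    Unknown hashes usually mean a different hash algorithm or a module you have
    not added to the table yet."""
    return {c: table.get(c) for c in constants}
```

In practice the analyst reimplements the exact hash routine recovered from the disassembly (including any seed, case folding or trailing-null handling) and feeds it the export lists of the real system DLLs; the structure of the workflow is the same as above.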
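The three-layer C2 encoding described above, as an added example that is not code from the 0x0d4y report or from ScoringMathTea: it implements standard XTEA (64-bit block, 128-bit key, 32 cycles, little-endian words) in CBC mode, wraps it with zlib compression and Base64, and applies the HTML “garbage” filter before attempting to decode a response. The key, IV, PKCS#7 padding, the zlib choice of compressor and the sample command are all assumptions; the RAT’s variant uses custom constants the page does not give, so this is a template for a decoder, not the decoder.

```python
import base64
import binascii
import struct
import zlib
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # standard (X)TEA constant; a custom variant may change it
ROUNDS = 32          # standard XTEA cycle count; also a likely customisation point
BLOCK = 8

# Constructed key and IV for the example only.
KEY = bytes(range(16))
IV = b"\x41\x42\x43\x44\x45\x46\x47\x48"


def _mix(v: int) -> int:
    return ((((v << 4) & MASK32) ^ (v >> 5)) + v) & MASK32


def xtea_encrypt_block(block: bytes, key: Tuple[int, int, int, int]) -> bytes:
    v0, v1 = struct.unpack("<2I", block)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + (_mix(v1) ^ ((s + key[s & 3]) & MASK32))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK32))) & MASK32
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: Tuple[int, int, int, int]) -> bytes:
    v0, v1 = struct.unpack("<2I", block)
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK32))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - (_mix(v1) ^ ((s + key[s & 3]) & MASK32))) & MASK32
    return struct.pack("<2I", v0, v1)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xtea_cbc_encrypt(data: bytes, key: Tuple[int, ...], iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = xtea_encrypt_block(_xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def xtea_cbc_decrypt(data: bytes, key: Tuple[int, ...], iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(xtea_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def pack_message(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Outbound direction: compress -> XTEA-CBC -> Base64."""
    k = struct.unpack("<4I", key)
    return base64.b64encode(xtea_cbc_encrypt(_pad(zlib.compress(plaintext)), k, iv))


def looks_like_html(body: bytes) -> bool:
    """Captive portals and proxy error pages come back as HTML, never as Base64."""
    head = body.lstrip()[:64].lower()
    return head.startswith((b"<!doctype", b"<html", b"<head", b"<meta", b"<script"))


def unpack_message(body: bytes, key: bytes, iv: bytes) -> Optional[bytes]:
    """Inbound direction: drop HTML garbage, then peel Base64, XTEA-CBC and
    compression. Returns None for anything that is not a well-formed command."""
    if looks_like_html(body):
        return None
    try:
        raw = base64.b64decode(b"".join(body.split()), validate=True)
        if len(raw) == 0 or len(raw) % BLOCK:
            return None
        k = struct.unpack("<4I", key)
        return zlib.decompress(_unpad(xtea_cbc_decrypt(raw, k, iv)))
    except (binascii.Error, ValueError, zlib.error):
        return None
```

When writing a decoder for a real sample, the values to recover from the disassembly are the delta, the cycle count, the key-selection expression, the word endianness and the padding rule; everything else in the pipeline is the same shape. A traffic decryptor built this way can be dropped into a proxy log parser to recover commands from captured beacons.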
Mitigation Strategies
In response to this advanced threat, defense contractors and high-tech manufacturers must adopt a layered defense:
- Deploy Behavioral Monitoring (EDR/XDR): Static file signatures will fail against ScoringMathTea’s fileless execution. Rely on Endpoint Detection and Response (EDR) tooling that flags behaviour, for example a process allocating memory and then making it executable with no backing file, or a non-browser process issuing browser-like HTTP requests, rather than matching file hashes.
- Implement Memory Scanning: Configure security tools to periodically scan process memory for executable regions that are not backed by a file on disk (private RX/RWX allocations holding PE headers or code), which is the hallmark of reflective DLL loading.
- Network Segmentation & Traffic Analysis: Isolate R&D and manufacturing networks. Fingerprint the C2 traffic itself (Base64-encoded request bodies, Chrome/Edge User-Agents sent to hosts no one else in the estate talks to, regular beacon timing) rather than only blocking known-bad IPs; the encryption hides the commands, not the pattern.
- Threat Hunting with YARA: Utilize the specific YARA rules released by researchers to hunt for traces of ScoringMathTea’s custom string decryption and API hashing algorithms within your environment.
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com