ESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the umbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea's current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers.
Key points of this blogpost:
- Lazarus attacks against companies developing UAV technology align with recently reported trends in the North Korean drone program.
- The suspected primary goal of the attackers was most likely the theft of proprietary information and manufacturing know-how.
- Based on the social-engineering method used for initial access, the trojanizing of open-source projects from GitHub, and the deployment of ScoringMathTea, we consider these attacks to be a new wave of the Operation DreamJob campaign.
- The group's most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion.
Profile of Lazarus and its Operation DreamJob
The Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as does the fact that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.
Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically the use of fake job offers for prestigious or high-profile positions (the "dream job" lure). This name was coined in a 2020 blogpost by ClearSky, and overlaps with campaigns like DeathNote or Operation North Star. Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies and the media and entertainment sector. In these campaigns, the attackers typically deploy trojanized open-source plugins for software like Notepad++ and WinMerge that serve as droppers and loaders, and payloads like ImprudentCook, ScoringMathTea, BlindingCan, miniBlindingCan, LightlessCan for Windows, and SimplexTea for Linux. The main goal is cyberespionage, focusing on stealing sensitive data, intellectual property, and proprietary information, and the secondary goal is financial gain.
Overview
Starting in late March 2025, we observed in ESET telemetry cyberattacks reminiscent of Operation DreamJob campaigns. The in-the-wild attacks successively targeted three European companies active in the defense sector. Although their activities are rather diverse, these entities can be described as:
- a metal engineering company (Southeastern Europe),
- a manufacturer of aircraft components (Central Europe), and
- a defense company (Central Europe).
All cases involved droppers that have the interesting internal DLL name, DroneEXEHijackingLoader.dll, which led us down the drone-segment rabbit hole. Moreover, initial access was most likely achieved via social engineering – an Operation DreamJob specialty. The dominant theme is a lucrative but fake job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it.
The main payload deployed to the targets was ScoringMathTea, a RAT that gives the attackers full control over the compromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus' Operation DreamJob campaigns, which makes it the attacker's payload of choice for three years already. It uses compromised servers for C&C communication, with the server side typically stored under the WordPress folder containing design themes or plugins.
In summary, we attribute this activity with a high level of confidence to Lazarus, specifically to its campaigns related to Operation DreamJob, based on the following:
- Initial access was obtained via social engineering, convincing the target to execute malware disguised as a job description, in order to advance in a hiring process.
- Trojanizing open-source projects and then crafting their exports to fit DLL side-loading appears to be an approach specific to Operation DreamJob.
- The flagship payload for later stages, ScoringMathTea, was used in multiple similar attacks in the past.
- The targeted sectors, located in Europe, align with the targets of previous instances of Operation DreamJob (aerospace, defense, engineering).
Geopolitical context
The three targeted organizations manufacture various types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries' military aid. At the time of Operation DreamJob's observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine's offensive in the Kursk oblast. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war.
More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it may be hoping to perfect its own designs and processes. Of course, there is no indication that the targeted companies supply military equipment to the South Korean military – which could have been another element explaining Operation DreamJob's interest in these companies. Interestingly, however, at least two of these organizations are clearly involved in the development of UAV technology, with one manufacturing critical drone components and the other reportedly engaged in the design of UAV-related software.
The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities. Although this undertaking can be traced back more than a decade, many observers posit that North Korea's recent experience of modern warfare in the Russia-Ukraine war has only strengthened Pyongyang's resolve regarding its drone program. The North Korean regime is now reportedly receiving assistance from Russia to produce its own version of the Iranian-made Shahed suicide drone and is also apparently working on low-cost attack UAVs that could be exported to African or Middle Eastern countries.
Assessing the "drone connection"
If one thing is clear, it is that North Korea has relied heavily on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. As recent open-source reports illustrate, North Korea's current flagship reconnaissance drone, the Saetbyol-4, looks like a carbon copy of the Northrop Grumman RQ-4 Global Hawk, while its multipurpose combat drone, the Saetbyol-9, bears a striking resemblance to General Atomics' MQ-9 Reaper. The fact that both designations mirror the number associated with their US equivalent may even be a not-so-subtle nod to that influence. Although these aircraft's performance may well differ from that of their US counterparts, there is no doubt that the latter served as a strong inspiration for North Korea's designs.
This is probably where cybercapabilities enter the fray. While other intelligence sources were most likely mobilized by Pyongyang to help copy Western UAVs, there are indications that cyberespionage may have played a role. Recently, multiple campaigns affecting the aerospace sector (including UAV technology specifically) have been attributed to North Korea-aligned APT groups, with Operation North Star (a campaign presenting some overlap with Operation DreamJob) being one of them. In 2020, ESET researchers documented a similar campaign, which we then named Operation In(ter)ception and later attributed to Lazarus with high confidence. As several groups related to Lazarus have been formally linked to North Korean intelligence services by US authorities and others, these precedents strongly suggest that cyberespionage is among the tools leveraged by the regime for reverse engineering Western UAVs – and that groups operating under the broad Lazarus umbrella are taking an active part in this effort.
In this context, we believe it is likely that Operation DreamJob was – at least partly – aimed at stealing proprietary information, and manufacturing know-how, relating to UAVs. The Drone mention seen in one of the droppers significantly reinforces this hypothesis.
To be clear, we can only hypothesize as to the exact kind of information Operation DreamJob was after. However, we have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the frontline. This entity is also involved in the supply chain of advanced single-rotor drones (i.e., unmanned helicopters), a type of aircraft that Pyongyang is actively developing but has not proved able to militarize so far. These may be among the potential motivations behind Operation DreamJob's observed activities. More generally, as North Korea is reportedly in the process of building a factory for mass-producing UAVs, it may also be seeking privileged knowledge regarding UAV-related industrial processes and manufacturing techniques.
Toolset
Reports from Google's Mandiant in September 2024 and from Kaspersky in December 2024 describe tools used by Lazarus in its Operation DreamJob in 2024. In this section, we mention the tools to which the group shifted in Operation DreamJob in 2025. Based on their position in the execution chain, we distinguish two types of tools: early stages that consist of various droppers, loaders, and downloaders; and the main stages that represent payloads like RATs and complex downloaders that give the attackers sufficient control over the compromised machine.
Besides the in-the-wild cases seen in ESET telemetry, the activity of the attackers also manifested as VirusTotal submissions occurring at the same time. A trojanized MuPDF reader, QuanPinLoader, a loader disguised as a Microsoft DirectInput library (dinput.dll), and a variant of ScoringMathTea were submitted from Italy in April and June 2025; BinMergeLoader was submitted in August 2025 from Spain.
Droppers, loaders, and downloaders
Typically, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes these tools and allows them to become detected. As a countermeasure, the group's tools are preceded in the execution chain by a series of droppers, loaders, and simple downloaders. Usually, the loaders used look for the next stage on the file system or in the registry, decrypt it using AES-128 or ChaCha20, and manually load it in memory via the routines implemented in the MemoryModule library; a dropper is basically a loader but contains the next stage embedded in its body. The main payload, ScoringMathTea in all cases observed, is not present on the disk in unencrypted form. Example execution chains are shown in Figure 1. In some cases, the attackers also deployed a complex downloader that we call BinMergeLoader, which has similarities to the MISTPEN malware reported by Google's Mandiant. BinMergeLoader leverages the Microsoft Graph API and uses Microsoft API tokens for authentication.

The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub. The choice of project varies from one attack to another. In 2025, we observed the following malware:
- Trojanized TightVNC Viewer and MuPDF reader that serve as downloaders.
- A trojanized end-of-life libpcre v8.45 library for Windows, serving as a loader.
- A loader that has the Mandarin Chinese character 样 (yàng in the Pinyin transliteration) as an icon in its resources. It also contains the string SampleIMESimplifiedQuanPin.txt, which means it is probably based on the open-source project Sample IME, a TSF-based input method editor demo. We call this QuanPinLoader.
- Loaders built from the open-source project DirectX Wrappers.
- Downloaders built from open-source plugins for WinMerge (DisplayBinaryFiles and HideFirstLetter). We call the two trojanized plugins BinMergeLoader.
- Trojanized open-source plugins for Notepad++, specifically a downloader similar to BinMergeLoader (NPPHexEditor v10.0.0 by MacKenzie Cumings) and a dropper of an unknown payload (ComparePlus v1.1.0 by Pavel Nedev). The latter binary contains the PDB path E:\Work\Troy\안정화\wksprt\comparePlus-master\Notepad++\plugins\ComparePlus\ComparePlus.pdb, which indicates the origin of the project (comparePlus-master) and its intended legitimate parent process (wksprt). Moreover, 안정화 means stable in Korean, which suggests that the code was probably properly tested and reliable.
One of the droppers (SHA-1: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4) has the internal DLL name DroneEXEHijackingLoader.dll and is disguised as a Windows Web Services Runtime library in order to be successfully side-loaded; see Figure 2. We believe that the substring drone is there to designate both a UAV device and the attacker's internal campaign name.

Table 1 shows a typical combination of legitimate executable files (EXEs) and malicious dynamic link libraries (DLLs) dropped on the victim's machine (this is analogous to Table 1 in our blogpost on an attack against a Spanish aerospace company in 2023). The DLLs in the third column are either trojanized open-source applications (see the fourth column for the underlying project) or a standalone malware binary without such benign context, with a legitimate EXE side-loading it. The location folder (the first column) is unusual for such legitimate applications. Malicious DLLs use the DLL proxying technique, so as not to break the execution. Therefore, when a DLL is also a trojanized project, it contains two heterogeneous types of exports: first the set of functions required for DLL proxying, and second the set of functions exported from the open-source project.
Table 1. Summary of binaries involved in the attack
| Location folder | Legitimate parent process | Malicious side-loaded DLL | Trojanized project (payload) |
|---|---|---|---|
| N/A | wksprt.exe* | webservices.dll | ComparePlus v1.1.0 (N/A) |
| %ALLUSERSPROFILE%\EMC, %ALLUSERSPROFILE%\Adobe | wksprt.exe | webservices.dll | Standalone (ScoringMathTea) |
| %ALLUSERSPROFILE% | wkspbroker.exe | radcui.dll | DirectX wrappers d3d8.dll/ddraw.dll (ScoringMathTea) |
| %APPDATA%\Microsoft\RemoteApp | wkspbroker.exe | radcui.dll | Standalone (BinMergeLoader) |
* Denotes a VirusTotal submission and its likely parent process. The payload is unknown, since a long command-line argument is required for its decryption from the trojanized project.
ScoringMathTea
ScoringMathTea is a complex RAT that supports around 40 commands. Its name is a combination of the root ScoringMath, taken from a C&C domain used by an early variant (www.scoringmnmathleague[.]org), and the suffix -Tea, which is ESET Research's designation for a North Korea-aligned payload. It was first publicly documented by Kaspersky in April 2023 and later by Microsoft in October 2023 under the name ForestTiger, which follows the internal DLL name or the PDB information found in some samples.
Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, changing the configuration, collecting the victim's machine information, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server. The current version does not show any dramatic changes in its feature set or its command parsing, so the payload is probably receiving continuous, rather minor improvements and bug fixes.
Regarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It seems to be one of the flagship payloads for Operation DreamJob campaigns, even though Lazarus has more sophisticated payloads like LightlessCan at its disposal.
Conclusion
For almost three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications. This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, although it is insufficient to mask the group's identity and obscure the attribution process. Moreover, even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors – technology, engineering, and defense – is insufficient to handle the potential risks of a suspicious hiring process.
Although alternative hypotheses are plausible, there are good reasons to assume that this Operation DreamJob campaign was in no small part intended to collect sensitive information on UAV-related technology. Considering North Korea's current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 28978E987BC59E75CA22562924EAB93355CF679E | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| 5E5BBA521F0034D342CC26DB8BCFECE57DBD4616 | libmupdf.dll | Win64/NukeSped.TE | A loader disguised as a MuPDF rendering library v3.3.3. |
| B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539 | radcui.dll | Win64/NukeSped.TO | A dropper disguised as a RemoteApp and Desktop Connection UI Component library. |
| 26AA2643B07C48CB6943150ADE541580279E8E0E | HideFirstLetter.DLL | Win64/NukeSped.TO | BinMergeLoader. |
| 0CB73D70FD4132A4FF5493DAA84AAE839F6329D5 | libpcre.dll | Win64/NukeSped.TP | A loader that is a trojanized libpcre library. |
| 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4 | webservices.dll | Win64/NukeSped.RN | A dropper disguised as a Microsoft Web Services Runtime library. |
| 71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 87B2DF764455164C6982BA9700F27EA34D3565DF | webservices.dll | Win64/NukeSped.RW | A dropper disguised as a Microsoft Web Services Runtime library. |
| E670C4275EC24D403E0D4DE7135CBCF1D54FF09C | N/A | Win64/NukeSped.RW | ScoringMathTea. |
| B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE | radcui.dll | Win64/NukeSped.TF | A loader disguised as a RemoteApp and Desktop Connection UI Component library. |
| 5B85DD485FD516AA1F4412801897A40A9BE31837 | RCX1A07.tmp | Win64/NukeSped.TH | A loader of an encrypted ScoringMathTea. |
| B68C49841DC48E3672031795D85ED24F9F619782 | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| AC16B1BAEDE349E4824335E0993533BF5FC116B3 | cache.dat | Win64/NukeSped.QK | A decrypted ScoringMathTea RAT. |
| 2AA341B03FAC3054C57640122EA849BC0C2B6AF6 | msadomr.dll | Win64/NukeSped.SP | A loader disguised as a Microsoft DirectInput library. |
| CB7834BE7DE07F89352080654F7FEB574B42A2B8 | ComparePlus.dll | Win64/NukeSped.SJ | A trojanized Notepad++ plugin disguised as a Microsoft Web Services Runtime library. A dropper from VirusTotal. |
| 262B4ED6AC6A977135DECA5B0872B7D6D676083A | tzautosync.dat | Win64/NukeSped.RW | A decrypted ScoringMathTea, stored encrypted on the disk. |
| 086816466D9D9C12FCADA1C872B8C0FF0A5FC611 | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05 | cache.dat | Win64/NukeSped.SN | A downloader similar to BinMergeLoader built as a trojanized NPPHexEditor plugin. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 23.111.133[.]162 | coralsunmarine[.]com | HIVELOCITY, Inc. | 2024-06-06 | ScoringMathTea C&C server: https://coralsunmarine[.]com/wp-content/themes/flatsome/inc/functions/function-hand.php |
| 104.21.80[.]1 | kazitradebd[.]com | Cloudflare, Inc. | 2025-01-11 | ScoringMathTea C&C server: https://kazitradebd[.]com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php |
| 70.32.24[.]131 | oldlinewoodwork[.]com | A2 Hosting, Inc. | 2024-06-14 | ScoringMathTea C&C server: https://oldlinewoodwork[.]com/wp-content/themes/zubin/inc/index.php |
| 185.148.129[.]24 | www.mnmathleague[.]org | A2 Hosting, Inc. | 2024-06-15 | ScoringMathTea C&C server: https://www.mnmathleague[.]org/ckeditor/adapters/index.php |
| 66.29.144[.]75 | pierregems[.]com | Namecheap, Inc. | 2024-08-11 | ScoringMathTea C&C server: https://pierregems[.]com/wp-content/themes/woodmart/inc/configs/js-hand.php |
| 108.181.92[.]71 | www.scgestor.com[.]br | Psychz Networks | 2024-07-15 | ScoringMathTea C&C server: https://www.scgestor.com[.]br/wp-content/themes/vantage/inc/template-headers.php |
| 104.247.162[.]67 | galaterrace[.]com | GNET Web Telekomunikasyon A.S. | 2024-06-27 | ScoringMathTea C&C server: https://galaterrace[.]com/wp-content/themes/hello-elementor/includes/functions.php |
| 193.39.187[.]165 | ecudecode[.]mx | Heymman Servers Corporation | 2025-05-14 | ScoringMathTea C&C server: https://ecudecode[.]mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php |
| 172.67.193[.]139 | www.anvil.org[.]ph | Cloudflare, Inc. | 2025-02-22 | ScoringMathTea C&C server: https://www.anvil.org[.]ph/directory/images/index.php |
| 77.55.252[.]111 | partnerls[.]pl | Nazwa.pl Sp.z.o.o. | 2025-06-02 | ScoringMathTea C&C server: https://partnerls[.]pl/wp-content/themes/public/index.php |
| 45.148.29[.]122 | trainingpharmacist.co[.]uk | Webdock.io ApS | 2024-06-13 | ScoringMathTea C&C server: https://trainingpharmacist.co[.]uk/bootstrap/bootstrap.php |
| 75.102.23[.]3 | mediostresbarbas.com[.]ar | DEFT.COM | 2024-06-05 | ScoringMathTea C&C server: https://mediostresbarbas.com[.]ar/php_scrip/banahosting/index.php |
| 152.42.239[.]211 | www.bandarpowder[.]com | DigitalOcean, LLC | 2024-09-19 | ScoringMathTea C&C server: https://www.bandarpowder[.]com/public/assets/buttons/bootstrap.php |
| 95.217.119[.]214 | spaincaramoon[.]com | Hetzner Online GmbH | 2025-04-30 | ScoringMathTea C&C server: https://spaincaramoon[.]com/realestate/wp-content/plugins/gravityforms/ahead.php |
MITRE ATT&CK techniques
This table was built using version 17 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1584.004 | Compromise Infrastructure: Server | ScoringMathTea uses compromised servers for C&C. |
| | T1587.001 | Develop Capabilities: Malware | All stages in the attack were most likely developed by the attackers. |
| Execution | T1106 | Native API | Windows APIs are essential for ScoringMathTea to function and are resolved dynamically at runtime. |
| | T1129 | Shared Modules | ScoringMathTea is able to load a downloaded DLL with the exports fun00 or exportfun00. |
| | T1204.002 | User Execution: Malicious File | Lazarus attackers relied on the execution of trojanized PDF readers. |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Trojanized droppers (webservices.dll, radcui.dll) use legitimate programs (wksprt.exe, wkspbroker.exe) for their loading. |
| Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | ScoringMathTea can create a new process in the security context of the user represented by a specified token. |
| | T1140 | Deobfuscate/Decode Files or Information | The main payload, ScoringMathTea, is always encrypted on the file system. |
| | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | ScoringMathTea resolves Windows APIs dynamically. |
| | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage. |
| | T1620 | Reflective Code Loading | The droppers and loaders use reflective DLL injection. |
| | T1055 | Process Injection | ScoringMathTea and BinMergeLoader can reflectively load a DLL in the process specified by the PID. |
| Discovery | T1083 | File and Directory Discovery | ScoringMathTea can locate a file by its name. |
| | T1057 | Process Discovery | ScoringMathTea can list all running processes. |
| | T1082 | System Information Discovery | ScoringMathTea can mimic the ver command. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | ScoringMathTea and BinMergeLoader use HTTP and HTTPS for C&C. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | ScoringMathTea encrypts C&C traffic using the IDEA algorithm and BinMergeLoader using the AES algorithm. |
| | T1132.001 | Data Encoding: Standard Encoding | ScoringMathTea adds a base64-encoding layer to its encrypted C&C traffic. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | ScoringMathTea can exfiltrate data to its C&C server. |




