ScoringMathTea is a sophisticated remote access trojan (RAT) that grants attackers complete control over infected Windows computers. First discovered in late 2022 and actively deployed since then, this malware has become the signature payload for a North Korean threat group known as Lazarus, particularly in their Operation DreamJob campaigns targeting corporate employees. Unlike everyday malware that spreads randomly, ScoringMathTea represents a deliberate, targeted threat designed to establish persistent backdoor access to business networks and personal systems.

ScoringMathTea — cybersecurity illustration
Photo by cottonbro studio on Pexels

If you're in the Roswell area and suspect your computer has been compromised, we've helped dozens of local businesses and homeowners remove persistent threats like this. Here's what you need to know about ScoringMathTea—and how to get it off your machine.

Think you're infected right now? Disconnect your computer from the internet immediately by unplugging your Ethernet cable or disabling Wi-Fi. Do not log into any financial accounts, email, or work systems until the infection is confirmed and removed. If this is a work computer, contact your IT department immediately. For personal machines in the Roswell area, call us at Computer Repair Roswell—we can often schedule same-day diagnostics.

Threat Profile

Attribute Details
Threat Name ScoringMathTea
Threat Type Remote Access Trojan (RAT)
Platform Windows (PE executable)
First Seen Late 2022 (first VirusTotal upload)
Attribution Lazarus Group (North Korean APT), Operation DreamJob campaigns
Distribution Method Social engineering via fake job offers, compromised WordPress sites
Payload Capability Full remote control, keylogging, file exfiltration, lateral movement
C&C Infrastructure Compromised legitimate servers, typically in WordPress template/plugin directories
Target Profile Corporate employees (aerospace, defense, cryptocurrency, technology sectors), high-value individuals
Persistence Mechanism Registry run keys, scheduled tasks, service installation (methods vary)
Detection Difficulty High (uses legitimate infrastructure, advanced evasion techniques)
Data at Risk Credentials, financial data, intellectual property, communication records, network access

How It Spreads

ScoringMathTea doesn't spread through random spam or drive-by downloads like typical consumer malware. The Lazarus Group deploys it through highly targeted social engineering campaigns, most notably their Operation DreamJob scheme. In these attacks, cybercriminals impersonate recruiters from prestigious companies—think major tech firms, aerospace contractors, or cryptocurrency exchanges—and reach out to specific individuals via LinkedIn, email, or professional networking platforms with compelling job opportunities.

The initial contact appears legitimate: professional messaging, realistic job descriptions, and what looks like standard hiring process documents. Victims are typically asked to download and review a "job description" or complete a "coding challenge" that comes as a PDF or document file. However, these files are actually disguised droppers—specialized malware designed to silently install ScoringMathTea on the target's system. Some variants use malicious Visual Studio projects or development environment files to appeal specifically to software engineers and developers, who are less likely to be suspicious of such file types in a recruitment context.

Common distribution vectors include:

  • Weaponized PDF documents sent via email from fake recruiter accounts
  • Trojanized Visual Studio project files containing "coding assessments" or "take-home challenges"
  • Malicious ZIP archives labeled as application forms or company information packages
  • Compromised legitimate websites hosting the dropper, often on hacked WordPress installations
  • Direct messaging on professional networks (LinkedIn, GitHub) with links to external resources
  • Follow-up email campaigns after initial contact establishes trust with the victim

What makes this particularly dangerous is the patient, multi-step approach. Attackers often engage in conversation over days or weeks, building credibility before delivering the malicious payload. By the time the victim downloads the infected file, they've been psychologically primed to trust the source.

What It Does On Your Machine

Once ScoringMathTea establishes itself on your system, it functions as a comprehensive remote access toolkit that gives attackers essentially the same control over your computer that you have when sitting at the keyboard. The malware operates quietly in the background, with no visible windows or obvious system slowdowns to alert the victim. Its primary mission is long-term persistence and data exfiltration rather than immediate system damage, which makes it particularly insidious—many victims remain unaware of the infection for weeks or months.

The trojan establishes communication with command-and-control (C&C) servers that are typically compromised legitimate websites rather than obviously malicious infrastructure. ESET researchers have documented that these C&C servers are often WordPress installations where the server-side component is hidden within the site's template or plugin directories, making detection by website owners and security scanners more difficult. This technique allows the malware to blend in with normal web traffic and avoid blacklist-based security measures.

ScoringMathTea's capabilities include comprehensive system enumeration (gathering information about installed software, hardware, network configuration, and user accounts), keystroke logging to capture passwords and confidential information, screenshot capture at regular intervals or triggered by specific activities, file system access for both uploading stolen data and downloading additional malware modules, and the ability to execute arbitrary commands with the same privileges as the infected user account. If the infected account has administrative rights, the attackers gain full system control.

Typical ScoringMathTea Behavioral Indicators (observed in sandbox analysis): C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\[random] # Dropper may place initial payload in user AppData directories with randomized naming Registry modifications (persistence): HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run # Creates autostart entries to survive reboots Network connections to compromised infrastructure: Outbound HTTPS connections to legitimate-appearing domains # Traffic often to compromised WordPress sites, /wp-content/themes/ or /wp-content/plugins/ paths C:\Windows\System32\Tasks\[TaskName] # May create scheduled tasks for persistence and periodic execution Process injection techniques: Code injection into legitimate Windows processes (explorer.exe, svchost.exe) # Makes detection and removal more complex

The malware is designed for stealth and long-term operation. Unlike ransomware that announces its presence immediately, ScoringMathTea wants to remain undetected as long as possible while the attackers harvest credentials, monitor communications, and potentially move laterally through your network if you're connected to a business environment. For home users, the primary risks are identity theft, financial account compromise, and the potential for your system to be used as a launching point for attacks against your employer's network if you work remotely.

Manual Removal — Step by Step

01

Disconnect from the Network Immediately

Before attempting any removal steps, physically disconnect your computer from the internet by unplugging the Ethernet cable or disabling your Wi-Fi adapter. This prevents the malware from receiving new commands, exfiltrating additional data, or potentially triggering a destructive payload if it detects removal attempts. For laptops, also consider removing the battery if possible after shutdown to ensure complete isolation.

02

Boot Into Safe Mode with Networking

Restart your computer and enter Safe Mode (press F8 repeatedly during boot on older systems, or use the Shift+Restart method from the Windows login screen on Windows 10/11). Choose "Safe Mode with Networking" as you'll need internet access to download removal tools. Safe Mode loads only essential drivers and services, preventing most malware from executing and making removal significantly easier.

03

Run Complete System Scans with Multiple Tools

Download and run several reputable anti-malware tools in sequence: Malwarebytes, Kaspersky Rescue Disk, and ESET Online Scanner are all effective choices. No single tool catches everything, especially with sophisticated threats like ScoringMathTea. Run each tool with full system scans (not quick scans), allow them to quarantine detected threats, and reboot after each scan completes. This process can take several hours but is essential for thorough cleaning.

04

Manually Inspect Startup Locations

Open the System Configuration tool (type "msconfig" in the Windows search box) and review the Startup tab for suspicious entries. Also check Task Scheduler (taskschd.msc) for recently created tasks with random names or unclear purposes. Use the Registry Editor (regedit.exe) to examine HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for unknown programs. Document anything suspicious before deleting, as you may need this information for incident response.

05

Examine AppData and Temporary Directories

Navigate to C:\Users\[YourUsername]\AppData\Roaming and C:\Users\[YourUsername]\AppData\Local and look for recently created folders with random or generic names that don't correspond to known applications. Sort by "Date Modified" to identify newly created files. ScoringMathTea droppers often place files in these locations. Be cautious when deleting—legitimate programs also use these directories—but remove anything that security scans flagged or that appears after the suspected infection date.

06

Check for Process Injection Artifacts

Download and run Process Explorer from Microsoft Sysinternals (a free, legitimate Microsoft tool). This advanced task manager can reveal hidden processes and code injection. Look for legitimate Windows processes (like explorer.exe or svchost.exe) with unusual network connections or loaded DLLs from unexpected locations. If you find suspicious activity, note the process details, but don't attempt to forcefully terminate system processes as this can cause instability.

07

Reset Network Settings and DNS

Open Command Prompt as administrator and run these commands: "ipconfig /flushdns" to clear DNS cache, "netsh winsock reset" to reset network stack, and "netsh int ip reset" to reset TCP/IP settings. Restart after these commands complete. This removes any network-level modifications the malware may have made to redirect traffic or maintain persistence through network configurations.

08

Change All Passwords from a Clean Device

This is critical: from a known-clean device (another computer, a smartphone not connected to your network, etc.), immediately change passwords for all accounts accessed from the infected machine. Prioritize email accounts (they're often used for password resets on other services), financial accounts, work credentials, and any accounts with stored payment information. Enable two-factor authentication wherever possible for additional protection.

09

Monitor Financial Accounts and Credit Reports

Place fraud alerts with the major credit bureaus (Equifax, Experian, TransUnion) and review all financial statements for unauthorized transactions. If this was a work computer, inform your IT security team immediately—they need to assess whether the infection spread to network resources. Consider enrolling in identity theft monitoring services, as information stolen by ScoringMathTea may not be used immediately but could be sold or exploited months later.

10

Consider Clean Reinstallation

For high-value targets or if you handled sensitive information on the infected machine (corporate data, financial records, legal documents), the only completely reliable removal method is wiping the drive and performing a clean Windows installation from verified media. Advanced persistent threats like ScoringMathTea can use rootkit techniques and firmware-level persistence that survive standard removal methods. Back up personal files to external media (scan them separately before restoring), then reinstall from scratch.

Prevention

  1. Verify unexpected job offers independently. If a recruiter contacts you through LinkedIn or email, visit the company's official website and confirm the position exists and the recruiter is legitimate before downloading any materials. Real recruiters will understand if you want to verify their identity through official channels.
  2. Never execute files from untrusted sources, especially compressed archives or Visual Studio projects. If a "recruiter" asks you to run code or open a project file before you've had a video interview or verified the opportunity through official channels, it's almost certainly a social engineering attack. Legitimate technical assessments are conducted through established platforms like HackerRank or CoderPad, not random ZIP files.
  3. Maintain comprehensive endpoint security with real-time protection. Business-grade security solutions (Kaspersky, ESET, Bitdefender, or enterprise solutions like CrowdStrike) offer significantly better detection of sophisticated threats than free consumer antivirus. Keep definitions updated and don't disable protection to "speed up" your system.
  4. Enable and enforce email security filtering. For businesses, implement DMARC, SPF, and DKIM to prevent email spoofing. For personal accounts, be extremely skeptical of attachments and links even from known contacts—accounts are frequently compromised and used to spread malware to the victim's contacts.
  5. Segment work and personal computing environments. If possible, use separate devices for work and personal activities. At minimum, use separate browser profiles or even separate user accounts on shared machines. This limits the damage if one environment is compromised and prevents malware from easily accessing both personal and corporate resources.
  6. Keep all software updated with the latest security patches. Many sophisticated malware families exploit known vulnerabilities in Windows, browsers, or common applications like PDF readers. Enable automatic updates for your operating system and all installed software, especially security-critical components like Java, Adobe products, and web browsers.
  7. Implement network monitoring for home offices. If you work remotely with access to corporate resources, consider next-generation firewalls or security-focused routers that can detect and block suspicious outbound connections. Many advanced threats are identified by their command-and-control communication patterns rather than the initial infection.
  8. Practice the principle of least privilege. Don't use an administrator account for daily computing activities. Create a standard user account for routine work and only elevate privileges when necessary for specific administrative tasks. This significantly limits malware's ability to establish deep system-level persistence or spread laterally through your network.
Our 90-Day Warranty: When Computer Repair Roswell removes malware from your system, we stand behind our work with a 90-day warranty. If the same threat returns within three months, we'll re-clean your system at no additional charge. We also provide written documentation of the removal process and security hardening steps we've taken, along with personalized recommendations for keeping your specific system protected going forward.

Bring It In

Removing sophisticated remote access trojans like ScoringMathTea requires both technical expertise and specialized tools that go beyond what most consumer antivirus products can handle. At Computer Repair Roswell, we've invested in enterprise-grade malware analysis and removal capabilities specifically because we see these threats affecting local businesses and residents regularly. Our technicians use multiple scanning engines, behavioral analysis tools, and forensic techniques to ensure complete removal—not just of the visible infection, but also hidden persistence mechanisms that allow the malware to return after seemingly successful cleaning.

We're located right here in Roswell, Georgia, and we understand the urgency when you're dealing with a potential security breach. Whether you're a small business owner worried about data theft, a remote worker concerned about exposing your employer's network, or a home user who needs peace of mind, we can help. Call us or stop by the shop—we'll run a comprehensive diagnostic, explain exactly what we find in plain language, provide a clear quote before any work begins, and typically complete the removal and security hardening within 24-48 hours. Don't let a sophisticated threat like ScoringMathTea compromise your security, your identity, or your business. Let's get your system cleaned properly and locked down against future attacks.