Lazarus Group’s Operation DreamJob Targets European Defense Firms

A new series of cyber-attacks targeting European defense companies involved in drone development has been uncovered by cybersecurity researchers.

The activity, attributed by ESET to the North Korea-aligned Lazarus Group, marks the latest phase of Operation DreamJob, a long-running cyber-espionage campaign aimed at stealing sensitive military and aerospace data.

Lazarus Group Refines Espionage Tactics

The campaign, detected in March 2025, focused on three European firms – a metal engineering company, an aircraft components manufacturer and a defense contractor.

All were tricked using social-engineering tactics involving fake job offers, an established hallmark of Operation DreamJob. Victims were lured into opening trojanized PDF readers that secretly installed malware.

ESET’s telemetry revealed the use of “ScoringMathTea,” a remote access Trojan (RAT) capable of giving attackers full control over compromised systems.

The malware was delivered through a series of droppers and loaders disguised as legitimate software components, including manipulated open-source projects from GitHub.

The Drone Connection

One of the key malicious files, DroneEXEHijackingLoader.dll, led researchers to suspect that this campaign specifically sought UAV-related data. Two of the targeted companies are involved in the production of drone parts or software, an area North Korea is currently aiming to advance.

The timing of the attacks coincides with reports of North Korean soldiers supporting Russian operations in Ukraine, raising the possibility that the campaign aimed to gather intelligence on Western-made drones deployed in the conflict.

ESET believes this could support Pyongyang’s ambitions to enhance its own UAV designs, many of which bear substantial similarities to US military drones like the RQ-4 Global Hawk and MQ-9 Reaper.

Tools and Techniques

According to ESET, the attackers introduced new elements to their toolset in 2025, including:

  • Trojanized open-source applications such as TightVNC Viewer and MuPDF

  • New loaders and downloaders built from DirectX Wrappers and Notepad++ plugins

  • The continued use of ScoringMathTea as the main payload

These updates demonstrate Lazarus’s ongoing effort to refine its techniques while maintaining its characteristic strategy of blending social engineering with malware-laced software tools.

ESET concluded that this latest campaign underscores the persistent risk faced by the defense sector, particularly by organizations engaged in UAV research.

“Considering North Korea’s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.”

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).