Lazarus targets European defense firms in UAV-themed Operation DreamJob – Against Invaders – Notícias de CyberSecurity para humanos.


North Korean Lazarus hackers targeted 3 European defense firms via Operation DreamJob, using fake recruitment lures to hit UAV tech staff.

North Korea-linked Lazarus APT group (aka Hidden Cobra) launched Operation DreamJob, compromising three European defense companies. Threat actors used fake recruiter profiles to lure employees into UAV technology roles, aiming to gain access to sensitive information through targeted social engineering.

Operation DreamJob has been active since at least 2020. The threat actors use social engineering to compromise their targets, with fake job offers as the lure.

The Lazarus APT has been active since 2009 and is behind major incidents like the Sony hack, WannaCry, and global cyberheists.

ESET reports that Lazarus’ latest Operation DreamJob targets UAV technology, reflecting North Korea’s push to develop drones modeled on Western designs.

ESET observed new Operation DreamJob attacks starting in March 2025, targeting three European defense firms: a metal engineering company, an aircraft parts maker, and a defense contractor. The three firms produce equipment used in Ukraine, and the attackers likely aimed to steal UAV and weapons data. Lazarus gained access via fake job offers carrying trojanized PDFs, deploying the ScoringMathTea RAT for full control. Targets were linked to UAV technology, suggesting espionage aligned with North Korea’s drone development efforts and its cooperation with Russia in the Ukraine war.

North Korea’s UAV program heavily relies on reverse engineering and IP theft, with drones like the Saetbyol-4 and Saetbyol-9 mimicking models manufactured by US firms. Evidence suggests Pyongyang uses cyberespionage, via Lazarus and related APTs, to steal UAV designs and manufacturing know-how. Operation DreamJob likely sought proprietary data on Western UAVs, aiding North Korea’s expanding drone production efforts.

In the 2025 Operation DreamJob campaign, Lazarus split its tools into two tiers: early-stage droppers, loaders, and downloaders, and main-stage payloads like the ScoringMathTea RAT. Researchers saw trojanized MuPDF, TightVNC, Notepad++ plugins, a libpcre loader, QuanPinLoader, BinMergeLoader, and a DirectInput-style dinput.dll. Loaders decrypt AES-128/ChaCha20 payloads and load them in memory via MemoryModule.

The researchers pointed out that main implants never appear unencrypted on disk. BinMergeLoader mirrors Mandiant’s MISTPEN and abuses Microsoft Graph tokens. It is interesting to note that submissions came from Italy and Spain; one dropper bore the internal name DroneEXEHijackingLoader.dll, linking the campaign to UAV-focused targets.
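A defender-side check for the trojanized dinput.dll mentioned above, as an added example that is not from ESET's report or the original article: it flags module-load events where a DLL with a Windows system name is loaded from outside the system directories. The event records are constructed and modeled on Sysmon Event ID 7 fields (Image, ImageLoaded, Signed); that the trojanized DLL sits in an application folder rather than System32 is an assumption of this example.

```python
import ntpath

# DLL names expected only in Windows system directories. dinput.dll is the
# name given in the article; the watchlist itself is an assumption to extend.
WATCHED_DLLS = {"dinput.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def _norm(path):
    # normpath collapses "..\" tricks; normcase lowercases and unifies slashes.
    return ntpath.normcase(ntpath.normpath(path))

def is_system_path(path):
    """True if the path resolves to a location inside a system directory."""
    return any(_norm(path).startswith(d + "\\") for d in SYSTEM_DIRS)

def find_suspicious_loads(events):
    """Flag watched DLLs loaded from outside the system directories."""
    findings = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        if not loaded:
            continue
        if ntpath.basename(_norm(loaded)) not in WATCHED_DLLS or is_system_path(loaded):
            continue
        exe_dir = ntpath.dirname(_norm(ev.get("Image", "")))
        findings.append({
            "process": ev.get("Image", ""),
            "dll": _norm(loaded),
            # DLL in the same folder as the executable that loaded it.
            "beside_exe": ntpath.dirname(_norm(loaded)) == exe_dir,
            "severity": "high" if ev.get("Signed") != "true" else "medium",
        })
    return findings

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 7.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Game\game.exe",
     "ImageLoaded": r"C:\Windows\System32\dinput.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\viewer\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\viewer\dinput.dll", "Signed": "false"},
    {"Image": r"C:\Tools\app.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\DINPUT.DLL", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\app\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\app\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```

Because the article notes that the main implants never appear unencrypted on disk, a load-path check like this only catches the early-stage loader, not the in-memory payload.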

ScoringMathTea is a Lazarus-linked RAT that supports approximately 40 commands, combining file/process control, data exfiltration, and remote command execution.

“The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server.” reads ESET’s report. “The current version does not show any dramatic changes in its feature set or its command parsing. So the payload is probably receiving continuous, rather minor improvements and bug fixes.”

First seen in 2022 via Airbus-themed job lures, it has since targeted firms in Portugal, Germany, India, Poland, the UK, and Italy. The malicious code is likely a key Operation DreamJob payload; it evolves through minor updates and shares traits with Lazarus tools like LightlessCan.

For nearly three years, Lazarus has consistently used ScoringMathTea and trojanized open-source apps in Operation DreamJob, achieving polymorphism that evades detection but not attribution. Despite media exposure, employee awareness in key sectors remains low. The campaign likely sought UAV-related data to support North Korea’s expanding drone program.


“Also, even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors – technology, engineering, and defense – is insufficient to handle the potential risks of a suspicious hiring process.” concludes the report.

“Although alternative hypotheses are conceivable, there are good reasons to think that this Operation DreamJob campaign was in no small part intended to collect sensitive information on UAV-related technology. Considering North Korea’s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.”


Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)


