VYPR
breach · Published Oct 23, 2025 · Updated May 18, 2026 · 1 source

Lazarus Group Targets European UAV Manufacturers in New Operation DreamJob Wave

ESET researchers have uncovered a new wave of Operation DreamJob attacks by the North Korea-linked Lazarus group targeting three European defense companies, including UAV manufacturers, to steal drone technology.

ESET researchers have uncovered a new wave of Operation DreamJob attacks by the North Korea-linked Lazarus group, targeting three European defense companies heavily involved in the unmanned aerial vehicle (UAV) sector. The campaign, active since late March 2025, aims to steal proprietary manufacturing know-how to support North Korea's drone program. This marks a significant escalation in Lazarus's cyberespionage efforts, aligning with geopolitical tensions surrounding the Russia-Ukraine war.

The attacks rely on social engineering, a hallmark of Operation DreamJob, in which victims receive fake job offers for prestigious positions. The initial access vector involves trojanized open-source projects, such as Notepad++ and WinMerge, which serve as droppers. Once executed, they deploy the ScoringMathTea remote access trojan (RAT), granting attackers full control over compromised systems. ESET noted the use of new DLL proxying libraries for improved evasion, indicating Lazarus's continuous evolution.

The three targeted companies span Southeastern and Central Europe, including a metal engineering firm, an aircraft components manufacturer, and a defense company. All were infected with droppers bearing the internal name "DroneEXEHijackingLoader.dll," directly linking the campaign to UAV technology theft. The attackers likely sought sensitive information on Western-made weapons systems deployed in Ukraine, where North Korean soldiers have reportedly been assisting Russia.

ScoringMathTea, first seen in late 2022, remains Lazarus's payload of choice for Operation DreamJob. It communicates with command-and-control servers hosted on compromised WordPress installations, often disguised as design templates or plugins. The RAT provides full remote control, enabling data exfiltration and persistent access. ESET attributes the campaign to Lazarus with high confidence based on the social engineering tactics, trojanized open-source projects, and use of ScoringMathTea.

The geopolitical context is critical: the targeted organizations produce military equipment used in Ukraine, and North Korea's involvement in the conflict may drive the espionage. By stealing UAV manufacturing know-how, North Korea aims to enhance its domestic drone program, which has seen recent advancements. This campaign underscores the intersection of cyberespionage and geopolitical strategy, as Lazarus continues to target defense sectors globally.

ESET's findings highlight the persistent threat posed by Lazarus, which has been active since 2009 and is responsible for major incidents like the Sony Pictures hack and WannaCry ransomware. Operation DreamJob specifically focuses on aerospace, defense, and engineering sectors, using tailored lures to compromise high-value targets. The new wave demonstrates Lazarus's adaptability, employing updated tools and techniques to evade detection.

Organizations in the defense and aerospace sectors should remain vigilant against social engineering attacks, particularly those involving job offers. ESET recommends implementing robust endpoint detection, monitoring for suspicious DLL sideloading, and educating employees about phishing risks. As Lazarus continues to refine its methods, proactive defense measures are essential to mitigate the threat of intellectual property theft.
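One way to act on the DLL sideloading monitoring recommendation above, as an added example that is not from ESET or the original page: a triage pass over image-load events shaped like Sysmon Event ID 7. The DLL name list, the directory heuristics and the sample events are constructed assumptions, not indicators from the report.

```python
import ntpath

# Assumption: illustrative subset of DLL names that normally load only from
# Windows system directories; extend it from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "winmm.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

def norm(path):
    # normpath collapses "..\" so a crafted path cannot fake a system prefix
    return ntpath.normpath(path).lower()

def classify(event):
    """Return a reason string for a suspicious image load, else None."""
    image, loaded = norm(event["Image"]), norm(event["ImageLoaded"])
    signed_ok = (event.get("Signed") == "true"
                 and event.get("SignatureStatus") == "Valid")
    # A system DLL name resolved from a non-system path is the proxying pattern.
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not loaded.startswith(SYSTEM_DIRS):
        return "system-dll-name-outside-system-dir"
    # An unsigned DLL sitting beside its host EXE in a user-writable folder.
    beside_exe = ntpath.dirname(loaded) == ntpath.dirname(image)
    if beside_exe and not signed_ok and any(d in loaded for d in USER_WRITABLE):
        return "unsigned-dll-beside-exe-in-user-writable-dir"
    return None

def triage(events):
    return [(e["ImageLoaded"], r) for e in events if (r := classify(e))]

# Constructed sample events (not real telemetry, not indicators from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\offer\WinMerge\WinMergeU.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\offer\WinMerge\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\offer\npp\notepad++.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\offer\npp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\..\..\Users\alice\AppData\Local\App\winmm.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(reason, path)
```

Hits from heuristics like these are leads for analyst review rather than verdicts, since portable builds of legitimate tools also load unsigned DLLs from user folders.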

Synthesized by Vypr AI