Lazarus Group’s Operation DreamJob Targets European Defense Firms

by CybrGPT

A new series of cyber-attacks targeting European defense companies involved in drone development has been uncovered by cybersecurity researchers.

The activity, attributed by ESET to the North Korea-aligned Lazarus Group, marks the latest phase of Operation DreamJob, a long-running cyber-espionage campaign aimed at stealing sensitive military and aerospace data.

Lazarus Group Refines Espionage Tactics

The campaign, detected in March 2025, focused on three European firms – a metal engineering company, an aircraft components manufacturer and a defense contractor.

All were tricked using social-engineering tactics involving fake job offers, an established hallmark of Operation DreamJob. Victims were lured into opening trojanized PDF readers that secretly installed malware.

ESET’s telemetry revealed the use of “ScoringMathTea,” a remote access Trojan (RAT) capable of giving attackers full control over compromised systems.

The malware was delivered through a series of droppers and loaders disguised as legitimate software components, including manipulated open-source projects from GitHub.

The Drone Connection

One of the key malicious files, DroneEXEHijackingLoader.dll, led researchers to suspect that this campaign specifically sought UAV-related data. Two of the targeted companies are involved in the production of drone parts or software, an area North Korea is currently aiming to advance.

The timing of the attacks coincides with reports of North Korean soldiers supporting Russian operations in Ukraine, raising the possibility that the campaign aimed to gather intelligence on Western-made drones deployed in the conflict.

ESET believes this could support Pyongyang’s ambitions to enhance its own UAV designs, many of which bear substantial similarities to US military drones like the RQ-4 Global Hawk and MQ-9 Reaper.

Tools and Techniques

According to ESET, the attackers introduced new elements to their toolset in 2025, including:

  • Trojanized open-source applications such as TightVNC Viewer and MuPDF

  • New loaders and downloaders built from DirectX Wrappers and Notepad++ plugins

  • The continued use of ScoringMathTea as the main payload

These updates demonstrate Lazarus’s ongoing effort to refine its techniques while maintaining its characteristic strategy of blending social engineering with malware-laced software tools.

ESET concluded that this latest campaign underscores the persistent risk faced by the defense sector, particularly by organizations engaged in UAV research.

“Considering North Korea’s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.”


© 2025 cybrgpt.com – All rights reserved.