North Korea-linked Lazarus APT group (aka Hidden Cobra) launched Operation DreamJob, compromising three European defense companies. Threat actors used fake recruiter profiles to lure employees into UAV technology roles, aiming to gain access to sensitive information through targeted social engineering.
The Operation DreamJob has been active since at least 2020, threat actors have been observed using social engineering techniques to compromise its targets, with fake job offers as the lure.
The Lazarus APT has been active since 2009 and is behind major incidents like the Sony hack, WannaCry, and global cyberheists.
ESET reports that Lazarus’ latest Operation DreamJob targets UAV technology, reflecting North Korea’s push to develop drones modeled on Western designs.
ESET observed new Operation DreamJob attacks starting in March 2025, targeting three European defense firms, a metal engineering company, an aircraft parts maker, and a defense contractor. The three European defense firms producing equipment used in Ukraine, attackers likely aimed at stealing UAV and weapons data. Lazarus gained access via fake job offers carrying trojanized PDFs, deploying the ScoringMathTea RAT for full control. Targets were linked to UAV technology, suggesting espionage aligned with North Korea’s drone development efforts and its cooperation with Russia in the Ukraine war.
North Korea’s UAV program heavily relies on reverse engineering and IP theft, with drones like the Saetbyol-4 and Saetbyol-9 mimicking models manufactured by US firms. Evidence suggests Pyongyang uses cyberespionage, via Lazarus and related APTs, to steal UAV designs and manufacturing know-how. Operation DreamJob likely sought proprietary data on Western UAVs, aiding North Korea’s expanding drone production efforts.
In 2025 Operation DreamJob, Lazarus shifted tools into two tiers: early-stage droppers/loaders/downloaders and main-stage payloads like the ScoringMathTea RAT. Researchers saw trojanized MuPDF, TightVNC, Notepad++ plugins, a libpcre loader, QuanPinLoader, BinMergeLoader, and a DirectInput-style dinput.dll. Loaders decrypt AES-128/ChaCha20 payloads and load them in memory via MemoryModule.
The researchers pointed out that main implants never appear unencrypted on disk. BinMergeLoader mirrors Mandiant’s MISTPEN and abuses Microsoft Graph tokens. It is interesting to note that submissions came from Italy and Spain; one dropper bore the internal name DroneEXEHijackingLoader.dll, linking the campaign to UAV-focused targets.
ScoringMathTea is a Lazarus-linked RAT that supports approximately 40 commands, combining file/process control, data exfiltration, and remote command execution.
“The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server.” reads ESET’s report. “The current version does not show any dramatic changes in its feature set or its command parsing. So the payload is probably receiving continuous, rather minor improvements and bug fixes.”
First seen in 2022 via Airbus-themed job lures, it has since targeted firms in Portugal, Germany, India, Poland, the UK, and Italy. The malicious code is likely a key Operation DreamJob payload, it evolves through minor updates and shares traits with Lazarus tools like LightlessCan.
For nearly three years, Lazarus has consistently used ScoringMathTea and trojanized open-source apps in Operation DreamJob, achieving polymorphism that evades detection but not attribution. Despite media exposure, employee awareness in key sectors remains low. The campaign likely sought UAV-related data to support North Korea’s expanding drone program.
For nearly three years, Lazarus has consistently used ScoringMathTea and trojanized open-source apps in Operation DreamJob, achieving polymorphism that evades detection but not attribution. Despite media exposure, employee awareness in key sectors remains low. The campaign likely sought UAV-related data to support North Korea’s expanding drone program.
“Also, even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors – technology, engineering, and defense – is insufficient to handle the potential risks of a suspicious hiring process.” concludes the report.
“Although alternative hypotheses are conceivable, there are good reasons to think that this Operation DreamJob campaign was in no small part intended to collect sensitive information on UAV-related technology. Considering North Korea’s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, North Korea)