Lazarus, a classy North Korean-aligned hacking group often known as HIDDEN COBRA, has launched a brand new wave of focused assaults towards European drone producers and protection contractors.
The marketing campaign, tracked as Operation DreamJob, emerged in late March 2025 and particularly targets organizations creating unmanned aerial car expertise throughout Central and Southeastern Europe.
Researchers have recognized this exercise as a part of a broader strategic effort by North Korea to speed up its home drone program, significantly following elevated funding in trendy warfare capabilities noticed within the Russia-Ukraine battle.
The marketing campaign represents a major escalation in cyberespionage ways geared toward stealing proprietary manufacturing data and mental property from the aerospace and protection sectors.
Three European firms have been confirmed as targets, with at the least two closely concerned in designing superior single-rotor drones and producing crucial UAV elements at the moment deployed in energetic battle zones.
The timing of those assaults coincides with North Korea’s reported efforts to mass-produce fight and reconnaissance drones just like Western fashions just like the MQ-9 Reaper and RQ-4 World Hawk.
Welivesecurity analysts and researchers famous that the malware infrastructure utilized in these assaults employs subtle supply mechanisms designed to evade conventional safety defenses.
Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea (Supply – Welivesecurity)
The assault begins with social engineering, particularly utilizing pretend job gives for prestigious positions to trick staff into downloading trojanized paperwork.
As soon as executed, the malware deploys a sequence of specialised instruments designed to keep up persistent entry and keep away from detection on compromised techniques.
An infection mechanism
The first an infection mechanism depends on DLL side-loading, a way the place official Home windows purposes are exploited to load malicious libraries with out triggering safety alerts.
A dropper with a suspicious inside title and exports from a official Microsoft library (Supply – Welivesecurity)
The attackers have included their malware into trojanized variations of standard open-source software program, together with TightVNC Viewer, MuPDF reader, and WinMerge plugins.
One significantly revealing dropper contained the interior filename DroneEXEHijackingLoader.dll, instantly referencing the attackers’ marketing campaign deal with drone expertise.
The primary payload deployed throughout all incidents is ScoringMathTea, a distant entry trojan that gives attackers full management over compromised machines.
This subtle malware gives roughly 40 completely different instructions for system manipulation, file exfiltration, and additional payload deployment.
What makes ScoringMathTea significantly harmful is its capacity to stay utterly encrypted on disk, solely decrypting in reminiscence throughout execution, making conventional file-based detection almost inconceivable with out superior behavioral monitoring.
Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most well-liked Supply in Google.
