North Korean state-sponsored group Lazarus is aiming at European corporations tied to the unmanned aerial car (UAV) sector in new assaults as a part of Operation Dream Job, ESET experiences.
Additionally tracked as Diamond Sleet, Hidden Cobra, and Zinc, the Lazarus Group has been energetic since at the least 2009, and has been blamed for quite a few high-profile hacks.
Over the previous half a decade, the menace actor has been partaking in intrusion campaigns that relied on faux job presents concentrating on people within the aerospace, protection, engineering, media and leisure, and know-how sectors.
The “dream job” presents had been meant to contaminate the victims’ programs with varied backdoors. This has supplied Lazarus with a foothold into the people’ organizations, permitting it to steal mental property and different delicate data.
Beginning March 2025, ESET notes in a brand new report, comparable Operation Dream Job assaults have been concentrating on European corporations within the protection sector, together with a steel engineering firm, an plane parts producer, and a protection firm.
Counting on social engineering, Lazarus used faux job presents to ship a decoy doc with a job description to its victims. The doc was accompanied by a trojanized open supply PDF reader, which deployed the ScoringMathTea distant entry trojan.
First noticed in 2022 and used quite a few instances in Operation Dream Job assaults, the malware supplies the attackers with full management over the contaminated programs and depends on compromised servers for command-and-control (C&C) communication.
In keeping with ESET, the marketing campaign might be centered on accumulating data on weapon programs deployed in Ukraine as a part of European nations’ army help. The assaults occurred whereas North Korean troopers had been energetic in Russia to reportedly assist repel Ukraine’s offensive within the Kursk area.Commercial. Scroll to proceed studying.
On the identical time, the sufferer organizations produce supplies that North Korea manufactures domestically, and the intrusions might be geared toward gathering data to good designs and processes. A DLL in all droppers utilized in these assaults suggests a concentrate on drone producers.
At the least two of the victims are closely concerned within the growth of UAV know-how. One in every of them makes vital drone parts, whereas the opposite is reportedly engaged in constructing UAV-related software program.
“The curiosity in UAV-related know-how is notable, because it echoes current media experiences indicating that Pyongyang is investing closely in home drone manufacturing capabilities,” ESET notes.
Reportedly, North Korea is reinforcing its drone program based mostly on its current expertise with fashionable warfare as a part of the Russia-Ukraine conflict, and is receiving help from Russia to provide its model of the Iranian-made Shahed drone, in addition to low-cost assault UAVs for export.
As ESET factors out, North Korea has developed its home UAV capabilities by way of reverse engineering and the theft of mental property, and its Saetbyol‑4 and Saetbyol‑9 drones are copies of the Northrop Grumman RQ‑4 International Hawk and Normal Atomics MQ‑9 Reaper, respectively.
“On this context, we consider that it’s probably that Operation DreamJob was – at the least partially – geared toward stealing proprietary data, and manufacturing know-how, relating to UAVs. The ‘Drone’ point out noticed in one of many droppers considerably reinforces this speculation,” ESET notes.
Associated: North Korean Hackers Have Stolen $2 Billion in Cryptocurrency in 2025
Associated: North Korea’s Pretend Recruiters Feed Stolen Knowledge to IT Staff
Associated: North Korean Hackers Take Over Victims’ Techniques Utilizing Zoom Assembly
Associated: North Korean Hackers Distributed Android Spy ware through Google Play
