Cyber Web Spider Blog – News

North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets

Posted on October 23, 2025 By CWS

Oct 23, 2025Ravie LakshmananCyber Espionage / Risk Intelligence
Risk actors with ties to North Korea have been attributed to a brand new wave of assaults focusing on European corporations energetic within the protection business as a part of a long-running marketing campaign often known as Operation Dream Job.
“A few of these [corporations’ are closely concerned within the unmanned aerial automobile (UAV) sector, suggesting that the operation could also be linked to North Korea’s present efforts to scale up its drone program,” ESET safety researchers Peter Kálnai and Alexis Rapin mentioned in a report shared with The Hacker Information.
It is assessed that the tip objective of the marketing campaign is to plunder proprietary data and manufacturing know-how utilizing malware households comparable to ScoringMathTea and MISTPEN. The Slovak cybersecurity firm mentioned it noticed the marketing campaign beginning in late March 2025.

Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.
While ScoringMathTea (aka ForestTiger) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022.
Operation Dream Job, first uncovered by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacking group is believed to have been operational since at least 2009.

In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star.
“The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.

The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads.
Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take complete control over the compromised machines.
“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”
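For defenders, the two behaviours described above (a trojanized reader sideloading a DLL, then a downloader reaching Microsoft Graph) can be correlated per process. The following is an added example, not code from ESET or from the article. The event fields, the sample events, and the allowlist of expected Graph clients are constructed assumptions rather than a real EDR schema.

```python
import ntpath

# Assumption: directories a standard user can usually write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Assumption: binaries expected to talk to Microsoft Graph in this environment.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}

# Constructed sample telemetry; field names are hypothetical.
EVENTS = [
    {"type": "image_load", "pid": 4120, "dll_signed": False,
     "process": r"C:\Users\eng1\Downloads\JobOffer\reader.exe",
     "dll": r"C:\Users\eng1\Downloads\JobOffer\helper.dll"},
    {"type": "net_connect", "pid": 4120, "host": "graph.microsoft.com",
     "process": r"C:\Users\eng1\Downloads\JobOffer\reader.exe"},
    {"type": "image_load", "pid": 880, "dll_signed": True,
     "process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dll": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
    {"type": "net_connect", "pid": 880, "host": "graph.microsoft.com",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "image_load", "pid": 5001, "dll_signed": False,
     "process": r"C:\Users\eng1\AppData\Local\Tool\tool.exe",
     "dll": r"C:\Users\eng1\AppData\Local\Tool\plugin.dll"},
]

def user_writable(path):
    """True when the path sits under a directory a normal user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)

def sideload_candidate(ev):
    """Unsigned DLL loaded from the executable's own user-writable directory."""
    same_dir = ntpath.dirname(ev["dll"]).lower() == ntpath.dirname(ev["process"]).lower()
    return not ev["dll_signed"] and same_dir and user_writable(ev["dll"])

def unexpected_graph_client(ev):
    """Connection to Microsoft Graph from a binary outside the allowlist."""
    exe = ntpath.basename(ev["process"]).lower()
    return ev["host"].lower() == "graph.microsoft.com" and exe not in EXPECTED_GRAPH_CLIENTS

def triage(events):
    """Map pid -> 'high' when both signals fire, 'review' when only one does."""
    reasons = {}
    for ev in events:
        if ev["type"] == "image_load" and sideload_candidate(ev):
            reasons.setdefault(ev["pid"], set()).add("sideload")
        elif ev["type"] == "net_connect" and unexpected_graph_client(ev):
            reasons.setdefault(ev["pid"], set()).add("graph")
    return {pid: "high" if r == {"sideload", "graph"} else "review"
            for pid, r in reasons.items()}
```

Correlating on PID alone ignores PID reuse; production telemetry should key on a stable process identifier and a time window.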

Copyright © 2025 Cyber Web Spider Blog – News.
