A cyber-espionage campaign linked to the North Korea-aligned Lazarus Group has targeted at least three European defense companies, particularly those involved in unmanned aerial vehicle (UAV) development. Using fake job offers as the initial enticement, the attackers provided decoy PDFs and trojanised software which, once executed, deployed the remote access trojan ScoringMathTea. Through this, the adversary gained persistent access to internal systems with the objective of stealing manufacturing know-how, design documents, and proprietary information tied to drones currently used in the Ukraine war.

The campaign, identified as Operation DreamJob, features sophisticated loader chains including trojanised open-source projects and DLL side-loading under names such as DroneEXEHijackingLoader.dll. It reflects a strategic shift by Lazarus from primarily financial attacks toward high-value technology theft, aligned with North Korea’s push to reverse-engineer Western-made UAVs and develop its own drone capabilities.

‍

Source: https://securityaffairs.com/183783/apt/lazarus-targets-european-defense-firms-in-uav-themed-operation-dreamjob.html