Cybersecurity researchers from ESET have identified a new Lazarus Group campaign targeting European defense contractors, particularly those involved in unmanned aerial vehicle (UAV) development.
According to ESET findings, the threat actors used fake job offers and trojanized open-source software, as is customary in their Operation Dreamjob campaigns, to infiltrate their targets.
“Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET researchers said in a blog post about the European firms targeted. The activity, observed since March 2025, marks another phase of Lazarus’ long-running espionage operations that align closely with North Korea’s strategic military objectives.
Operation Dreamjob is a series of campaigns where the Lazarus group poses as recruiters from well-known aerospace and defense firms and deploys malicious payloads to gain persistence.
Attack chain built around fake job offers and tampered software
The initial compromise begins with spear-phishing messages posing as job opportunities from reputable defense companies. These messages deliver malicious files disguised as PDF readers or installation packages. When executed, they load additional components through DLL side-loading, a tactic Lazarus has used in several previous operations.
In this campaign, ESET observed the use of “DroneEXEHijackingLoader.dll,” a loader specifically crafted to exploit legitimate executables, which then delivered “ScoringMathTea,” a custom remote-access trojan (RAT) used by the group for command execution, data exfiltration, and persistence.
The attack also leveraged trojanized versions of open-source software such as WinMerge and Notepad++, embedding loaders and droppers into otherwise benign tools. “The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub,” the researchers said. “The choice of project varies from one attack to another.”
While ScoringMathTea is the primary payload used in this UAV-focused campaign, ESET noted that Lazarus has, in past operations, frequently used LightlessCan and related families, including ImprudentCook, BlindingCan, miniBlindingCan, and SimplexTea.
Drone-component theft meets geopolitical ambition
The targeting of firms linked to UAV design and manufacture is no coincidence. At least two of the companies compromised were tied to critical drone component supply chains and software systems.
“The in-the-wild attacks successively targeted three European companies active in the defense sector,” researchers added. “Although their activities are somewhat diverse, these entities can be described as a metal engineering company (Southeastern Europe), a manufacturer of aircraft components (Central Europe), and a defense company (Central Europe).”
Meanwhile, imagery and reports indicate that North Korea is actively pursuing its own drone manufacturing capability–Saetbyol-4 and Saetboyl-9 models which bear more than a passing resemblance to US equivalents, the blog noted. The theft of design data, manufacturing process know-how, and supply chain intelligence could accelerate Pyongyang’s UAV push.
ESET has provided downloadable IoCs (SHA-1 hashes, C2 domains, and IPs) and a GitHub repo with the full artifact set and mapped the campaign to MITRE ATT&CK techniques such as DLL side-loading (T1574.002), user execution (T1204.002), reflective code loading (T1620), process injection (T1055), and web protocol C2 (T1071.001). According to ESET researchers, defenders in the aerospace and UAV supply chain should ingest these IoCs, tune detections for the listed TTPs, and apply the containment and hunting steps.
No Responses