{"id":5532,"date":"2025-10-24T12:09:36","date_gmt":"2025-10-24T12:09:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5532"},"modified":"2025-10-24T12:09:36","modified_gmt":"2025-10-24T12:09:36","slug":"lazarus-group-targets-european-drone-makers-in-new-espionage-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5532","title":{"rendered":"Lazarus group targets European drone makers in new espionage campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Cybersecurity researchers from ESET have identified a new Lazarus Group campaign targeting European defense contractors, particularly those involved in unmanned aerial vehicle (UAV) development.<\/p>\n<p>According to ESET findings, the threat actors used fake job offers and trojanized open-source software, as is customary in their Operation Dreamjob campaigns, to infiltrate their targets.<\/p>\n<p>\u201cSome of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea\u2019s current efforts to scale up its drone program,\u201d ESET researchers said in a blog post about the European firms targeted. 
The activity, observed since March 2025, marks another phase of Lazarus\u2019 long-running espionage <a href=\"https:\/\/www.csoonline.com\/article\/657312\/north-koreas-state-hacking-program-is-varied-fluid-and-nimble.html\" target=\"_blank\" rel=\"noopener\">operations<\/a> that align closely with North Korea\u2019s strategic military objectives.<\/p>\n<p>Operation Dreamjob is a series of campaigns in which the Lazarus Group <a href=\"https:\/\/www.csoonline.com\/article\/3818521\/lazarus-group-tricks-job-seekers-on-linkedin-with-crypto-stealer.html\">poses as recruiters<\/a> from well-known aerospace and defense firms and delivers malicious payloads to establish a persistent foothold.<\/p>\n<h2 class=\"wp-block-heading\">Attack chain built around fake job offers and tampered software<\/h2>\n<p>The initial compromise begins with spear-phishing messages posing as job opportunities from reputable defense companies. These messages deliver malicious files disguised as PDF readers or installation packages. When executed, they load additional components through <a href=\"https:\/\/www.csoonline.com\/article\/4038967\/new-ransomware-charon-uses-dll-sideloading-to-breach-critical-infrastructure.html\">DLL side-loading<\/a>, a tactic Lazarus has used in several previous operations.<\/p>\n<p>In this campaign, ESET observed the use of \u201cDroneEXEHijackingLoader.dll,\u201d a loader crafted to be picked up by a legitimate executable through DLL side-loading (the loader sits beside the trusted binary and is resolved in place of a library the binary expects). The loader then delivered \u201cScoringMathTea,\u201d a custom remote-access trojan (RAT) used by the group for command execution, data exfiltration, and persistence.<\/p>\n<p>The attack also leveraged trojanized versions of open-source software such as WinMerge and Notepad++, embedding loaders and droppers into otherwise benign tools. 
\u201cThe attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub,\u201d the researchers <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/gotta-fly-lazarus-targets-uav-sector\/\" target=\"_blank\" rel=\"noopener\">said<\/a>. \u201cThe choice of project varies from one attack to another.\u201d<\/p>\n<p>While ScoringMathTea is the primary payload used in this UAV-focused campaign, ESET noted that Lazarus has, in past operations, frequently used LightlessCan and related families, including ImprudentCook, BlindingCan, miniBlindingCan, and SimplexTea.<\/p>\n<h2 class=\"wp-block-heading\">Drone-component theft meets geopolitical ambition<\/h2>\n<p>The targeting of firms linked to UAV design and manufacture is no coincidence. At least two of the companies compromised were tied to critical drone component supply chains and software systems.<\/p>\n<p>\u201cThe in-the-wild attacks successively targeted three European companies active in the defense sector,\u201d researchers added. \u201cAlthough their activities are somewhat diverse, these entities can be described as a metal engineering company (Southeastern Europe), a manufacturer of aircraft components (Central Europe), and a defense company (Central Europe).\u201d<\/p>\n<p>Meanwhile, imagery and reports indicate that North Korea is actively pursuing its own drone manufacturing capability: the Saetbyol-4 and Saetbyol-9 models, which bear more than a passing resemblance to US equivalents, the blog noted. The theft of design data, manufacturing process know-how, and supply chain intelligence could accelerate Pyongyang\u2019s UAV push. 
<\/p>\n<p>ESET has published downloadable IoCs (SHA-1 hashes, C2 domains, and IPs) and a GitHub repository with the full artifact set, and has mapped the campaign to MITRE ATT&amp;CK techniques including DLL side-loading (T1574.002), user execution (T1204.002), reflective code loading (T1620), process injection (T1055), and web protocol C2 (T1071.001). ESET advises defenders in the aerospace and UAV supply chain to ingest these IoCs, tune detections for the listed TTPs, and follow the containment and hunting guidance in its report. Hashes and C2 infrastructure are the easiest indicators for the group to rotate, so detections keyed to the side-loading and reflective-loading behaviour will outlast the IoC list.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers from ESET have identified a new Lazarus Group campaign targeting European defense contractors, particularly those involved in unmanned aerial vehicle (UAV) development. According to ESET findings, the threat actors used fake job offers and trojanized open-source software, as is customary in their Operation Dreamjob campaigns, to infiltrate their targets. \u201cSome of these are 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5533,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5532"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5532"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5532\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5533"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
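The side-loading chain and the IoC/ATT&CK guidance in the article map directly onto a hunt over endpoint telemetry. What follows is an added example written for this page, not ESET's code and not its published IoC tooling. It assumes Sysmon-shaped records (Event ID 7 image loads carrying Image, ImageLoaded, Hashes and Signed fields; Event ID 3 network connections carrying DestinationIp and DestinationHostname). Every record, hash, domain and IP in it is a constructed placeholder, and the starter list of commonly side-loaded DLL names is an assumption to be extended from your own telemetry.

```python
"""Hunt Sysmon-style telemetry for the side-loading and C2 behaviour described
in the article. Every record, hash, domain and IP below is a constructed
placeholder, not an indicator from ESET's published IoC set."""
from dataclasses import dataclass, field
from typing import Optional
import ntpath

# Library names Windows normally resolves from the system directory; an EXE
# pulling one of these from its own folder is the classic side-loading shape
# (ATT&CK T1574.002). Assumed starter list, not ESET's.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
               "userenv.dll", "winhttp.dll", "dwmapi.dll", "profapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Paths where a phished "PDF reader" or trojanized installer typically lands.
STAGING_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Constructed IoC set in the shape of ESET's feed (SHA-1, C2 domains, IPs).
IOC_SHA1 = {"0123456789abcdef0123456789abcdef01234567"}
IOC_DOMAINS = {"update.example.invalid"}
IOC_IPS = {"192.0.2.10"}            # TEST-NET-1, never routable


@dataclass
class Finding:
    host_image: str                 # process that did the load / connect
    subject: str                    # DLL path or destination
    reasons: list = field(default_factory=list)
    techniques: set = field(default_factory=set)


def parse_hashes(hashes_field: str) -> dict:
    """Sysmon 'SHA1=..,MD5=..' -> {'SHA1': '..', ...}, values lower-cased."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def check_image_load(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 7 (ImageLoaded): flag side-loading tells and hash IoCs."""
    low = ev["ImageLoaded"].lower()
    name = ntpath.basename(low)
    directory = ntpath.dirname(low) + "\\"
    f = Finding(ev["Image"], ev["ImageLoaded"])
    if name in SYSTEM_DLLS and not directory.startswith(SYSTEM_DIRS):
        f.reasons.append(f"{name} loaded from outside the system directory")
        f.techniques.add("T1574.002")
        if ev.get("Signed", "false").lower() != "true":
            # the genuine copy is Microsoft-signed; a look-alike rarely is
            f.reasons.append(f"{name} is unsigned")
    if any(hint in directory for hint in STAGING_HINTS):
        f.reasons.append("DLL sits in a user-writable staging path")
        f.techniques.add("T1204.002")   # the user ran the lure that dropped it
    sha1 = parse_hashes(ev.get("Hashes", "")).get("SHA1")
    if sha1 in IOC_SHA1:
        f.reasons.append(f"SHA-1 {sha1} matches IoC list")
    return f if f.reasons else None


def check_network(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 3 (NetworkConnect): match the destination against C2 IoCs."""
    host = (ev.get("DestinationHostname") or "").lower()
    ip = ev.get("DestinationIp", "")
    f = Finding(ev["Image"], host or ip)
    if ip in IOC_IPS:
        f.reasons.append(f"destination IP {ip} matches IoC list")
    if host in IOC_DOMAINS:
        f.reasons.append(f"destination host {host} matches IoC list")
    if f.reasons:
        f.techniques.add("T1071.001")   # web-protocol C2
    return f if f.reasons else None


def hunt(events: list) -> list:
    """Run the matching check for each event; return only the hits, in order."""
    checks = {7: check_image_load, 3: check_network}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one lure chain and one benign Notepad++ session.
LURE = r"C:\Users\jdoe\Downloads\JobDescription\PdfReader.exe"
EDITOR = r"C:\Program Files\Notepad++\notepad++.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LURE,
     "ImageLoaded": r"C:\Users\jdoe\Downloads\JobDescription\version.dll",
     "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": EDITOR, "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Hashes": "SHA1=FEDCBA9876543210FEDCBA9876543210FEDCBA98",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 3, "Image": LURE, "DestinationIp": "192.0.2.10",
     "DestinationHostname": "update.example.invalid", "DestinationPort": 443},
    {"EventID": 3, "Image": EDITOR, "DestinationIp": "203.0.113.5",
     "DestinationHostname": "updates.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit.host_image, "->", hit.subject, sorted(hit.techniques), hit.reasons)
```

Running the script prints the two hits from the constructed sample (the lure's `version.dll` load and its C2 connection) and stays silent on the benign Notepad++ events. In production, feed it events parsed from the Sysmon operational log and replace the placeholder sets with ESET's published IoCs. The hash and C2 matches are the IoC layer; the DLL-name, signature and path checks are the behavioural layer that keeps firing after the group rotates infrastructure.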