
Stealing UAV intellectual property threatens European defense supply chains and fuels North Korea’s rapid drone development, raising geopolitical security risks.
Operation DreamJob marks a sophisticated evolution in Lazarus’ cyber‑espionage playbook, blending social engineering with supply‑chain infiltration. By posing as reputable recruiters, the group bypasses traditional security awareness, delivering malicious PDFs that drop the ScoringMathTea remote‑access trojan. This tactic mirrors earlier Lazarus campaigns but is uniquely tailored to the UAV sector, reflecting North Korea’s strategic focus on unmanned systems. The use of fake job listings also underscores a broader trend where threat actors weaponize talent‑acquisition channels to gain footholds in high‑value industries.
Technical analysis reveals a layered malware stack. ScoringMathTea, active since 2022, offers over 40 commands for file manipulation, process control, and network tunneling, while BinMergeLoader abuses Microsoft Graph API tokens to stealthily retrieve additional payloads. To evade detection, the attackers rely on DLL side‑loading: legitimate open‑source binaries such as TightVNC, MuPDF and Notepad++ plugins are made to load trojanized DLLs in their place. Command‑and‑control traffic is routed through hijacked WordPress sites, with malicious components embedded in themes or plugins, a technique that combines web‑based persistence with low‑profile communications.
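A detection sketch for the two tradecraft elements just described, added here as an illustrative example rather than anything from the report: the short list of side‑loadable system DLL names, the trusted‑directory prefixes, the process names and all sample telemetry are assumptions constructed for the demo.

```python
"""Added detection sketch (not from the report): flag two DreamJob-style indicators
over constructed endpoint telemetry: (1) a Windows system DLL name loaded from outside
trusted directories (side-loading), (2) a non-browser process requesting a WordPress
theme/plugin URL (hijacked-site C2). Coarse heuristics; tune with allow-lists."""
import re
from urllib.parse import urlparse

# Real Windows DLL names often abused for side-loading (short, illustrative list).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptsp.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
WP_PATH = re.compile(r"/wp-content/(themes|plugins)/", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed benign requesters

def is_suspicious_image_load(dll_path):
    """True when a system DLL name is loaded from an untrusted directory."""
    directory, _, name = dll_path.lower().rpartition("\\")
    return name in SYSTEM_DLLS and not directory.startswith(TRUSTED_DIRS)

def is_suspicious_web_request(process_name, url):
    """True when a non-browser process requests a WordPress theme/plugin path."""
    if process_name.lower() in BROWSERS:
        return False
    return WP_PATH.search(urlparse(url).path) is not None

def triage(events):
    """Return (rule, process, artifact) tuples for events matching either rule."""
    hits = []
    for ev in events:
        if ev["type"] == "image_load" and is_suspicious_image_load(ev["image"]):
            hits.append(("dll_sideload", ev["process"], ev["image"]))
        elif ev["type"] == "http" and is_suspicious_web_request(ev["process"], ev["url"]):
            hits.append(("wordpress_c2", ev["process"], ev["url"]))
    return hits

# Constructed sample telemetry; binary names, paths and host names are placeholders.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "viewer.exe",
     "image": r"C:\Users\alice\Downloads\JobOffer\version.dll"},
    {"type": "image_load", "process": "viewer.exe",
     "image": r"C:\Windows\System32\dbghelp.dll"},
    {"type": "http", "process": "viewer.exe",
     "url": "https://compromised-blog.invalid/wp-content/themes/twenty/style.php"},
    {"type": "http", "process": "chrome.exe",
     "url": "https://compromised-blog.invalid/wp-content/plugins/seo/x.php"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the download-folder DLL load and the non-browser request to a theme path are flagged; the System32 load and the browser request are treated as benign.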
The campaign’s impact extends beyond immediate data loss. By exfiltrating proprietary UAV designs, North Korea accelerates its own drone capabilities, potentially supplying low‑cost attack drones to allied regions in Africa and the Middle East. European defense contractors must reinforce employee training against recruitment scams, adopt advanced endpoint detection that flags trojanized binaries, and enforce network segmentation to contain breaches. As state‑backed APT groups continue to blend social engineering with sophisticated malware, the defense sector faces an escalating risk of industrial espionage that could reshape global security dynamics.