North Korea's Lazarus Group has run a successful cyber campaign against the unmanned aerial vehicle (UAV) sector in Europe, using the lure scheme known as Operation DreamJob. The scheme entices job seekers with promises of lucrative employment, but the "offers" it delivers carry malware that compromises the recipients' computers.
The Lazarus Group is notorious for its cyber heists and espionage activities, being linked to significant cyber incidents such as the 2014 hack of Sony Pictures Entertainment and the widespread WannaCry ransomware outbreak in 2017. Active since at least 2009, the group has been running its DreamJob campaigns since 2020, which utilize social engineering tactics to lure candidates into clicking on malicious links or downloadable documents.
Targets of these attacks primarily include aerospace and defense companies, as well as firms within engineering, technology, media, and entertainment sectors. The primary objectives of these operations are to steal intellectual property and sensitive data, engage in cyber espionage, and obtain financial information. According to ESET Research, the current iteration of this campaign commenced in late March and successfully breached three defense-sector companies in Europe.
While specific organizations were not disclosed, researchers highlighted that one victim is a metal engineering firm located in Southeastern Europe, another produces aircraft components in Central Europe, and the third is also a defense contractor based in Central Europe. ESET researchers, Peter Kálnai and Alexis Rapin, noted that all incidents involved droppers with a peculiar internal DLL name, DroneEXEHijackingLoader.dll, which steered the investigation toward the drone sector.
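The internal DLL name ESET mentions lives in the PE export directory, not in the file name on disk, so a triage check has to parse the header rather than look at the filename. The following is an added example, not code from ESET or from the article: a minimal export-directory name extractor plus a watchlist match, exercised against a constructed PE32+ stub built inline (the stub, the `build_sample_dll` helper and the `SUSPECT_INTERNAL_NAMES` watchlist are assumptions for illustration; only the DLL name itself comes from the article).

```python
import struct

# Internal names worth flagging; the only entry is the one ESET reported.
SUSPECT_INTERNAL_NAMES = {"DroneEXEHijackingLoader.dll"}


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def pe_export_name(data: bytes):
    """Return the Name string from IMAGE_EXPORT_DIRECTORY, or None if absent/malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = _u32(data, 0x3C)                      # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = _u16(data, pe + 6)                  # NumberOfSections
    opt_size = _u16(data, pe + 20)             # SizeOfOptionalHeader
    opt = pe + 24
    if opt + opt_size > len(data):
        return None
    magic = _u16(data, opt)
    if magic == 0x10B:                         # PE32
        dd_off, nrva_off = 96, 92
    elif magic == 0x20B:                       # PE32+
        dd_off, nrva_off = 112, 108
    else:
        return None
    if _u32(data, opt + nrva_off) < 1:         # no export data directory entry
        return None
    exp_rva, exp_size = _u32(data, opt + dd_off), _u32(data, opt + dd_off + 4)
    if exp_rva == 0 or exp_size < 40:
        return None
    sec_table = opt + opt_size

    def rva_to_off(rva):
        # Map an RVA to a file offset through the section table.
        for i in range(nsec):
            h = sec_table + i * 40
            if h + 40 > len(data):
                return None
            va, raw_size, raw_ptr = _u32(data, h + 12), _u32(data, h + 16), _u32(data, h + 20)
            if va <= rva < va + raw_size:
                off = raw_ptr + (rva - va)
                return off if off < len(data) else None
        return None

    exp_off = rva_to_off(exp_rva)
    if exp_off is None or exp_off + 40 > len(data):
        return None
    name_off = rva_to_off(_u32(data, exp_off + 12))   # IMAGE_EXPORT_DIRECTORY.Name
    if name_off is None:
        return None
    end = data.find(b"\0", name_off, name_off + 256)
    if end == -1:
        return None
    try:
        return data[name_off:end].decode("ascii")
    except UnicodeDecodeError:
        return None


def flag_internal_name(data: bytes, watchlist=SUSPECT_INTERNAL_NAMES):
    """Return (internal_name, hit) for a PE image."""
    name = pe_export_name(data)
    return name, (name is not None and name in watchlist)


def build_sample_dll(internal_name: str) -> bytes:
    """Constructed PE32+ stub carrying only an export directory; not a real binary (assumption)."""
    name_bytes = internal_name.encode("ascii") + b"\0"
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    exp_size = 40 + len(name_bytes)
    # IMAGE_EXPORT_DIRECTORY with Name pointing just past the 40-byte struct.
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + 40, 1, 0, 0, 0, 0, 0)
    section_data = (export_dir + name_bytes).ljust(sec_size, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, sec_size, 0, 0, sec_va)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, 0x200, 0, 2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", sec_va, exp_size) + b"\0" * (8 * 15)   # export dir is entry 0
    sec_hdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", exp_size, sec_va, sec_size, sec_raw,
                                          0, 0, 0, 0, 0x40000040)
    headers = (dos + coff + opt + dirs + sec_hdr).ljust(sec_raw, b"\0")
    return headers + section_data


if __name__ == "__main__":
    for label in ("DroneEXEHijackingLoader.dll", "benign.dll"):
        print(label, flag_internal_name(build_sample_dll(label)))
```

The parser deliberately returns None on any malformed field rather than raising, since samples from a dropper are exactly the files that may be truncated or deliberately broken; run it over every DLL dropped alongside a "job description" viewer and compare the internal name to the file name on disk, because a mismatch is itself a side-loading tell.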
All three targeted companies manufacture military equipment or components, much of which is now used by the Ukrainian military in its war against Russian forces. At least two of the affected firms are known to develop UAV technologies: one specializes in critical drone components, while the other focuses on UAV-related software. Notably, during the period covered by ESET's observations, North Korean military personnel were reported to be stationed in Russia.
The researchers speculated that Operation DreamJob might have aimed to gather sensitive information regarding Western-made weapon systems currently deployed in the ongoing Russia-Ukraine war. Access to these companies was initially gained through social engineering techniques, followed by the deployment of a remote access trojan (RAT) named ScoringMathTea. This malware was delivered through a trojanized PDF reader disguised as a job description, enabling attackers to gain full control over the infected machines.
Since late 2022, the Lazarus Group has repeatedly utilized ScoringMathTea in various DreamJob campaigns. The UAV-themed nature of this latest operation coincides with reports indicating that Pyongyang is increasing its investments in domestic drone manufacturing capabilities.
ESET analysts uncovered that one targeted entity is involved in manufacturing at least two UAV models currently being used in Ukraine, which North Korea may have encountered in combat situations. Additionally, this entity is part of the supply chain for advanced single-rotor drones, a type of unmanned aircraft that North Korea is actively seeking to develop but has yet to successfully militarize.
These findings point to the likely motivation behind the activity observed in Operation DreamJob. Throughout the campaign the attackers used trojanized open-source projects as droppers and loaders, varying them from attack to attack. The final payload remains ScoringMathTea (also referred to as ForestTiger), a RAT supporting roughly 40 commands that let it manipulate files and processes, collect system information, and download additional malware from its command-and-control servers.
ESET has previously documented instances of ScoringMathTea being used in attacks targeting various organizations, including an Indian technology company, a Polish defense contractor, a British industrial automation firm, and an Italian aerospace company.
