ESET researchers reveal North Korea’s Lazarus Group used fake job offers to breach European defense companies working on UAV technology.

European Aerospace and Defence Firms Targeted by North Korean State Hackers

The420 Correspondent

The North Korean state-sponsored hacking group Lazarus has breached multiple European defense contractors as part of a stealth espionage campaign targeting the continent’s drone-technology ecosystem.

According to cybersecurity firm ESET, three companies — a metal engineering firm in Southeastern Europe, an aircraft parts manufacturer, and a Central European defense supplier — were compromised earlier this year in a sophisticated phishing operation disguised as a recruitment drive.

The campaign, dubbed Operation DreamJob, is one of Lazarus’s most persistent tactics. It involves hackers impersonating recruiters from major firms to approach engineers and executives with lucrative job offers. Once the targets engage, they are persuaded to download malicious attachments — granting Lazarus covert access to internal systems.

In this latest wave, the attackers focused on organizations contributing to unmanned aerial vehicle (UAV) research and production — a sector critical to the ongoing war in Ukraine and one that analysts say Pyongyang seeks to emulate as it builds its own drone arsenal.

The Anatomy of a False Opportunity

ESET researchers observed the attacks beginning in late March 2025, with phishing messages distributed via LinkedIn and email, often referencing legitimate aerospace companies.

The infection chain began when victims downloaded trojanized open-source tools — including MuPDF Viewer, Notepad++, and TightVNC Viewer — altered to execute malicious code through DLL sideloading, a technique that tricks legitimate software into loading hidden malware.
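One defender-side check for the sideloading pattern described above, added here as an example and not code from ESET or the article: given Sysmon-style image-load events (fields `Image`, `ImageLoaded`, `Signed`), flag a DLL whose name is one normally resolved from a Windows system directory but which is loaded from the same folder as a user-launched host executable. The events and the system-DLL reference set below are constructed for the example; a real deployment would build that set from a known-good image.

```python
"""Flag candidate DLL sideloading from Sysmon-style image-load events.

Heuristic: a DLL whose file name matches a library normally found in a
Windows system directory (version.dll, dbghelp.dll, ...) but which is loaded
from the host executable's own directory instead of System32/SysWOW64.
That is the shape of a trojanized Notepad++ / MuPDF / TightVNC bundle.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed reference set of names that legitimately live in System32.
# In practice, enumerate a gold image rather than hard-coding names.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# Constructed sample events (Sysmon Event ID 7 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\j.doe\Downloads\notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Users\j.doe\Downloads\notepad++\version.dll",
     "Signed": "false"},                      # system-name DLL from app dir, unsigned
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},                       # normal resolution from System32
    {"Image": r"C:\Users\j.doe\Downloads\tvnviewer.exe",
     "ImageLoaded": r"C:\Users\j.doe\Downloads\dbghelp.dll",
     "Signed": "true"},                       # system-name DLL from app dir, signed
    {"Image": r"C:\Users\j.doe\Downloads\mupdf\mupdf.exe",
     "ImageLoaded": r"C:\Users\j.doe\Downloads\mupdf\libmupdf.dll",
     "Signed": "false"},                      # the app's own library, not a system name
]


def is_sideload_candidate(event):
    """Return 'high' / 'medium' for a suspicious load, or None if benign."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return None                           # not impersonating a system library
    if dll_dir in SYSTEM_DIRS:
        return None                           # loaded from where it should be
    if dll_dir != str(exe.parent).lower():
        return None                           # not the classic side-by-side layout
    return "high" if event.get("Signed", "").lower() == "false" else "medium"


def find_sideload_candidates(events):
    """List (dll path, severity) for every event the heuristic flags."""
    return [(e["ImageLoaded"], sev) for e in events
            if (sev := is_sideload_candidate(e)) is not None]
```

Treat a hit as a triage lead, not a verdict: confirm by checking the DLL's signature and hash against the vendor's release and the host directory's provenance.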

Once executed, the malicious payload decrypted and deployed the ScoringMathTea remote access trojan (RAT), a versatile surveillance tool capable of executing over 40 commands. These range from file manipulation and command execution to retrieving new payloads from Lazarus’s command-and-control (C2) servers.

In some cases, researchers noted the use of an alternate loader, BinMergeLoader (MISTPEN), which abused Microsoft Graph API tokens to fetch additional malware. The infection chain, ESET said, demonstrated Lazarus’s “continued operational discipline and technical adaptability.”

Drone Warfare and the Espionage Race

The timing and target profile of the operation align with North Korea’s push to develop its drone warfare capabilities, inspired by Western designs observed in Ukraine.

Two of the compromised European companies reportedly build critical UAV components and software systems, while all three produce military hardware currently being used in Eastern Europe’s conflict zones.

For North Korea — cut off from most international defense partnerships — cyber-espionage has become a key vector for technological acquisition. Lazarus’s focus on UAV development reflects Pyongyang’s broader strategy: learning from adversaries’ innovations through infiltration rather than invention.

“The geopolitical context is clear,” ESET noted. “These are firms working on technologies that North Korea desperately wants to replicate.”

Persistence Through Exposure

Despite years of exposure and sanctions, Operation DreamJob remains a favored Lazarus toolset — and one that continues to succeed. Its strength lies not in technical novelty but in psychological precision: exploiting ambition and trust.

Lazarus has previously deployed similar schemes against cryptocurrency platforms, DeFi projects, and security researchers, often using LinkedIn or messaging apps to lure professionals with fake positions. Each campaign follows the same pattern — personal outreach, trust-building, and finally, infection.

ESET’s latest findings include detailed indicators of compromise (IoCs) linked to Lazarus’s infrastructure, along with evidence that the group’s Phoenix-linked development team continues to refine its loaders and remote-access implants.

As one ESET analyst summarized: “The DreamJob playbook works because human nature doesn’t patch as fast as software.”