Threat actors linked to North Korea have been connected to a new wave of attacks targeting European companies in the defense industry. These operations are part of the long-running campaign known as Operation Dream Job.
Targeting UAV Technology
Security researchers at ESET believe the campaign is focused on gathering proprietary information and manufacturing knowledge, particularly targeting companies heavily involved in the unmanned aerial vehicle (UAV) sector. This suggests the operation is likely tied to North Korea's current efforts to rapidly expand its drone program.
The attacks, which ESET observed beginning in late March 2025, focused on several European entities, including a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company also in Central Europe.
Malware and Infection Chain
The hackers used two primary malware families in the campaign: ScoringMathTea and MISTPEN. ScoringMathTea, also known as ForestTiger, has been active since at least 2022 and was previously seen targeting defense contractors. MISTPEN was documented recently in connection with intrusions aimed at energy and aerospace firms.
Operation Dream Job is a persistent attack campaign mounted by the prolific North Korean hacking group known as Lazarus Group. The group leverages social engineering lures that resemble Contagious Interview tactics. The threat actors approach prospective targets with lucrative, but fake, job opportunities to trick them into infecting their systems with malware.
The dominant attack sequence involves the target receiving a decoy document, such as a job description, together with a trojanized PDF reader to open it. Launching the reader executes a binary that side-loads a malicious DLL. This DLL drops the remote access trojan (RAT) ScoringMathTea, or a downloader codenamed BinMergeLoader that functions similarly to MISTPEN. The goal is always to gain complete control over the compromised machine.
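The side-loading step in that chain is the part defenders can most readily hunt for: a legitimate-looking executable, dropped into a user-writable folder alongside the decoy, loads a DLL from its own directory instead of from the Windows system directory. The following detector is an added example, not code from ESET or from the report; it runs a generic side-loading heuristic over a handful of constructed image-load events. The event fields, the sample paths, and the list of DLL names treated as "normally resolved from System32" are all assumptions made for illustration and are not indicators from the campaign.

```python
"""Heuristic detector for DLL side-loading from a user-writable directory.

Added example, not from the ESET report. Flags an image-load event when a DLL
is loaded from the same user-writable folder as its loading executable, or
when a DLL whose name normally resolves from a Windows system directory is
loaded from somewhere else. Event shape and sample paths are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Folders an unprivileged user can write to; an archive-delivered trojanized
# application typically runs from one of these. Assumed list for the example.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# DLL names a clean install resolves from the system directory. Constructed for
# the example; in production, build this from a known-good host inventory.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptbase.dll", "uxtheme.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # full path of the executable that performed the load
    loaded_image: str   # full path of the DLL that was mapped
    dll_signed: bool    # whether the DLL carried a valid Authenticode signature


def _dir_lower(path: str) -> str:
    """Parent directory of a Windows path, lower-cased for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def suspicious_sideload(ev: ImageLoad):
    """Return a list of reasons the load looks like side-loading, or None."""
    exe_dir = _dir_lower(ev.process_image)
    dll_dir = _dir_lower(ev.loaded_image)
    dll_name = PureWindowsPath(ev.loaded_image).name.lower()

    if dll_dir in SYSTEM_DIRS:
        return None  # loaded from the expected location

    reasons = []
    if dll_name in KNOWN_SYSTEM_DLLS:
        reasons.append("system DLL name resolved outside a system directory")
    if exe_dir == dll_dir and is_user_writable(dll_dir):
        reasons.append("DLL loaded from the executable's own user-writable folder")
    if not reasons:
        return None  # an unsigned DLL alone is too noisy to alert on
    if not ev.dll_signed:
        reasons.append("DLL is unsigned")
    return reasons


def scan(events):
    """Return (event, reasons) pairs for every event the heuristic flags."""
    hits = []
    for ev in events:
        reasons = suspicious_sideload(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry; paths are invented for the example.
SAMPLE_EVENTS = [
    # trojanized reader run from Downloads, hijacking a system DLL name
    ImageLoad(r"C:\Users\alice\Downloads\reader\reader.exe",
              r"C:\Users\alice\Downloads\reader\version.dll", dll_signed=False),
    # properly installed reader resolving the real system DLL
    ImageLoad(r"C:\Program Files\Reader\reader.exe",
              r"C:\Windows\System32\version.dll", dll_signed=True),
    # portable tool loading its own plugin from AppData (weaker signal)
    ImageLoad(r"C:\Users\alice\AppData\Local\Tool\tool.exe",
              r"C:\Users\alice\AppData\Local\Tool\plugin.dll", dll_signed=True),
    # vendor DLL shipped beside an installed application, not user-writable
    ImageLoad(r"C:\Program Files\Reader\reader.exe",
              r"C:\Program Files\Reader\libxml2.dll", dll_signed=True),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.process_image, "->", ev.loaded_image)
        for r in reasons:
            print("   ", r)
```

The first sample event trips all three reasons and is the pattern the paragraph describes; the third trips only the same-folder rule, which is how legitimate portable software also behaves, so in practice that rule should be weighted lower or combined with process-tree context (a document reader spawned from an archive extractor, for instance) before it pages anyone.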
ESET noted that for nearly three years, Lazarus has maintained this consistent and predictable, yet effective, strategy. The group continuously trojanizes open-source applications, a tactic that provides enough variation to evade security detection, even if it is not enough to mask the group's true identity.