Norks droning on about your dream job while pwning your PC

Social engineering? Check. Trojanized open source? Check. Lazarus’ pet RAT? Also check

North Korea's Lazarus Group has successfully compromised Europe's unmanned aerial vehicle (UAV) sector with its Operation DreamJob campaign, which promises job seekers lucrative employment opportunities - but then delivers a malware-laced offer and a compromised computer.

Lazarus, Pyongyang's best-known cyberheist and espionage crew, is widely credited with the Sony Pictures Entertainment hack in late 2014 and the WannaCry outbreak in 2017, although the group has been active since at least 2009.

Its DreamJob campaigns have been around since 2020, and are characterized by their use of social engineering to lure job seekers with fake offers for high-profile positions - before tricking the victims into clicking on malicious links or documents. The targets are typically aerospace and defense firms, followed by engineering and technology companies, along with media and entertainment. Lazarus' goals in these attacks include stealing IP and other sensitive data, conducting cyber espionage, and obtaining financial data.

According to ESET Research, this latest campaign began in late March with attacks successfully hitting three European defense-sector companies. While the threat hunters don't name the organizations, they note that one is a metal engineering company in Southeastern Europe, another manufactures aircraft components in Central Europe, and the third is a defense company also in Central Europe.

"All cases involved droppers that have the interesting internal DLL name, DroneEXEHijackingLoader.dll, which led us down the drone segment rabbit hole," ESET researchers Peter Kálnai and Alexis Rapin said in a Thursday blog. 

All three victims make military equipment and/or parts, and much of this gear is being used by the Ukrainian military to fight Russian invaders. At least two of the companies develop UAV tech: one manufactures critical drone components and the other designs UAV-related software.

At the time ESET spotted this new campaign, North Korean soldiers were deployed in Russia. "It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war," Kálnai and Rapin wrote.

In these attacks, the Norks gained initial access via social engineering before ultimately deploying a remote access trojan called ScoringMathTea - delivered via a trojanised PDF reader masquerading as a job description - that gives the attackers full control over the compromised machine. Lazarus has used this malware in multiple DreamJob attacks since late 2022.

The timing of the UAV-themed campaign also comes as Pyongyang is reportedly investing in domestic drone manufacturing capabilities. 

"We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the frontline," the ESET analysts wrote. 

"This entity is also involved in the supply chain of advanced single-rotor drones (i.e., unmanned helicopters), a type of aircraft that Pyongyang is actively developing but has not proved able to militarize so far," they added. "These may be some of the potential motivations behind Operation DreamJob's observed activities."

The attackers used a variety of trojanized open-source droppers and loaders in this campaign; the set varied from one attack to another, but included:

  • Trojanized TightVNC Viewer and MuPDF reader that serve as downloaders.
  • A trojanized end-of-life libpcre v8.45 library for Windows, serving as a loader.
  • A loader dubbed QuanPinLoader that has the Mandarin Chinese symbol 样 (yàng in the Pinyin transliteration) as an icon in the resources. It also contains the string SampleIMESimplifiedQuanPin.txt, which suggests that it is probably based on the open-source project Sample IME, a TSF-based input method editor demo. 
  • Loaders built from the open-source project DirectX Wrappers.
  • Downloaders built from open-source plugins for WinMerge (DisplayBinaryFiles and HideFirstLetter). ESET named the two trojanized plugins BinMergeLoader.
  • Trojanized open-source plugins for Notepad++, specifically a downloader very similar to BinMergeLoader (NPPHexEditor v10.0.0 by MacKenzie Cumings) and a dropper of an unknown payload (ComparePlus v1.1.0 by Pavel Nedev). The latter binary contains the PDB path E:\Work\Troy\안정화\wksprt\comparePlus-master\Notepad++\plugins\ComparePlus\ComparePlus.pdb, which suggests the origin of the project (comparePlus-master) and its intended legitimate parent process (wksprt). 
  • One of the droppers (SHA-1: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4) has the internal DLL name DroneEXEHijackingLoader.dll and is disguised as a Windows Web Services Runtime library in order to be successfully side-loaded. The substring "drone" likely designates both a UAV device and the attacker's internal campaign name.
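The artifacts listed above give a defender a small set of concrete indicators to sweep for: a file hash, an internal DLL name, a PDB path and a resource string. The script below is an added example, not ESET's or The Register's code; the indicator values are taken from the article, while the sample buffers it scans are constructed in-line to exercise the logic and are not real malware. It checks each string indicator in both ASCII and UTF-16LE, because a PE export name is stored as ASCII whereas a version-resource `OriginalFilename` is UTF-16LE, and it matches only the ASCII tail of the ComparePlus PDB path so the Korean directory component's on-disk encoding does not matter.

```python
"""Offline IoC triage for the DreamJob loader artifacts named in the article."""
import hashlib
from pathlib import Path

# SHA-1 of the DroneEXEHijackingLoader dropper, as quoted in the article.
KNOWN_SHA1 = {"03d9b8f0fcf9173d2964ce7173d21e681dfa8da4"}

# String indicators quoted in the article. The PDB path is reduced to its
# ASCII tail so the match does not depend on how the Korean directory name
# (안정화) was encoded into the binary's debug record.
STRING_INDICATORS = {
    "internal_dll_name": "DroneEXEHijackingLoader.dll",
    "pdb_path_tail": r"comparePlus-master\Notepad++\plugins\ComparePlus\ComparePlus.pdb",
    "quanpin_resource": "SampleIMESimplifiedQuanPin.txt",
}


def _needles(text: str):
    """Byte forms to search for: ASCII (export table, CodeView record)
    and UTF-16LE (VERSIONINFO resource strings)."""
    return text.encode("ascii"), text.encode("utf-16-le")


def scan_bytes(data: bytes) -> dict:
    """Return {indicator_name: value} for every indicator found in data."""
    hits = {}
    digest = hashlib.sha1(data).hexdigest()
    if digest in KNOWN_SHA1:
        hits["sha1"] = digest
    for name, text in STRING_INDICATORS.items():
        if any(needle in data for needle in _needles(text)):
            hits[name] = text
    return hits


def scan_directory(root: str) -> dict:
    """Scan every regular file under root; return {path: hits} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


# --- constructed samples (not real binaries) ------------------------------
_PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16

# Mimics a loader whose only trace of the name is a UTF-16LE version resource.
DRONE_LOADER_SAMPLE = (
    _PE_STUB
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "DroneEXEHijackingLoader.dll".encode("utf-16-le") + b"\x00\x00"
)

# Mimics a binary carrying the ComparePlus debug record (RSDS + path).
COMPAREPLUS_SAMPLE = (
    _PE_STUB
    + b"RSDS" + b"\x00" * 20
    + b"E:\\Work\\Troy\\" + "안정화".encode("utf-8") + b"\\wksprt\\"
    + STRING_INDICATORS["pdb_path_tail"].encode("ascii") + b"\x00"
)

BENIGN_SAMPLE = _PE_STUB + b"Hello, world\x00"


def triage_samples() -> dict:
    """Run the scanner over the constructed samples; returns {label: hit names}."""
    samples = {
        "drone_loader": DRONE_LOADER_SAMPLE,
        "compareplus": COMPAREPLUS_SAMPLE,
        "benign": BENIGN_SAMPLE,
    }
    return {label: sorted(scan_bytes(blob)) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, names in triage_samples().items():
        print(f"{label:14s} -> {names or 'no indicators'}")
```

Point `scan_directory()` at a quarantine or collection folder to sweep real files; a hit on the PDB tail or the internal DLL name is worth a closer look even when the hash does not match, since the same source project can be rebuilt with a different hash.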

The final payload is ScoringMathTea (aka ForestTiger), a RAT that supports around 40 commands. It can manipulate files and processes, exchange configurations, collect victims' system info, open a TCP connection, and execute additional malware downloaded from the command-and-control server.

ESET previously documented ScoringMathTea used in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. ®
