
Lazarus Targets European UAV Sector with Operation Dream Job Attacks

A new wave of cyber espionage attacks attributed to North Korea’s Lazarus Group has been observed targeting European defense and aerospace organizations involved in the unmanned aerial vehicle sector.

A new wave of cyber espionage attacks attributed to North Korea’s Lazarus Group (also tracked as Diamond Sleet, Hidden Cobra, and Zinc) has been observed targeting European defense and aerospace organizations involved in the unmanned aerial vehicle (UAV) sector. The campaign, detailed by ESET, continues the long-running Operation Dream Job, a social engineering operation that uses fake job offers to compromise high-value targets.

Background: The Evolution of Operation Dream Job

Since at least 2009, Lazarus has operated as a state-sponsored hacking group under the North Korean regime. Over the years, the group has launched numerous attacks across industries, including aerospace, defense, technology, and media.

The “Dream Job” campaign first gained notoriety for using fraudulent employment offers to target professionals with specialized expertise. Victims were lured into downloading malware disguised as job-related documents, granting attackers access to sensitive systems and intellectual property.

Recent Campaign: Focus on European Defense Firms

Between March and September 2025, ESET researchers identified several targeted intrusions against European organizations, including:

  • A metal engineering company

  • An aircraft component manufacturer

  • A defense firm developing drone technologies

Attackers sent phishing emails with ZIP file attachments or cloud-hosted links (e.g., Google Drive). These archives contained both a decoy job description PDF and a trojanized open-source PDF reader that installed the ScoringMathTea remote access trojan (RAT).

Once deployed, ScoringMathTea provided Lazarus with full control of the infected system, enabling data theft, espionage, and further lateral movement within the network.

Strategic Motives and Technical Analysis

ESET suggests the campaign’s timing and focus indicate an interest in UAV-related technologies, especially those used in European military assistance to Ukraine. North Korea’s recent involvement in the Russia-Ukraine conflict and its collaboration with Russian forces reinforce this connection.

Technical analysis revealed that all droppers used in the attacks shared a common DLL referencing “drone”, signaling Lazarus’s intent to obtain drone manufacturing designs, control software, and production methods.

This aligns with reports that Pyongyang is accelerating its domestic UAV development program, supported by Russian and Iranian technologies. Current evidence indicates North Korea is producing reverse-engineered variants of Western drones such as the RQ-4 Global Hawk and MQ-9 Reaper.

Implications and Conclusions

ESET concludes that Operation Dream Job’s recent evolution reflects North Korea’s shift toward targeted cyber espionage aimed at enhancing its military technology base. The attacks demonstrate Lazarus’s persistence, adaptability, and growing sophistication in combining social engineering, custom malware, and strategic intelligence collection to advance state objectives.

The findings also underscore the need for defense contractors and aerospace manufacturers to harden security awareness, deploy advanced endpoint protection, and monitor for malware masquerading as legitimate applications or documents.
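
As an added example (not from ESET or the original post), the delivery pattern described above, a ZIP that pairs a decoy PDF with an executable "reader", can be triaged at the mail gateway or on download by checking file headers rather than file names. The archive member names and contents are constructed, and `triage_zip` and `build_sample` are hypothetical helpers.

```python
import io
import zipfile

PE_MAGIC, PDF_MAGIC = b"MZ", b"%PDF-"   # Windows PE (.exe/.dll) and PDF headers
EXEC_EXT = (".exe", ".dll", ".sys")

def classify(head: bytes) -> str:
    """Classify a member by its leading bytes, ignoring its file name."""
    if head.startswith(PE_MAGIC):
        return "pe"
    return "pdf" if head.startswith(PDF_MAGIC) else "other"

def triage_zip(data: bytes) -> dict:
    """Return findings for one ZIP attachment given as raw bytes."""
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:          # only the header bytes are needed
                kinds[info.filename] = classify(fh.read(8))
    pdfs = sorted(n for n, k in kinds.items() if k == "pdf")
    pes = sorted(n for n, k in kinds.items() if k == "pe")
    return {
        "documents": pdfs,
        "executables": pes,
        # PE content behind a non-executable extension
        "disguised": [n for n in pes if not n.lower().endswith(EXEC_EXT)],
        # pattern from the article: a document shipped with its own "reader"
        "bundle_pattern": bool(pdfs) and bool(pes),
    }

def build_sample(members: dict) -> bytes:
    """Build a constructed ZIP in memory; names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: stubs carrying only the magic bytes, not real files.
SUSPICIOUS = build_sample({
    "JobDescription.pdf": b"%PDF-1.7 constructed decoy",
    "PdfReader.exe": b"MZ constructed stub",
    "libreader.dat": b"MZ constructed stub",
})
BENIGN = build_sample({"JobDescription.pdf": b"%PDF-1.7 constructed"})

if __name__ == "__main__":
    print(triage_zip(SUSPICIOUS))
    print(triage_zip(BENIGN))
```

Password-protected archives make `zf.open` raise `RuntimeError`, so route those to manual review instead of treating them as clean.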