
Operation DreamJob: Lazarus Expands Espionage to Europe’s Drone Industry

  • Writer: Ranjith Manne
  • Jan 19
  • 2 min read

ESET (Essential Security against Evolving Threats, a Slovak cybersecurity company) researchers have uncovered a new wave of Operation DreamJob, a long-running espionage campaign attributed to the North Korea-aligned Lazarus Group, that specifically targets European companies involved in unmanned aerial vehicle (UAV) / drone design, manufacturing, and supply chains. ESET observed attacks against at least three Central and Southeastern European companies, including metal engineering, aircraft-component, and defense companies whose products or components are linked to UAV models currently used in Ukraine. The activity has been observed since March 2025, and ESET publicly disclosed its findings in late October 2025.



How Did It Happen?

Lazarus used phishing built around fake job offers to trick engineers and contractors into running malicious files, combined with trojanized open-source tools and DLL (Dynamic Link Library) side-loading. Side-loading is a technique in which the attacker places a malicious DLL where a legitimate, signed program will look for it first, so the malware is loaded and executed by a trusted process; the operators used it both to establish persistence and to keep control of the host.

Victims received recruitment-style emails with “test” attachments or installers (PDF readers, trial apps) that tricked recipients into executing them.

The malicious attachments dropped loaders (for example, a component observed as DroneEXEHijackingLoader.dll) that sit beside a legitimate, signed executable and are loaded by it through DLL proxying/side-loading. Because the program that actually starts is the signed one, allow-listing, reputation and simple signature checks that look only at the launched executable are satisfied, and the malicious code runs inside a trusted process.
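The loading pattern just described leaves a recognisable trace in endpoint telemetry: a DLL that normally lives in System32 is loaded from the same user-writable directory as the process that imports it, and that copy is unsigned. The following hunting script is an added example written for this article, not ESET's code and not a rule from their report; it runs the heuristic over constructed Sysmon Event ID 7 (Image Loaded) records embedded inline. The list of commonly abused DLL names and the "trusted directory" prefixes are assumptions chosen for the example and should be tuned to the environment. Note that Sysmon EID 7 carries signature fields only for the loaded image, not for the host process, so the check cannot confirm that the carrier executable itself is signed.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image Loaded) records.

Heuristic (an assumption for this example, not an ESET detection rule):
  * the loaded DLL is unsigned,
  * its file name is one that normally resolves to System32,
  * it sits in the same directory as the process image, and
  * that directory is not a Windows or Program Files location.
"""
import json
import ntpath

# DLL names frequently abused for side-loading because many signed executables
# import them by bare name. Assumed list for this example; extend for your estate.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "mpr.dll", "secur32.dll",
}

# Locations where Windows and properly installed software keep DLLs; loads from
# here are ignored by this heuristic (assumed prefixes, lower-cased).
TRUSTED_PREFIXES = (
    r"c:\windows\system32" + "\\",
    r"c:\windows\syswow64" + "\\",
    r"c:\program files" + "\\",
    r"c:\program files (x86)" + "\\",
)


def _norm(path):
    """Normalise a Windows path for comparison (forward slashes, lower case)."""
    return path.replace("/", "\\").lower()


def is_sideload_candidate(event):
    """Return True if one Sysmon EID 7 record matches the side-loading shape."""
    if event.get("EventID") != 7:
        return False
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    if not image or not loaded:
        return False
    # Sysmon's Signed/Signature fields describe the loaded DLL, not the process.
    if str(event.get("Signed", "")).lower() == "true":
        return False
    if ntpath.basename(loaded) not in COMMON_SIDELOAD_NAMES:
        return False
    if ntpath.dirname(loaded) != ntpath.dirname(image):
        return False
    if loaded.startswith(TRUSTED_PREFIXES):
        return False
    return True


def hunt(jsonl_text):
    """Parse a JSON-lines Sysmon export and return the events that match."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            if is_sideload_candidate(event):
                hits.append(event)
    return hits


# Constructed sample telemetry for the example (not real events); JSON escapes
# the backslashes, so the raw string keeps them literal until json.loads runs.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\eng\\Downloads\\JobTest\\DroneSpec_Viewer.exe", "ImageLoaded": "C:\\Users\\eng\\Downloads\\JobTest\\version.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Users\\eng\\Downloads\\JobTest\\DroneSpec_Viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\App.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\dbghelp.dll", "Signed": "false", "Signature": ""}
{"EventID": 1, "Image": "C:\\Users\\eng\\Downloads\\JobTest\\DroneSpec_Viewer.exe", "CommandLine": "DroneSpec_Viewer.exe"}
{"EventID": 7, "Image": "C:\\Users\\eng\\Downloads\\JobTest\\DroneSpec_Viewer.exe", "ImageLoaded": "C:\\Users\\eng\\Downloads\\JobTest\\plugin.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Users\\eng\\AppData\\Local\\Temp\\Installer\\setup.exe", "ImageLoaded": "C:\\Users\\eng\\AppData\\Local\\Temp\\Installer\\wtsapi32.dll", "Signed": "false", "Signature": ""}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Of the six constructed records, two match: the unsigned version.dll next to the "job test" viewer in Downloads, and the unsigned wtsapi32.dll next to an installer in Temp. The same DLL name loaded from System32, an unsigned DLL with a non-system name, and a load inside Program Files are all ignored, which is the intended trade-off: the rule favours the user-writable staging directories a phishing lure drops into over broad coverage.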

The main post-compromise tool is the ScoringMathTea RAT (Remote Access Trojan). It gives operators interactive control (file operations, reconnaissance, process control) and can load extra DLL plug-ins for additional functionality. ESET notes the RAT has been used in DreamJob campaigns since at least 2022.

In some cases, rather than compromising GitHub accounts or upstream repositories, the attackers locally modified the source of less-popular open-source projects and plug-ins (Notepad++ and WinMerge plug-ins, MuPDF builds, etc.), built the tampered binaries themselves, and deployed them to targets to evade detection.


How is it known to the world?

ESET published a detailed research report describing the campaign, tactics, and malware samples on its WeLiveSecurity blog and shared Indicators of Compromise (IoCs) in its GitHub repository. Major cybersecurity outlets such as DarkReading and CSO then reported on ESET’s findings, helping spread awareness and giving security teams the information needed to detect and defend against the attack.


What is the Impact?

ESET assesses that the campaign most likely supports North Korea’s current effort to scale up its domestic drone program, based on the selection of targets and the regime’s geopolitical interest.

One of the targeted entities produces UAVs or UAV components similar to models currently used in Ukraine, and the attackers were most likely after manufacturing or design details for drone types that North Korea is actively developing.

The use of fake job offers, trojanized open-source tools, and the ScoringMathTea RAT shows that the campaign is focused on espionage (stealing sensitive information or secrets for intelligence purposes) rather than financial gain.

 

What are the preventive measures?

??????

 

Sources
