Operation DreamJob: Lazarus Targets European Drone Makers with Malware Lures
The Lazarus hacking group has resurfaced—this time targeting European defence firms engaged in unmanned aerial systems development. ESET traces the activity to the DreamJob campaign, attributed to North Korea, which habitually employs bogus job offers to infect targets with malware.
On this occasion three companies in Central and Southeastern Europe were compromised, including a supplier of drone components and a developer of drone software. Initial access was obtained via malicious PDF readers bundled with purported job descriptions.
The primary tool deployed in this wave was the remote-access Trojan ScoringMathTea, previously observed in similar operations. The malware afforded the attackers full control of infected hosts—remote command execution, data exfiltration, and the deployment of additional modules. Command-and-control infrastructure was hosted within WordPress directories on compromised websites. Notably, analysts observed a library bearing the word “drone” in its name, a detail that suggests a deliberate interest in unmanned aerial technology.
Viewed against the geopolitical backdrop, ESET judges the campaign consistent with state-sponsored intelligence collection; however, it may also have sought information to accelerate Pyongyang’s own UAV programs. Open-source imagery and reporting indicate North Korea’s recent drone designs echo U.S. platforms such as the RQ-4 Global Hawk and MQ-9 Reaper, making Western engineering know-how particularly valuable.
Technically, the 2025 operations employed an updated toolkit. Alongside ScoringMathTea, operators used trojanized builds of libpcre, TightVNC, WinMerge and Notepad++ plugins, and a malicious loader dubbed QuanPinLoader disguised as a DirectInput library. DLL proxying was a common implantation method: malicious libraries exported legitimate functions while embedding harmful payloads.
Intriguingly, many components were disseminated via compromised open-source projects on GitHub, tailored to each victim. One dropper masqueraded as a Windows webservices.dll and bore the internal name DroneEXEHijackingLoader.dll—another pointer to the campaign’s UAV focus.
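A defender-side check for the DLL proxying described above, as an added example that is not from ESET or the original article: it scans Sysmon-style image-load records (Event ID 7 field names) for a Windows system DLL name loaded from outside the Windows directories. The events, the process paths and the three-name inventory are constructed for illustration, and `dinput8.dll` is only an assumed stand-in for the DirectInput library the article leaves unnamed.

```python
import ntpath

# Constructed sample inventory; in practice build it from a clean System32 listing.
# webservices.dll is named in the article, dinput8.dll and version.dll are assumptions.
SYSTEM_DLL_NAMES = {"webservices.dll", "dinput8.dll", "version.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

def _dir(path):
    # normpath collapses "..", so System32\..\Temp is not mistaken for System32
    return ntpath.dirname(ntpath.normpath(path)).lower()

def is_trusted_dir(path):
    d = _dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def find_sideload_candidates(events):
    """Return image loads where a system DLL name resolves outside Windows dirs."""
    hits = []
    for ev in events:
        loaded = ev["ImageLoaded"]
        name = ntpath.basename(loaded).lower()
        if name not in SYSTEM_DLL_NAMES or is_trusted_dir(loaded):
            continue
        ms_signed = ev.get("Signed") == "true" and ev.get("Signature") == "Microsoft Windows"
        hits.append({
            "process": ev["Image"],
            "dll": loaded,
            # A proxy DLL is typically planted next to the executable that imports it
            "beside_exe": _dir(loaded) == _dir(ev["Image"]),
            "severity": "medium" if ms_signed else "high",
        })
    return hits

# Constructed events (not taken from the campaign)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\JobOffer\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\JobOffer\webservices.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\webservices.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "false"},
    {"Image": r"C:\Tools\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\dinput8.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

A hit is a lead for triage, not a verdict: some legitimate applications ship private copies of redistributable DLLs beside their executables.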
The infection chain remained familiar: recipients received emails touting prestigious vacancies with attachments that, when opened, triggered a cascade of loaders. In one incident in Italy, poisoned variants of the MuPDF reader, Notepad++ plugins, and even Microsoft components were delivered. The endgame in each case was deployment of ScoringMathTea, which ESET notes has been used in similar intrusions since at least 2022 across India, Poland, the U.K., and Italy.
Despite the group’s recognizable tradecraft and public exposure, Lazarus continues to succeed through measured variation, technical refinement, and gaps in employee awareness within sensitive sectors. As North Korea expands drone production and shows clear interest in exporting military technologies, espionage directed at the unmanned systems sector is likely to intensify.