Lazarus Group now using fake job ads to target European drone manufacturers
A fresh wave of Operation DreamJob, a long-term campaign linked to North Korea’s Lazarus Group, is targeting European defense contractors – mostly firms involved in drone and UAV development, researchers say.
ESET, a Slovak cybersecurity firm, says the new instance of Operation DreamJob suggests that it’s linked to North Korea’s current efforts to scale up its drone program.
The attackers, active since at least 2009 and responsible for high-profile incidents such as the Sony Pictures Entertainment hack, went after three defense companies in Central and Southeastern Europe, likely gaining access through carefully crafted social engineering lures.
Just like in earlier operations, where Lazarus Group targeted the chemical sector, IT and financial companies, targets were attracted to a lucrative job offer and lured to execute trojanized PDF readers or Virtual Network Computing (VNC) tools.
“This social engineering technique seems to have been working well for several years, suggesting that many employees still have insufficient awareness of the tactic,” ESET explained in its blog post.
Once inside, they deployed a remote-access trojan (RAT) known as ScoringMathTea, which gives the attackers control of the infected systems. The researchers believe the main goal was to steal proprietary data and sensitive manufacturing know-how.
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers themselves left a telling clue: the keyword “drone” in their payloads, directly suggesting one of their goals.
The three targeted organizations – which remain unnamed – manufacture different types of military equipment, many of which are currently deployed in Ukraine as a result of European countries’ military assistance.
#ESETresearch discovered a new wave of the well-known 🇰🇵 Lazarus campaign Operation DreamJob, now targeting the drone industry. @pkalnai @alexis_rapin https://t.co/lR9FTFnCCN 1/9
undefined ESET Research (@ESETresearch) October 23, 2025
At the time of Operation DreamJob’s observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in Russia’s Kursk region.
According to ESET researchers, it is thus possible that Operation DreamJob was interested in collecting sensitive information on Western-made weapons systems currently employed in the Russia-Ukraine war.
“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line,” said Alexis Rapin, an ESET cyberthreat analyst.
Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions.
“This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing.”
Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions – the “dream job” lure.
Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies, and the media and entertainment sector.
Lazarus Group is associated with the North Korean government’s Reconnaissance General Bureau. Its operations contribute to the country’s not-so-secretive development of nuclear weapons.
Unlock more exclusive Cybernews content on YouTube.
