North Korean state-sponsored group Lazarus is aiming at European companies tied to the unmanned aerial vehicle (UAV) sector in new attacks as part of Operation Dream Job, ESET reports.
Also tracked as Diamond Sleet, Hidden Cobra, and Zinc, the Lazarus Group has been active since at least 2009, and has been blamed for numerous high-profile hacks.
Over the past half a decade, the threat actor has been engaging in intrusion campaigns that relied on fake job offers targeting individuals in the aerospace, defense, engineering, media and entertainment, and technology sectors.
The “dream job” offers were meant to infect the victims’ systems with various backdoors. This has provided Lazarus with a foothold into the individuals’ organizations, allowing it to steal intellectual property and other sensitive information.
Starting March 2025, ESET notes in a new report, similar Operation Dream Job attacks have been targeting European companies in the defense sector, including a metal engineering company, an aircraft components manufacturer, and a defense company.
Relying on social engineering, Lazarus used fake job offers to send a decoy document with a job description to its victims. The document was accompanied by a trojanized open source PDF reader, which deployed the ScoringMathTea remote access trojan.
First observed in 2022 and used numerous times in Operation Dream Job attacks, the malware provides the attackers with full control over the infected systems and relies on compromised servers for command-and-control (C&C) communication.
According to ESET, the campaign could be focused on collecting information on weapon systems deployed in Ukraine as part of European countries’ military assistance. The attacks occurred while North Korean soldiers were active in Russia to reportedly help repel Ukraine’s offensive in the Kursk region.
At the same time, the victim organizations produce materials that North Korea manufactures domestically, and the intrusions could be aimed at gathering information to perfect designs and processes. A DLL in all droppers used in these attacks suggests a focus on drone manufacturers.
At least two of the victims are heavily involved in the development of UAV technology. One of them makes critical drone components, while the other is reportedly engaged in building UAV-related software.
“The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities,” ESET notes.
Reportedly, North Korea is reinforcing its drone program based on its recent experience with modern warfare as part of the Russia-Ukraine war, and is receiving assistance from Russia to produce its version of the Iranian-made Shahed drone, as well as low-cost attack UAVs for export.
As ESET points out, North Korea has developed its domestic UAV capabilities through reverse engineering and the theft of intellectual property, and its Saetbyol‑4 and Saetbyol‑9 drones are copies of the Northrop Grumman RQ‑4 Global Hawk and General Atomics MQ‑9 Reaper, respectively.
“In this context, we believe that it is likely that Operation DreamJob was – at least partially – aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The ‘Drone’ mention observed in one of the droppers significantly reinforces this hypothesis,” ESET notes.
Related: North Korean Hackers Have Stolen $2 Billion in Cryptocurrency in 2025
Related: North Korea’s Fake Recruiters Feed Stolen Data to IT Workers
Related: North Korean Hackers Take Over Victims’ Systems Using Zoom Meeting
Related: North Korean Hackers Distributed Android Spyware via Google Play
