North Korean state-sponsored hackers are reportedly targeting European defense companies with sophisticated phishing campaigns, using fake job offers to infiltrate their systems and steal sensitive drone technology. The operation, dubbed "Operation Dream Job," aims to bolster North Korea's growing drone program by acquiring proprietary information and manufacturing expertise.

Key Takeaways

• North Korean hackers are using fake job offers to target defense engineers.

• The primary goal is to steal drone technology and related intellectual property.

• Malware families like ScoringMathTea and MISTPEN are employed in these attacks.

• The campaign has been active since at least late March 2025.

Operation Dream Job Unveiled

Cybersecurity researchers have identified a persistent threat campaign linked to North Korea, specifically targeting companies involved in the unmanned aerial vehicle (UAV) sector. This operation, known as "Operation Dream Job," leverages social engineering tactics to trick defense engineers into downloading malware. The ultimate objective is to acquire valuable data and know-how crucial for advancing North Korea's drone capabilities.

Attack Methods and Malware

The attackers approach potential victims with enticing job opportunities, often presenting them with a decoy document containing a job description alongside a trojanized PDF reader. Upon opening the document, the malware is executed. This initial infection can lead to the deployment of advanced Remote Access Trojans (RATs) like ScoringMathTea, which allows attackers to gain complete control over compromised systems. Other malware families, such as MISTPEN, are also utilized, functioning as sophisticated downloaders that fetch additional malicious payloads.

Lazarus Group's Modus Operandi

"Operation Dream Job" is attributed to the prolific Lazarus Group, a notorious North Korean hacking collective also known by various other aliases. This group has been operational for over a decade and has consistently employed similar tactics, including the use of ScoringMathTea and the trojanization of open-source applications. Their methods, while predictable, have proven effective in evading security detection and achieving their espionage objectives.

Targeted Industries and Timeline

The campaign, which ESET researchers observed starting in late March 2025, has targeted several entities, including a metal engineering firm in Southeastern Europe, an aircraft component manufacturer in Central Europe, and another defense company in Central Europe. ScoringMathTea has been previously linked to attacks on Indian technology firms and Polish defense contractors, while MISTPEN has been observed in intrusions targeting energy and aerospace companies.

Sources

• North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets, The Hacker News.