North Korean hackers target European defense firms with dream job scam
Lazarus is chasing drone know-how
- Lazarus Group used fake job offers to infect Southeastern European drone firms with malware
- Attackers stole proprietary UAV data and deployed a RAT for full system control
- Targeted drones are used in Ukraine; North Korea is developing similar aircraft
The infamous North Korean state-sponsored threat actor Lazarus Group has been targeting Southeastern European defense firms with its Operation DreamJob scams.
Security researchers at ESET claim the goal of the attacks was to steal the know-how and other proprietary information on unmanned aerial vehicles (UAV) and drones.
Lazarus is known for its work in supporting North Korea’s weapons development program. This is usually done by attacking crypto firms, stealing money, and then using it to fund research and development. In this case, the operation is somewhat different, but the goal is the same.
ScoringMathTea
Operation DreamJob is Lazarus’ signature move. The group would create fake companies, fake personas, and fake jobs, and then reach out to their targets, offering lucrative positions.
People who take the bait are usually invited to multiple rounds of “job interviews” and trials, in which they are asked to download PDF files, programs, apps, and code.
However, instead of actually completing any “trials”, the victims would simply be downloading malware.
ESET says the attacks took place in late 2024, at approximately the same time that North Korean soldiers were in Russia assisting the Russian army in the Kursk region. At least three companies were breached, and information on how to build drones was stolen.
The researchers explained that North Korea is building drones of its own, and that many of the materials used in Eastern European drones are also used in North Korea. They also explained that many of the drones designed in Eastern Europe are being used in the Ukrainian war, which is why they were of particular interest to Lazarus.
After breaching their targets, the attackers would deploy ScoringMathTea, a remote access trojan (RAT) that grants full control over the compromised machine.
“We believe that it is likely that Operation DreamJob was – at least partially – aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The drone mention observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks.
“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, ESET cyberthreat analyst.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.