Lazarus, a state-sponsored North Korean cyber espionage group also known as HIDDEN COBRA, is actively targeting European drone manufacturing companies with a new cyber espionage campaign dubbed Operation DreamJob. This sophisticated operation, which began in late March 2025, aims to steal proprietary information and intellectual property from organizations developing unmanned aerial vehicle (UAV) technology. The attacks underscore North Korea’s strategic interest in advancing its domestic drone program, particularly in light of modern warfare capabilities being demonstrated in ongoing global conflicts.
The campaign specifically focuses on UAV technology developers throughout Central and Southeastern Europe. Researchers have identified at least three European companies as targets, with two of them significantly involved in designing advanced single-rotor drones and producing critical components for UAVs currently used in active conflict zones. The timing of these attacks aligns with North Korea’s reported efforts to accelerate the mass production of combat and reconnaissance drones, mirroring Western models such as the MQ-9 Reaper and RQ-4 Global Hawk.
Lazarus Hackers Focus on Drone Technology Amidst Geopolitical Shifts
The Lazarus group’s renewed focus on drone manufacturing highlights a broader geopolitical strategy. Analysts suggest that North Korea is seeking to bridge technological gaps by acquiring advanced designs and manufacturing techniques through cyber means. This is particularly relevant given the observed use of drones in recent conflicts, which has emphasized their importance in reconnaissance, surveillance, and strike operations. By targeting European manufacturers, Lazarus aims to gain a critical advantage in developing its own indigenous drone capabilities, potentially reducing its reliance on external suppliers and accelerating its military modernization efforts.
The observed attacks use advanced malware infrastructure and sophisticated delivery mechanisms designed to bypass conventional cybersecurity defenses. WeLiveSecurity researchers have detailed the execution chains employed in Operation DreamJob, which leverage social engineering tactics to infiltrate target networks. This approach involves the distribution of seemingly legitimate job offers, enticing employees to download trojanized documents that initiate the infection process.
Infection Mechanism and Evasion Techniques
The primary infection vector identified in Operation DreamJob is DLL side-loading, a technique that exploits legitimate Windows applications to load malicious libraries without raising immediate security alarms. Attackers have embedded their malware within trojanized versions of widely used open-source software, including TightVNC Viewer, MuPDF reader, and WinMerge plugins. In one notable instance, a dropper file was found with the internal name DroneEXEHijackingLoader.dll, directly indicating the attackers’ specific interest in drone technology.
The principal payload deployed throughout these incidents is ScoringMathTea, a potent remote access trojan (RAT). This malware grants attackers extensive control over compromised systems, offering approximately 40 distinct commands for system manipulation, data exfiltration, and the deployment of further malicious payloads. A key feature that elevates the danger of ScoringMathTea is its ability to remain completely encrypted while stored on disk, only decrypting in memory during execution. This makes traditional file-based detection methods significantly less effective, necessitating advanced behavioral monitoring solutions for effective threat detection.
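Because the payload stays encrypted on disk, the side-loading step itself is a better hunting point than file hashes. The following is an added example, not code from the original article or the researchers: it scores Sysmon image-load records (Event ID 7) for a DLL loaded from the host executable's own directory. The event records, all paths and file names, the trusted-root list and the two-signal threshold are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: software installed by an administrator lives under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def sideload_findings(events):
    """Return (image, dll, reasons) for suspicious Sysmon Event ID 7 records."""
    findings = []
    for e in events:
        image = PureWindowsPath(e["Image"])
        dll = PureWindowsPath(e["ImageLoaded"])
        # Side-loading plants the library next to the legitimate host EXE,
        # so only DLLs loaded from the host's own directory are of interest.
        if dll.suffix.lower() != ".dll" or dll.parent != image.parent:
            continue
        reasons = []
        if not str(image).lower().startswith(TRUSTED_ROOTS):
            reasons.append("host runs outside trusted install roots")
        if e.get("Signed") != "true" or e.get("SignatureStatus") != "Valid":
            reasons.append("DLL is not validly signed")
        orig = e.get("OriginalFileName", "-")
        if orig not in ("", "-") and orig.lower() != dll.name.lower():
            reasons.append("on-disk name differs from OriginalFileName " + orig)
        # Assumed threshold: two independent signals keep portable apps quiet.
        if len(reasons) >= 2:
            findings.append((str(image), str(dll), reasons))
    return findings

def make_event(image, loaded, signed, status, orig):
    return {"Image": image, "ImageLoaded": loaded, "Signed": signed,
            "SignatureStatus": status, "OriginalFileName": orig}

# Constructed events; every path and file name here is a placeholder.
SAMPLE_EVENTS = [
    make_event(r"C:\Users\j.doe\Downloads\offer\viewer.exe",
               r"C:\Users\j.doe\Downloads\offer\libexample.dll",
               "false", "Unavailable", "ConstructedLoader.dll"),
    make_event(r"C:\Users\j.doe\Downloads\offer\viewer.exe",
               r"C:\Windows\System32\kernel32.dll", "true", "Valid", "kernel32"),
    make_event(r"C:\Program Files\ExampleApp\app.exe",
               r"C:\Program Files\ExampleApp\core.dll", "true", "Valid", "core.dll"),
    make_event(r"C:\Users\j.doe\Tools\portable\tool.exe",
               r"C:\Users\j.doe\Tools\portable\plugin.dll", "true", "Valid", "plugin.dll"),
]

if __name__ == "__main__":
    for image, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(dll, "<-", image, reasons)
```

Sysmon does not log image loads by default, so this only works where ImageLoad logging has been enabled in the Sysmon configuration.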
The continued and evolving threat posed by the Lazarus group’s operations is of significant concern to the European aerospace and defense sectors. The sophisticated nature of Operation DreamJob underscores the need for heightened vigilance and robust cybersecurity measures within these critical industries. The group’s ability to adapt its tactics and target specific technological advancements highlights the persistent threat of nation-state-backed cyber espionage. The ongoing investigations into these attacks will likely focus on identifying the full extent of compromised data and the broader implications for European defense capabilities. The next steps will likely involve further analysis of the malware’s capabilities and attribution efforts, as well as the implementation of enhanced security protocols by affected companies and cybersecurity agencies.

