A long-running campaign tracked as Operation DreamJob has been observed targeting the manufacturing industry with carefully staged social engineering. In August 2025 the operators compromised an Asian subsidiary of a major European manufacturing company by disguising a malicious archive as a job offer delivered over WhatsApp Web. The incident shows how threat actors keep adapting their delivery methods to reach high-value targets in the manufacturing sector.
The attack chain began when a project engineer at the targeted organization received a seemingly legitimate job-related message on WhatsApp Web. The message prompted the recipient to download and extract a ZIP archive. The archive contained a decoy PDF file, a genuine copy of the open-source document viewer SumatraPDF.exe, and a malicious DLL named libmupdf.dll. Because the viewer was launched from the folder it was extracted to, Windows resolved the library name to the attacker's copy sitting next to it: a DLL sideloading technique that turns a trusted, legitimately signed application into the launcher for the payload.
Operation DreamJob Exploits WhatsApp Web for Manufacturing Sector Infiltration
Security analysts from Orange Cyberdefense investigated the incident and attribute it with medium confidence to the North Korean UNC2970 threat cluster. Their analysis identified the malware families BURNBOOK and MISTPEN, together with compromised SharePoint and WordPress sites used as command and control (C2) infrastructure. The operators stayed active in the compromised network for at least six consecutive hours of hands-on-keyboard activity.
When the engineer opened the decoy PDF with the bundled SumatraPDF.exe, the viewer loaded the adjacent libmupdf.dll, which the researchers identified as a recent variant of the BURNBOOK loader. This gave the attackers their initial foothold and let them begin reconnaissance inside the manufacturing company's network. The phase succeeded because nothing in it looked unusual on its own: a trusted messaging channel, a well-known open-source viewer, and a PDF.
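The sideloading pattern above is easier to catch on the endpoint than the lure is to catch in the messenger: a signed executable in a user-writable folder loading an unsigned DLL from that same folder is the shape to alert on. The following Python is an added example, not code from the article or from Orange Cyberdefense. It models Sysmon Event ID 7 (ImageLoad) fields and adds a static check for the archive contents; the paths, account name and the list of user-writable directories are constructed assumptions.

```python
"""Triage helpers for the DLL side-loading shape described above.

Added example, not from the original article or Orange Cyberdefense. Event
fields mirror Sysmon Event ID 7 (ImageLoad); all sample data is constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations an ordinary user can write to. A signed EXE pulling an unsigned DLL
# from here is the classic side-load; the list itself is an assumption.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\", "\\public\\")
EXECUTABLE = {".exe", ".scr", ".com"}
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


@dataclass
class ImageLoad:
    image: str             # Sysmon Image: the process that loaded the DLL
    image_loaded: str      # Sysmon ImageLoaded: the DLL that was mapped
    signed: bool           # Sysmon Signed
    signature_status: str  # Sysmon SignatureStatus, "Valid" when the signature checks out


def is_sideload(ev: ImageLoad) -> bool:
    """True when a DLL is loaded from the process's own directory, that directory is
    user-writable, and the DLL is unsigned or its signature is not valid."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    writable = any(t in str(dll).lower() for t in USER_WRITABLE)
    untrusted = (not ev.signed) or ev.signature_status.lower() != "valid"
    return same_dir and writable and untrusted


def triage(events):
    """Return (process, dll) pairs that deserve an analyst's attention."""
    return [(e.image, e.image_loaded) for e in events if is_sideload(e)]


def looks_like_lure_bundle(names):
    """Static check on an extracted archive: a document lure shipped together with an
    executable and at least one DLL is the bundle shape this campaign used."""
    suffixes = {PureWindowsPath(n).suffix.lower() for n in names}
    return bool(suffixes & DOCUMENT) and bool(suffixes & EXECUTABLE) and ".dll" in suffixes


# Constructed Sysmon-style events (paths and the account name are made up).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\engineer\Downloads\JobOffer\SumatraPDF.exe",
              r"C:\Users\engineer\Downloads\JobOffer\libmupdf.dll", False, "Unavailable"),
    ImageLoad(r"C:\Users\engineer\Downloads\JobOffer\SumatraPDF.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\comctl32.dll", True, "Valid"),
    # Signed DLL beside a signed EXE in Downloads: noisy but not the side-load shape.
    ImageLoad(r"C:\Users\engineer\Downloads\Tools\vendor.exe",
              r"C:\Users\engineer\Downloads\Tools\helper.dll", True, "Valid"),
]

if __name__ == "__main__":
    for proc, dll in triage(SAMPLE_EVENTS):
        print(f"possible side-load: {proc} -> {dll}")
    print(looks_like_lure_bundle(["Job_Description.pdf", "SumatraPDF.exe", "libmupdf.dll"]))
```

The rule deliberately ignores signed DLLs and system directories so it stays quiet on normal software; a valid signature on the DLL is not proof of safety, so treat a hit as a triage lead rather than a verdict, and pair it with the archive check at the mail or chat gateway where the ZIP first arrives.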
Advanced Persistence and Lateral Movement Mechanisms
Following the initial infiltration, the threat actors worked to widen their access and entrench themselves across the manufacturing network, mapping the environment to pick targets before moving laterally.
The attackers issued a high volume of Lightweight Directory Access Protocol (LDAP) queries against Active Directory to enumerate the users and computers in the domain, a standard preparatory step for lateral movement. That map of the environment let them single out the accounts and hosts that would carry them furthest.
Subsequently, the threat actors compromised both backup and administrative accounts. They used pass-the-hash, which authenticates over the network with a captured NTLM hash instead of a plaintext password, so the password itself never has to be recovered. This gave them access equivalent to that of legitimate administrators and significantly expanded what they could do within the network.
With their elevated privileges, the attackers deployed an additional payload, TSVIPsrv.dll, identified as a MISTPEN backdoor variant. It decrypted and executed a component named wordpad.dll.mui directly in memory, leaving little on disk for defenders to recover. That module then communicated with the compromised SharePoint servers, using them for covert command and control.
The final stage was the deployment of Release_PvPlugin_x64.dll, an information-stealing component built to collect and exfiltrate sensitive data from the compromised systems. Successful exfiltration would be the culmination of the operation, putting the manufacturer's intellectual property, client information and operational details at risk.
Operation DreamJob and campaigns like it underscore the need for robust defenses in the manufacturing sector. Organizations should train employees to recognize recruitment-themed social engineering, deploy endpoint detection and response (EDR) tooling, and monitor for the anomalies this chain produces: signed binaries loading unsigned DLLs from user-writable folders, bursts of LDAP enumeration, and privileged NTLM logons from ordinary workstations. As attackers keep abusing messaging platforms and legitimate software, defenses have to be proactive and adapt with them.