ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
**Attribution:** North Korea-aligned Advanced Persistent Threat (APT) group.
**Known Aliases:** HIDDEN COBRA.
**Associated Groups/Operations:** Operation DreamJob, DeathNote, Operation North Star.
## Activity Summary
Lazarus was observed conducting a recent instance of the **Operation DreamJob** cyberespionage campaign, targeting several European companies active in the defense sector, particularly those involved in the Unmanned Aerial Vehicle (UAV) sector. The primary goal appears to be cyberespionage, focusing on stealing proprietary information and manufacturing know-how, which aligns with North Korea's reported focus on scaling up its drone program. The latest observed activity began in late March 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Social engineering, leveraging fake job offers ("dream job" lure) leading to the use of trojanized open-source projects (from GitHub) as droppers/loaders.
- **Execution/Persistence:** Deployment of trojanized open-source plugins for software like Notepad++ and WinMerge.
- **Defense Evasion:** Introduction of new libraries designed for DLL Proxying; reflective DLL injection (T1055).
- **Payload Delivery:** Droppers/loaders contain an embedded data array with an additional stage (T1620).
- **Obfuscation:** Payloads (like ScoringMathTea) are encrypted on the file system (T1027.007) and use dynamic API resolution (T1027.009).
- **Privilege Escalation:** ScoringMathTea can create a new process using the existing security context via Access Token Manipulation (T1140).
- **Discovery:** File and Directory Discovery (T1083), Process Discovery (T1057), System Information Discovery (T1082).
- **Command and Control (C2):** Utilizes Web Protocols (HTTP/HTTPS) (T1071.001). C2 traffic is encrypted using Symmetric Cryptography (T1573.001) and layered with Base64 encoding (T1132.001).
- **Exfiltration:** Exfiltration Over C2 Channel (T1041).
## Targeting
- **Sectors:** Aerospace and Defense industry, Engineering and Technology companies. Specifically targeted companies involved in the **Unmanned Aerial Vehicle (UAV) sector**.
- **Geography:** European companies (Southeastern Europe and Central Europe mentioned).
- **Victims:** A metal engineering company, a manufacturer of aircraft components, and a defense company across Europe.
## Tools & Infrastructure
- **Malware Families Used:** **ScoringMathTea** (main payload), **BinMergeLoader**, ImprudentCook, BlindingCan, miniBlindingCan, LightlessCan, SimplexTea (Linux).
- **Droppers/Loaders:** Custom droppers noted with the internal DLL name `DroneEXEHijackingLoader.dll`.
- **Infrastructure:** Uses HTTP/HTTPS for C2 communication. (No specific URLs or IPs were provided in the summary text to defang). Encryption schemes included IDEA (ScoringMathTea) and AES (BinMergeLoader).
## Implications
Lazarus's focus on the UAV sector directly supports North Korea's documented efforts to enhance its drone capabilities. The successful compromise of European defense contractors via sophisticated social engineering and evolving malware techniques indicates a continued, high-priority intelligence collection effort targeting sensitive defense technology.
## Mitigations
- Implement stringent social engineering awareness training focused on recognizing fake/high-value job offers.
- Scrutinize and validate all attachments and documents received via lures associated with job applications.
- Monitor for reflective DLL injection techniques (T1055) and unusual process creation from legitimate applications.
- Harden systems against data exfiltration attempts over standard web protocols, looking for unusual C2 encryption patterns.
- Be wary of trojanized open-source projects, even those sourced from platforms like GitHub.
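As an added detection example (not code from ESET's report or from this page), the following Python triages constructed Sysmon-style Event ID 7 (ImageLoaded) and Event ID 1 (ProcessCreate) records for the two behaviours called out above: a plugin DLL loaded by Notepad++ or WinMerge whose hash is not in an approved baseline, and a child process spawned by one of those editors. The host application names, the plugin folder layout and the hash baseline are assumptions.

```python
"""Triage constructed Sysmon-style events for two behaviours summarised above:
a trojanized Notepad++ / WinMerge plugin DLL being loaded (Event ID 7) and an
unusual child process spawned by those editors (Event ID 1).
Every event, path and hash below is a constructed sample, not an IoC."""
import json
import ntpath

# Host applications the report names as carriers of trojanized plugins.
HOST_APPS = {"notepad++.exe", "winmergeu.exe"}
# Folder markers that identify a plugin load (assumed default install layout).
PLUGIN_DIR_MARKERS = ("\\plugins\\", "\\mergeplugins\\")
# Approved plugin DLL hashes; a real baseline comes from the official releases.
APPROVED_PLUGIN_SHA256 = {"0" * 64}  # constructed placeholder

SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ImageLoaded":"C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll","Hashes":"SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID":7,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ImageLoaded":"C:\\Program Files\\Notepad++\\plugins\\NppSaveAsAdmin\\NppSaveAsAdmin.dll","Hashes":"SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"EventID":7,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Hashes":"SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\WinMerge\\WinMergeU.exe","CommandLine":"cmd.exe /c whoami"}
{"EventID":1,"Image":"C:\\Program Files\\WinMerge\\WinMergeU.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WinMergeU.exe"}
"""

def sha256_of(event):
    """Extract the SHA256 value from Sysmon's 'ALG=hash,ALG=hash' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def triage_event(event):
    """Return a finding string for a suspicious event, or None."""
    if event.get("EventID") == 7:
        host = ntpath.basename(event["Image"]).lower()
        loaded = event["ImageLoaded"]
        is_plugin = any(m in loaded.lower() for m in PLUGIN_DIR_MARKERS)
        if host in HOST_APPS and is_plugin and sha256_of(event) not in APPROVED_PLUGIN_SHA256:
            return f"unbaselined plugin DLL loaded by {host}: {loaded}"
    elif event.get("EventID") == 1:
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent in HOST_APPS:
            return f"child process spawned by {parent}: {event.get('CommandLine')}"
    return None

def triage(ndjson):
    """Run triage_event over newline-delimited JSON; return all findings in order."""
    return [f for f in (triage_event(json.loads(l)) for l in ndjson.splitlines() if l.strip()) if f]
if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hash baseline rather than a signature check is deliberate: many legitimate Notepad++ plugins ship unsigned, so an "unsigned DLL" rule alone would be noisy, while a known plugin name with an unexpected hash is exactly what a trojanized plugin looks like.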