Full Report
Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job. "Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea's current efforts to scale up its
Analysis Summary
# Threat Actor: Lazarus Group (and associated clusters)
## Attribution & Identity
* **Attribution:** Threat actors with ties to North Korea.
* **Known Aliases and Associated Groups:** Lazarus Group, APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, UNC2970.
* **Associated Clusters/Campaigns:** DeathNote, NukeSped, Operation In(ter)ception, Operation North Star.
## Activity Summary
The actors are currently engaged in a long-running cyber espionage campaign known as **Operation Dream Job**, first exposed in 2020. The latest observed activity wave began in late March 2025, targeting European defense industry companies, specifically those involved in the Unmanned Aerial Vehicle (UAV) sector, aligning with North Korea's drone program scaling efforts. Historically, the actor has been operational since at least 2009 and previously targeted entities in India and Poland (early 2023). The primary objective of Operation Dream Job is to steal proprietary information and manufacturing know-how.
## Tactics, Techniques & Procedures
* **Social Engineering:** Leveraging spearphishing lures involving "lucrative but faux job offers" (akin to Contagious Interview). Targets are approached with fake job opportunities to gain initial access.
* **Initial Compromise:** Targets receive a decoy document containing a job description and a trojanized PDF reader file to open it.
* **Execution Chain:** The attack chain leads to binary execution, which is responsible for sideloading a malicious DLL.
* **Payload Deployment:** The DLL drops the main payload, **ScoringMathTea**, and a sophisticated downloader, **BinMergeLoader**.
* **Secondary Payload Fetching:** BinMergeLoader utilizes Microsoft Graph API and tokens to fetch additional payloads.
* **Polymorphism:** The group consistently deploys ScoringMathTea using similar methods to trojanize open-source applications, employing polymorphism to evade detection.
## Targeting
* **Sectors:** Defense Industry, Aerospace, Drone/UAV Sector, Metal Engineering, Aircraft Component Manufacturing.
* **Geography:** Europe (Southeastern Europe, Central Europe).
* **Victims:** Specific entities mentioned include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.
## Tools & Infrastructure
* **Malware families used:**
  * **ScoringMathTea:** Advanced Remote Access Trojan (RAT) supporting approximately 40 commands to achieve full control (also known as ForestTiger).
  * **MISTPEN:** Used in connection with this campaign; BinMergeLoader functions similarly.
  * **BinMergeLoader:** Sophisticated downloader used to fetch additional payloads.
* **Infrastructure:** Specific IPs/URLs were not detailed in the summary, though the use of Microsoft Graph API for payload fetching is noted.
## Implications
This activity signifies a strategic focus by North Korea on acquiring sensitive technology related to drone development from European defense contractors. The consistent use of high-touch social engineering (fake job offers) combined with established, polymorphic malware like ScoringMathTea suggests a well-resourced and patient cyber espionage apparatus dedicated to military-technological gain.
## Mitigations
* Implement strict verification processes for unexpected job offers or unsolicited communications, especially those leading to file execution.
* Enhance endpoint detection and response capabilities to monitor for DLL sideloading techniques.
* Review configurations related to Microsoft Graph API usage and token authentication for anomalous activity indicative of third-party payload retrieval.
* Train personnel, particularly engineering and R&D staff, on social engineering tactics focused on career opportunities.
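The execution chain above (a trojanized PDF reader sideloading a malicious DLL from the directory it was dropped into) is the pattern the second mitigation asks defenders to monitor. The following detection logic is an added example, not code from the original report or from ESET; it runs over constructed Sysmon Event ID 7 style image-load records and flags loads where a DLL carrying a well-known Windows system DLL name is loaded from the loading executable's own directory under a user-writable path. The system DLL name list and the sample events are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Names of DLLs that legitimately live in the Windows system directories. A file
# with one of these names sitting beside an executable in a user-writable folder
# is the classic sideloading setup. Constructed list for this example only.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "userenv.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def is_sideload_candidate(event: dict) -> bool:
    """event carries 'Image' (the loading process) and 'ImageLoaded' (the DLL),
    both Windows paths, as in a Sysmon Event ID 7 record."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return False                      # not impersonating a system DLL
    if str(dll).lower().startswith(SYSTEM_DIRS):
        return False                      # genuine copy from System32/SysWOW64
    same_dir = str(dll.parent).lower() == str(exe.parent).lower()
    user_dir = str(exe).lower().startswith(USER_WRITABLE_PREFIXES)
    return same_dir and user_dir


def find_sideloads(events):
    """Return the subset of image-load events matching the sideloading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # benign: a reader in Program Files loading the real version.dll
    {"Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # suspicious: a reader dropped with a "job offer" loads version.dll beside itself
    {"Image": r"C:\Users\alice\Downloads\JobOffer\PDFReader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\JobOffer\version.dll"},
    # app-local DLL with a non-system name: not flagged by this rule
    {"Image": r"C:\Users\alice\Downloads\JobOffer\PDFReader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\JobOffer\reader_core.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

Signature status fields from the same event (where available) can be added as a second condition to reduce false positives from legitimately redistributed runtime DLLs.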