Full Report
Researchers at ESET said they found evidence of a new tentacle of the long-running Operation DreamJob campaign — where North Korea’s Lazarus group sends malware-laden emails purporting to be from recruiters at top companies.
Analysis Summary
# Threat Actor: Lazarus Group (North Korean)
## Attribution & Identity
Lazarus Group is identified as a prolific North Korean hacking group. This specific activity is noted as a new tentacle of the long-running **Operation DreamJob** campaign.
## Activity Summary
The group is actively targeting at least three European companies involved in the manufacturing of drones and other military equipment. This activity is linked to Operation DreamJob, which utilizes fake recruiter emails to deliver malware. The primary goal of this recent activity appears to be stealing proprietary information and manufacturing know-how related to unmanned aerial vehicles (UAVs). ESET researchers theorize the intelligence is sought to aid North Korean soldiers deployed in Russia (allegedly operating reconnaissance drones against Ukrainian positions) and to assist in domestic UAV development. The campaign has been tracked since 2020.
## Tactics, Techniques & Procedures
- **Spearphishing:** Delivering malicious payloads via emails disguised as lucrative, fake job offers, often purporting to be from major corporations (e.g., Airbus in past attacks).
- **Social Engineering:** Using social engineering tactics related to recruitment campaigns (Operation DreamJob).
- **Payload Delivery:** Distributing malware bundled with PDF files that contain the fake job descriptions, so the lure document and the payload arrive together.
- **Information Stealing/System Takeover:** Deployment of the **ScoringMathTea** malware to seize control of infected machines and exfiltrate data.
- **Persistence/Lateral Movement (Implied):** Once ScoringMathTea controls a host it serves as a foothold for follow-on activity; the summary does not describe the specific persistence or lateral-movement techniques used.
- **Trojanization:** Lazarus has historically used similar methods to trojanize open-source applications.
## Targeting
- **Sectors:** Defense sector, companies manufacturing drones and military equipment/parts.
- **Geography:** Central and Southeastern Europe (recent targets). Previous victims tracked included organizations in Portugal, Germany, India, Poland, the U.K., and Italy.
- **Victims:** European companies involved in manufacturing UAVs or components used in Ukraine. ESET noted one target manufactures UAVs used in Ukraine and supplies parts for advanced single-rotor drones.
## Tools & Infrastructure
- **Malware families used:** **ScoringMathTea** (main payload utilized in this campaign, tracked since October 2022).
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are given in the summary. The delivery channel is email impersonating legitimate recruiters; in past related activity the group also used links that spoofed legitimate job sites such as Indeed and ZipRecruiter.
## Implications
This activity directly links cyber espionage to current geopolitical conflicts (the war in Ukraine), indicating North Korea is actively seeking foreign military technology to improve its domestic capabilities and support its deployed troops abroad. The consistent use of Operation DreamJob demonstrates the long-term effectiveness of their specialized espionage campaign against defense supply chains. Lazarus remains a diversified threat, also known for extensive financial theft (cryptocurrency) and IT worker schemes.
## Mitigations
- **Email Security:** Enhance email filtering and threat detection specifically targeting unsolicited job offers or unexpected attachments/PDFs, especially those containing recruitment themes targeting high-value engineering or defense staff.
- **Application Control:** Use allow-listing (for example AppLocker or WDAC on Windows) so that executables written to user-writable locations or launched by document viewers and archive tools cannot run, and disable script execution inside document viewers where the product supports it. Note that PDFs do not carry Office-style macros; the risk here is a payload delivered alongside the document or a viewer feature that launches external content.
- **Endpoint Detection and Response (EDR):** Deploy EDR that alerts on unexpected child processes of document viewers and archive tools, newly created persistence mechanisms, and unusual outbound connections from engineering workstations. These are the kinds of post-compromise behaviours an implant such as ScoringMathTea, which the summary describes as seizing control of the host and exfiltrating data, would generate.
- **Supply Chain Vetting:** Extend awareness training and suspicious-email reporting expectations to suppliers and partners handling military or dual-use technology, since the campaign targets component manufacturers and not only prime contractors.
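The first mitigation above calls for filtering recruitment-themed mail that carries unexpected attachments. The script below is an added example of such a triage check, written for this page; it is not ESET's tooling and not tied to any indicator from the report. It parses a raw message and scores four signals drawn from the TTPs described: recruitment wording, an attachment type that can carry or drop code (PDF, archive, executable), a recruiter-style display name on a free-mail sender domain, and an HTML link whose visible text names a job site such as Indeed while its `href` points elsewhere. The keyword list, the free-mail domain list, the job-site list and the two sample messages are all assumptions constructed for the example.

```python
"""Recruitment-lure e-mail triage. Added example; heuristics and samples are assumptions."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word list for job-offer lures (tune to your environment).
RECRUIT_TERMS = re.compile(
    r"\b(job offer|job description|recruit\w*|position|hiring|career\w*|opportunity|salary)\b", re.I)
# Attachment extensions that can carry or drop code; PDF is included because the
# campaign bundles its payload with a PDF job description.
RISKY_EXT = (".pdf", ".zip", ".7z", ".rar", ".iso", ".exe", ".scr", ".lnk", ".msi")
# Job sites whose names were spoofed in past DreamJob activity (assumed list).
JOB_SITES = ("indeed.com", "ziprecruiter.com", "linkedin.com")
# Free-mail providers a real corporate recruiter would not use (assumed list).
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}
RECRUITER_NAME = re.compile(r"recruit|talent|\bhr\b|hiring|careers", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text_parts = [], []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def spoofed_job_links(links):
    """Visible text claims a job site, but the href host is a different domain."""
    hits = []
    for href, text in links:
        host = (urlparse(href or "").hostname or "").lower()
        for site in JOB_SITES:
            if site in text.lower() and host != site and not host.endswith("." + site):
                hits.append((text, host))
    return hits


def recruiter_from_freemail(from_header):
    """Display name looks like a recruiter while the address is on a free-mail domain."""
    name, addr = parseaddr(str(from_header))
    return bool(RECRUITER_NAME.search(name)) and addr.rpartition("@")[2].lower() in FREEMAIL


def triage(raw_eml):
    """Return (score, reasons) for one RFC 5322 message; score >= 2 warrants analyst review."""
    msg = message_from_string(raw_eml, policy=default)
    texts, links, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():                 # declared attachment
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
            texts.append("".join(collector.text_parts))
    reasons = []
    if RECRUIT_TERMS.search(str(msg["Subject"] or "") + "\n" + "\n".join(texts)):
        reasons.append("recruitment-themed wording")
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("attachment that can carry code: " + ", ".join(risky))
    if recruiter_from_freemail(msg["From"] or ""):
        reasons.append("recruiter display name on a free-mail sender domain")
    for text, host in spoofed_job_links(links):
        reasons.append(f"link text '{text}' resolves to {host or '<no host>'}")
    return len(reasons), reasons


def build_sample_lure():
    """Constructed lure modelled on the TTPs above (not a real message)."""
    m = EmailMessage()
    m["From"] = "Airbus Talent Team <airbus.talent.hr@gmail.com>"
    m["To"] = "engineer@drone-maker.example"
    m["Subject"] = "Exclusive job offer: Senior UAV Flight Control Engineer"
    m.set_content("Please see the attached job description and apply via indeed.com.")
    m.add_alternative('<p>Please see the attached job description. Apply via '
                      '<a href="http://careers-portal.example/track?id=77">indeed.com/viewjob?jk=77</a>.</p>',
                      subtype="html")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="Job_Description_Airbus.pdf")
    return m.as_string()


def build_sample_benign():
    """Constructed internal message with no lure characteristics."""
    m = EmailMessage()
    m["From"] = "colleague@drone-maker.example"
    m["To"] = "engineer@drone-maker.example"
    m["Subject"] = "Sprint review moved to 15:00"
    m.set_content("Room 4B, bring the flight-test logs.")
    return m.as_string()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        score, reasons = triage(raw)
        print(score, reasons)
```

The lure scores 4 (all four signals fire) and the internal message scores 0. In production you would feed `triage` from the mail gateway's quarantine or journal stream, raise the threshold to fit your false-positive tolerance, and treat a PDF-only hit on a genuine recruiter domain as review material rather than a block, since legitimate job offers also arrive this way.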