Full Report
North Korean Lazarus hackers compromised three European companies in the defense sector through a coordinated Operation DreamJob campaign leveraging fake recruitment lures. [...]
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korea (DPRK). Associated with the long-running **Operation DreamJob** campaign.
## Activity Summary
Lazarus hackers targeted three European defense sector companies via a coordinated **Operation DreamJob** campaign detected in late March. The campaign focused on organizations involved in the development of Unmanned Aerial Vehicle (UAV) technology, consistent with North Korea's efforts to build its drone arsenal. The compromised companies manufacture critical drone components or develop UAV-related software, and the military equipment they supply is currently deployed in Ukraine.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Used fake recruitment lures (social engineering) under Operation DreamJob, posing as recruiters for high-profile roles.
- **Delivery:** Targets were tricked into launching trojanized open-source applications or plugins (e.g., MuPDF viewer, Notepad++, WinMerge plugins, TightVNC Viewer, libpcre, and DirectX wrappers).
- **Defense Evasion/Execution:** Employed **DLL sideloading**: a legitimate executable that resolves a dependency by name from its own directory was paired with a malicious DLL of that name, so the trusted binary, not the attacker's own process, loaded the payload.
- **Execution:** The payload was decrypted and mapped directly into memory using **MemoryModule-style routines**, so the decrypted code is never written to disk as a file an antivirus scanner could inspect.
- **Command and Control (C2):** Established communication using the **ScoringMathTea RAT**.
- **Alternative C2/Delivery:** An alternative chain used a malware loader named **BinMergeLoader** (also tracked as **MISTPEN**), which abused the **Microsoft Graph API**, authenticating with access tokens, to retrieve additional payloads, so the retrieval blends into traffic to a legitimate Microsoft cloud service.
## Targeting
- Sectors: Defense, Aerospace (specifically companies involved in UAV technology development), metal engineering.
- Geography: Southeastern Europe and Central Europe.
- Victims: A metal engineering firm, an aircraft parts maker, and a defense company, all supplying military equipment used in Ukraine.
## Tools & Infrastructure
- Malware families used:
- **ScoringMathTea RAT** (Remote Access Trojan, documented since 2023).
- **BinMergeLoader (MISTPEN)** (Malware loader).
- Infrastructure: Command-and-control domains and related tooling are listed in ESET's Indicators of Compromise (IoC) repository on GitHub; they are not reproduced in this summary.
## Implications
Lazarus Group remains persistent in leveraging well-known social engineering campaigns like Operation DreamJob, indicating that job-offer lures still succeed against employees in sensitive sectors despite existing security awareness programs. The focus on UAV technology demonstrates a strategic alignment with North Korea's national security and military objectives (drone arsenal development).
## Mitigations
- Enhance security awareness training focusing specifically on sophisticated spear-phishing and job-offer-themed social engineering lures (Operation DreamJob).
- Enforce application allow-listing and monitor for DLL sideloading and process injection around otherwise legitimate utilities, in particular executables running from user-writable locations (Downloads, Temp) that load unsigned or non-vendor DLLs from their own directory.
- Monitor for command-and-control and payload retrieval over trusted cloud services, such as Microsoft Graph API calls or OAuth token requests originating from processes that have no business reason to use them.
- Treat trojanized copies of popular open-source tools (the MuPDF, Notepad++, WinMerge, TightVNC and libpcre builds used here) as a supply-chain risk: obtain such software only from official channels, verify publisher signatures and hashes before installation, and restrict execution of unsigned binaries. Patching the legitimate product does not help, because the attacker delivers the tampered build.
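The two detection heuristics below are an added example, not code or tooling from the ESET report. They cover the second and third mitigations: image-load records are checked for the DLL sideloading pattern (a trusted executable in a user-writable folder loading a DLL that carries a System32 name but is unsigned or signed by someone other than the vendor), and network-connection records are checked for Graph API or OAuth token traffic from processes not expected to use Microsoft Graph. The sample telemetry, every path and signer string in it, the known-DLL subset and the process allow-list are constructed assumptions, not indicators from the campaign.

```python
"""Two detection heuristics for the TTPs above, run over constructed telemetry.

Added example, not code from the report. Every path, signer and host in the
sample records is constructed; the DLL and process allow-lists are assumptions.
"""
from pathlib import PureWindowsPath

# Locations a standard user can write to; a trojanized tool delivered through a
# job-offer lure typically runs from here rather than from Program Files.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# DLL names Windows normally resolves from System32. Illustrative subset: a real
# deployment would generate this from the KnownDLLs list and a System32 inventory.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# Processes expected to talk to Microsoft Graph on a managed workstation (assumption).
GRAPH_ALLOWED_IMAGES = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe",
                        "winword.exe", "excel.exe"}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_sideload(image_loads):
    """Flag a DLL load when all four sideloading conditions hold.

    Each record mirrors a Sysmon Event ID 7 (ImageLoad): the loading process,
    the loaded image, whether it is signed, and the signer of each.
    """
    alerts = []
    for ev in image_loads:
        proc, dll = ev["process"], ev["image"]
        same_dir = _parent(proc) == _parent(dll)          # resolved from the EXE's own folder...
        system_name = _basename(dll) in SYSTEM_DLL_NAMES  # ...under a name that belongs in System32...
        untrusted = (not ev["signed"]) or ev.get("signer") != ev.get("process_signer")  # ...not the vendor's DLL...
        if same_dir and system_name and untrusted and _user_writable(proc):  # ...from a user-writable path
            alerts.append({"rule": "dll_sideload", "process": proc, "image": dll})
    return alerts


def detect_graph_abuse(connections):
    """Flag Graph/OAuth traffic from processes that have no business using it."""
    alerts = []
    for ev in connections:
        host = ev["dest_host"].lower()
        if host not in GRAPH_HOSTS:
            continue
        proc = ev["process"]
        if _basename(proc) not in GRAPH_ALLOWED_IMAGES or _user_writable(proc):
            alerts.append({"rule": "graph_api_unexpected_process", "process": proc, "dest_host": host})
    return alerts


# Constructed sample telemetry. Vendor/signer strings are placeholders.
IMAGE_LOADS = [
    # Benign: editor in Program Files loading one of its own plugins from a subfolder.
    {"process": r"C:\Program Files\Notepad++\notepad++.exe",
     "image": r"C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll",
     "signed": True, "signer": "ExampleSoft", "process_signer": "ExampleSoft"},
    # Benign: version.dll resolved from System32, as the loader normally does.
    {"process": r"C:\Users\jdoe\Downloads\TightVNC\tvnviewer.exe",
     "image": r"C:\Windows\System32\version.dll",
     "signed": True, "signer": "Microsoft Windows", "process_signer": "ExampleSoft"},
    # Sideload: same name, but an unsigned copy sitting next to the EXE in Downloads.
    {"process": r"C:\Users\jdoe\Downloads\TightVNC\tvnviewer.exe",
     "image": r"C:\Users\jdoe\Downloads\TightVNC\version.dll",
     "signed": False, "signer": None, "process_signer": "ExampleSoft"},
]

CONNECTIONS = [
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "dest_host": "graph.microsoft.com"},
    {"process": r"C:\Users\jdoe\Downloads\TightVNC\tvnviewer.exe", "dest_host": "graph.microsoft.com"},
    {"process": r"C:\Users\jdoe\AppData\Local\Temp\WinMerge\WinMergeU.exe", "dest_host": "login.microsoftonline.com"},
    {"process": r"C:\Windows\System32\svchost.exe", "dest_host": "update.example.com"},
]

if __name__ == "__main__":
    for alert in detect_sideload(IMAGE_LOADS) + detect_graph_abuse(CONNECTIONS):
        print(alert)
```

Only the third image load fires: the same DLL name resolved from System32 is left alone, and a vendor plugin loaded from a Program Files subfolder is not in the same directory as the executable. On the network side both the Graph call and the token request from tools in Downloads and Temp are flagged while Outlook's Graph traffic passes. In production these rules belong in the EDR or SIEM query language, with the allow-lists built from the environment rather than hard-coded.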