Inside Lazarus’s Latest Heist: Europe’s Drone Secrets Under Fire



A hacking group tied to North Korea has shifted its focus to Europe’s growing drone industry, targeting defence companies through fake recruitment offers. The campaign, uncovered by security researchers, appears to be the latest phase of the long-running Operation DreamJob scheme.

Defence Companies In The Firing Line

Several European firms were caught in the group’s sights earlier this year. They included a metal engineering business in Southeastern Europe, an aircraft component manufacturer, and a Central European defence company. Two of them have direct links to UAV design and production, making them particularly attractive to anyone looking to steal drone technology.

Each target received what seemed to be an enticing job opportunity. Behind the glossy offer letters and attachments, though, were malicious files disguised as document readers. Once opened, these files installed malware that handed attackers full access to the victim’s system.

The malware, known as ScoringMathTea, has been used in similar operations since 2022. It can take control of a device, copy or delete files, and quietly send data back to servers controlled by the hackers.

Interest In Drone Technology

Investigators believe this latest wave of attacks fits neatly with North Korea’s current ambitions. The country has been pouring resources into expanding its domestic drone programme, reportedly drawing lessons from current conflicts and looking to replicate foreign designs.

The discovery of a malicious file labelled DroneEXEHijackingLoader.dll strongly hints that UAV-related information was a main target. Researchers believe the hackers were attempting to obtain blueprints, production techniques, or software code that could strengthen their own drone development.

How The Hack Worked

Instead of building new malware from scratch, Lazarus inserted its code into existing open-source software. These altered programs looked legitimate, helping them slip past basic security checks. When launched, they secretly loaded the real payload into memory, keeping it hidden from most antivirus tools.

The group also used a tactic called DLL side-loading, where a trustworthy program is tricked into running a malicious library file. It’s a technique Lazarus has used before and one that remains hard to detect.

While the tools themselves have been updated with new libraries and encryption methods, the overall playbook remains the same: lure the victim with a job offer, install the malware, and steal whatever data can be reached.
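As a defender's view of the DLL side-loading step described above, the following added example (not from the researchers or the original article) flags module loads where a signed program pulls an unsigned DLL from its own user-writable folder. The event records, field names, paths and the list of writable locations are all constructed assumptions for illustration.

```python
import ntpath  # applies Windows path rules on any OS

# Assumed list of locations a standard user can write to; tune per environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed, simplified module-load records (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": r"C:\Program Files\Reader\reader.exe", "host_signed": True,
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
    {"host": r"C:\Users\alice\Downloads\offer\reader.exe", "host_signed": True,
     "dll": r"C:\Users\alice\Downloads\offer\helper.dll", "dll_signed": False},
    {"host": r"C:\Program Files\Vendor\app.exe", "host_signed": True,
     "dll": r"C:\Program Files\Vendor\plugin.dll", "dll_signed": False},
]


def in_user_writable(path):
    """True if the path contains one of the assumed user-writable markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def sideload_findings(events):
    """Return (host, dll, reasons) for loads matching both side-loading signals."""
    findings = []
    for ev in events:
        host, dll = ev["host"], ev["dll"]
        same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
        reasons = []
        # Signal 1: a trusted (signed) program loads a library with no signature.
        if ev["host_signed"] and not ev["dll_signed"]:
            reasons.append("signed host loads unsigned DLL")
        # Signal 2: the library sits next to the program somewhere users can write.
        if same_dir and in_user_writable(dll):
            reasons.append("DLL sits beside host in a user-writable folder")
        # Require both signals to keep noise from unsigned vendor plugins down.
        if len(reasons) == 2:
            findings.append((host, dll, reasons))
    return findings


if __name__ == "__main__":
    for host, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {'; '.join(reasons)}")
```

Requiring both signals is a trade-off: it suppresses the unsigned plugin under Program Files, but it would also miss a side-loaded DLL that carries a valid signature.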

Broader Implications

The campaign’s timing has raised eyebrows. Some of the targeted firms produce parts used in weapons systems currently active in Ukraine, where North Korea is believed to be cooperating with Russia. Access to sensitive manufacturing data or UAV design files could provide a valuable shortcut for the regime’s own military development.

Despite years of warnings about such social-engineering tactics, the attack reveals that fake recruitment messages still work. Defence and technology firms continue to be among the most heavily targeted industries, and remain vulnerable when even one employee opens the wrong file.

A Familiar Pattern, Evolving Slowly

For almost three years, Operation DreamJob has relied on the same formula: pose as a recruiter, send a convincing offer, and deliver malware hidden inside everyday tools. This steady, low-profile approach has proven effective enough for Lazarus to keep using it.

With North Korea accelerating its drone production, security analysts expect that any organisation connected to UAV research, manufacturing, or supply chains will remain firmly in the group’s crosshairs.


