- The Lazarus Group used fake job offers to infect Southeast European drone companies with malware
- Attackers stole proprietary UAV data and deployed a RAT for full system control
- Targeted drones are used in Ukraine; North Korea is developing similar aircraft
Notorious North Korean state-sponsored threat actors, the Lazarus Group, have targeted Southeast European defense firms with their Operation DreamJob scam.
Security researchers at ESET claim that the goal of the attacks was to steal know-how and other proprietary information about unmanned aerial vehicles (UAV) and drones.
Lazarus is known for its work supporting North Korea’s weapons development program. This is usually done by attacking crypto companies, stealing money and then using it to fund research and development. In this case, the operation is somewhat different, but the goal is the same.
ScoringMathTea
Operation DreamJob is Lazarus’ signature tactic. The group creates fake companies, fake personas and fake jobs, then reaches out to its targets and offers lucrative positions.
People who take the bait are usually invited to several rounds of “job interviews” and tests, where they are asked to download PDFs, programs, apps and code.
But instead of actually completing any “tests,” victims simply download malware.
ESET says the attacks took place around the same time that North Korean soldiers were in Russia helping the Russian army in the Kursk region, which was in late 2024. At least three businesses were breached and information on how to build drones was stolen.
The researchers explained that North Korea builds its own drones and that many of the materials used in Eastern European drones are also used in North Korea. They also explained that many of the drones designed in Eastern Europe are being used in the Ukrainian war, which is why they were of particular interest to Lazarus.
After breaching their target, the attackers would deploy ScoringMathTea, a remote access trojan (RAT) that provides full control over the compromised machine.
“We believe it is likely that Operation DreamJob – at least in part – was aimed at stealing proprietary information and manufacturing know-how regarding UAVs. The drone talk observed in one of the drops significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks.
“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models currently employed in Ukraine, which North Korea may have encountered on the front lines. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, cyberthreat analyst at ESET.



