Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.
“Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News.
It is assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025.
Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.
While ScoringMathTea (aka ForestTiger) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022.
Operation Dream Job, first exposed by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacking group is believed to have been operational since at least 2009.
In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star.
“The dominant theme is a lucrative but fake job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.
The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads.
Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take full control over the compromised machines.
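For defenders, the sideload-then-Graph behavior described above can be hunted by correlating image-load and DNS telemetry per process. The following is an added example, not taken from ESET's report: the Sysmon-style records, paths, file names, the simplified `guid` key and the heuristic itself are assumptions constructed for illustration.

```python
import ntpath

# Constructed Sysmon-style events (Event ID 7 = image load, 22 = DNS query).
# Every path, file name and process GUID below is invented sample data.
EVENTS = [
    {"id": 7, "guid": "A1", "Image": r"C:\Users\user1\Downloads\Offer\PdfViewer.exe",
     "ImageLoaded": r"C:\Users\user1\Downloads\Offer\libhelper.dll", "Signed": "false"},
    {"id": 22, "guid": "A1", "Image": r"C:\Users\user1\Downloads\Offer\PdfViewer.exe",
     "QueryName": "graph.microsoft.com"},
    {"id": 7, "guid": "B2", "Image": r"C:\Program Files\Mail\mail.exe",
     "ImageLoaded": r"C:\Program Files\Mail\core.dll", "Signed": "true"},
    {"id": 22, "guid": "B2", "Image": r"C:\Program Files\Mail\mail.exe",
     "QueryName": "graph.microsoft.com"},
    {"id": 7, "guid": "C3", "Image": r"C:\Users\user1\AppData\Local\Tool\tool.exe",
     "ImageLoaded": r"C:\Users\user1\AppData\Local\Tool\plugin.dll", "Signed": "false"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
GRAPH_HOSTS = {"graph.microsoft.com"}

def is_sideload_candidate(ev):
    """Unsigned DLL loaded from the EXE's own, user-writable directory."""
    exe_dir = ntpath.dirname(ev["Image"]).lower() + "\\"
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
    return (ev["Signed"].lower() != "true"
            and exe_dir == dll_dir
            and any(part in exe_dir for part in USER_WRITABLE))

def find_sideload_then_graph(events):
    """Return (guid, exe, dll) for processes that load a sideload candidate
    and later resolve a Microsoft Graph host. Events must be in time order."""
    suspects, hits, seen = {}, [], set()
    for ev in events:
        if ev["id"] == 7 and is_sideload_candidate(ev):
            suspects.setdefault(ev["guid"], ev["ImageLoaded"])
        elif ev["id"] == 22 and ev["QueryName"].lower().rstrip(".") in GRAPH_HOSTS:
            guid = ev["guid"]
            if guid in suspects and guid not in seen:
                seen.add(guid)
                hits.append((guid, ev["Image"], suspects[guid]))
    return hits

if __name__ == "__main__":
    for guid, exe, dll in find_sideload_then_graph(EVENTS):
        print(f"[review] {guid}: {exe} loaded {dll} then queried Microsoft Graph")
```

Neither signal is conclusive alone: legitimate applications call Microsoft Graph and some ship unsigned DLLs, so the value is in the conjunction within one process.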
“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”




