- The Lazarus Group used fake job offers to infect Southeast European drone companies with malware.
- The attackers stole proprietary drone data and deployed a RAT for full control of the compromised system.
- The targeted drones are used in Ukraine; North Korea is developing similar aircraft.
The infamous North Korean state-sponsored Lazarus Group targets defense companies in Southeast Europe with its Operation DreamJob scams.
ESET security researchers say the aim of the attacks was to steal know-how and other proprietary information about unmanned aerial vehicles (UAVs) and drones.
Lazarus is known for its work supporting North Korea’s weapons development program. This is usually done by attacking crypto companies, stealing money, and then using it to fund research and development. In this case, the operation is somewhat different, but the goal is the same.
ScoringMathTea
Operation DreamJob is Lazarus’ signature campaign. The group would create fake companies, fake personas and fake jobs, then approach their targets with offers of lucrative positions.
People who take the bait are usually invited to several rounds of “job interviews” and trials, during which they are asked to upload PDFs, programs, applications and code.
However, instead of actually performing “testing”, victims would simply download malware.
ESET says the attacks took place around the same time North Korean soldiers were in Russia helping the Russian military in the Kursk region, which was in late 2024. At least three companies were hacked and information on how to build drones was stolen.
The researchers explained that North Korea builds its own drones and that many of the materials used in Eastern European drones are also used in North Korea. They also explained that many drones designed in Eastern Europe are used in the war in Ukraine, which is why they are of particular interest to Lazarus.
After breaching their targets, attackers would deploy ScoringMathTea, a remote access Trojan (RAT) that grants full control over the compromised machine.
“We believe it is likely that Operation DreamJob was aimed – at least in part – at stealing proprietary information and manufacturing know-how regarding drones. The mention of drone observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks.
“We found evidence that one of the targeted entities is involved in the production of at least two models of drones currently used in Ukraine, and which North Korea may have encountered on the front lines. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, ESET cyber threat analyst.




