North Korean Lazarus Hackers Target European Defense Firms

Summary
– North Korean Lazarus hackers targeted three European defense companies through Operation DreamJob, using fake recruitment lures to compromise their systems.
– The campaign focused on organizations involved in unmanned aerial vehicle (UAV) technology, aligning with North Korea’s efforts to build a drone arsenal.
– Attackers used trojanized applications and DLL sideloading to deploy malware, including the ScoringMathTea RAT, which provides extensive remote control capabilities.
– Operation DreamJob is a long-running tactic that has previously targeted cryptocurrency firms, software developers, and defense sectors, remaining effective despite exposure.
– ESET identified the attack chains and provided indicators of compromise but did not confirm the success of the hacks on the targeted companies.
European defense companies specializing in unmanned aerial vehicle (UAV) technology have become the latest targets of North Korea’s notorious Lazarus hacking group. In a campaign security researchers have named Operation DreamJob, the state-sponsored actors compromised three separate firms through deceptive recruitment offers. The activity, detected in late March, demonstrates a strategic focus on military drone development at a time when North Korea is actively expanding its own drone capabilities.
This long-running operation sees Lazarus operatives impersonate recruiters from well-known corporations, whether real or fabricated. They approach employees at targeted organizations with enticing job opportunities for high-level positions. Once the targets take the bait, they are manipulated into downloading files that appear legitimate but actually contain malware, granting the hackers a foothold inside the company’s network.
While this method has previously been deployed against cryptocurrency platforms, software developers, and aerospace entities, the current wave zeroes in on UAV technology. Cybersecurity firm ESET notes this aligns with geopolitical trends, coinciding with North Korea’s intensified efforts to build a drone arsenal reportedly modeled after Western designs.
The campaign specifically singled out manufacturers of critical drone components. According to ESET's findings, the attacks successively hit a metal engineering company in Southeastern Europe, an aircraft parts producer, and a defense contractor in Central Europe. All three supply military equipment currently deployed in Ukraine as part of international aid packages. Two of the firms play direct roles in UAV development: one produces essential drone hardware, while the other develops specialized software for unmanned systems. ESET has not disclosed whether the intrusions were ultimately successful.
Investigating the infection process, researchers found that it begins when the victim launches a trojanized build of an open-source application or plugin. Programs abused in this way include the MuPDF viewer, Notepad++, WinMerge plugins, TightVNC Viewer, libpcre, and various DirectX wrappers. The attackers rely on DLL sideloading: the legitimate executable is shipped together with a malicious DLL that carries the name of a library the program expects to load, so the normal Windows DLL search order resolves to the attacker's file first and the trusted process loads the malicious DLL or dropper itself. No vulnerability in the application is exploited; the operating system performs an ordinary library load, which is why the activity raises little suspicion from users or from tools that trust the signed host process.
Subsequently, the payload is decrypted and injected directly into memory using MemoryModule-style routines. The final stage deploys the ScoringMathTea RAT (Remote Access Trojan), which connects to a command-and-control server and awaits instructions from the attackers. In some cases, an alternative loader known as BinMergeLoader (MISTPEN) is used instead; this tool abuses the Microsoft Graph API and authentication tokens to fetch additional malicious payloads.
The ScoringMathTea RAT, first identified in 2023, now supports approximately 40 distinct commands in its most recent iteration. This grants Lazarus operators extensive control over compromised systems, enabling activities from command execution and file manipulation to deploying further malware. The RAT’s capabilities include managing files and processes, exchanging configuration data, gathering system information, establishing TCP connections, and running commands or new payloads retrieved from the C2 server.
Despite repeated public disclosures about Operation DreamJob’s tactics and social engineering approaches, the campaign remains a consistently effective tool for North Korean threat actors. ESET has released a comprehensive set of indicators of compromise, including domains and malicious tools associated with this latest series of attacks against European defense sector organizations.
(Source: Bleeping Computer)


