- Lazarus Group used fake job offers to infect drone companies in southeastern Europe with malware
- The attackers stole proprietary data from the UAV and implemented a RAT for full control of the system.
- Guided drones are used in Ukraine; North Korea is developing similar aircraft.
North Korea’s infamous state-sponsored threat actors Lazarus Group have been targeting Southeast European defense companies with their Operation DreamJob scams.
ESET security researchers say the goal of the attacks was to steal knowledge and other proprietary information about unmanned aerial vehicles (UAVs) and drones.
Lazarus is known for his work supporting North Korea’s weapons development program. This is usually done by attacking crypto companies, stealing money, and then using it to fund research and development. In this case the operation is somewhat different, but the objective is the same.
ScoreMathematicsTea
Operation DreamJob is Lazarus’ signature move. The group would create fake companies, fake people, and fake jobs, and then reach out to their targets, offering lucrative positions.
People who take the bait are often invited to multiple rounds of “job interviews” and tests, where they are asked to download PDFs, programs, apps, and code.
However, instead of completing any “test,” victims would simply download malware.
ESET says the attacks took place around the same time that North Korean soldiers were in Russia, helping the Russian military in the Kursk region, i.e. in late 2024. At least three companies were breached and information on how to build drones was stolen.
The researchers explained that North Korea is building its own drones and that many of the materials used in Eastern European drones are also used in North Korea. They also explained that many of the drones designed in Eastern Europe are being used in the Ukrainian war, so they were of special interest to Lazarus.
After breaching their targets, the attackers would deploy ScoringMathTea, a Remote Access Trojan (RAT) that grants full control over the compromised machine.
“We believe that it is likely that Operation DreamJob was aimed, at least partially, at stealing proprietary information and manufacturing know-how related to UAVs. The mention of the drone observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks.
“We have found evidence that one of the targeted entities is involved in the production of at least two models of unmanned aerial vehicles currently used in Ukraine and that North Korea may have encountered on the front lines. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, ESET cyber threat analyst.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
The best antivirus for all budgets
