How Lazarus Group lured European defense engineers with fake job offers, hijacked legitimate software, and stealthily stole critical drone manufacturing secrets to fuel North Korea's military ambitions

Continue reading
In a stunning revelation that blurs the line between cybercrime and international espionage, security researchers have uncovered a sprawling North Korean hacking campaign targeting the heart of Europe's defense industry. The mission: steal critical drone technology by offering engineers the one thing they couldn't resist—a perfect career opportunity.
The operation, dubbed "Operation DreamJob" by analysts at ESET who discovered it, relied not on a complex digital break-in, but on a timeless con: social engineering. Attackers from the infamous Lazarus Group meticulously posed as recruiters from legitimate, well-known aerospace and defense companies.
They sent highly targeted spear-phishing emails to key engineers and technical staff, containing compelling job descriptions. The catch was a malicious file, often disguised as a necessary "PDF reader" or document viewer required to see the full offer. With a single click from an unsuspecting target, the digital heist began.
Once executed, the attack unfolded with chilling precision. The initial file employed a sophisticated technique known as "DLL side-loading," which essentially tricks a trusted, legitimate application into secretly loading malicious code. This allows the hackers to bypass standard security defenses completely undetected.
In a brazen move to appear legitimate, the hackers weaponized trust itself. They hijacked popular open-source software like Notepad++ and WinMerge, embedding their malicious payloads into these benign, everyday tools. They then distributed these trojanized versions through platforms like GitHub, creating a perfect illusion of authenticity for anyone who downloaded them.
The ultimate goal of this multi-stage infiltration was to deploy a powerful, custom-built Remote Access Trojan (RAT) known as "ScoringMathTea." This sophisticated malware provides the attackers with complete, remote control over the compromised computer.
From there, Lazarus operatives could move silently through corporate networks for months, identifying and exfiltrating priceless intellectual property: design schematics, proprietary manufacturing processes, and technical know-how directly related to unmanned aerial vehicle (UAV) technology. The intelligence gain for North Korea's military drone program is immeasurable, allowing them to leapfrog years of costly and complex research and development.
Operation DreamJob is more than a cyberattack; it's a clear signal of how state-sponsored espionage has evolved. By targeting the foundational knowledge of military technology, North Korea is directly augmenting its military capabilities through theft.
The campaign serves as a critical warning for defense contractors and technology firms worldwide: the human firewall is the first and most important line of defense. Vigilance against sophisticated social engineering, rigorous verification of software sources, and advanced threat-hunting for these specific stealth techniques are no longer optional—they are essential to safeguarding national security in the digital age.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation