How Lazarus Group used fake job ads to spy on Europe’s drone and defense sector

ESET researchers have uncovered a fresh wave of Operation DreamJob, a long-running campaign linked to North Korea’s Lazarus Group. This latest activity targeted several European defense contractors, including firms deeply involved in drone and UAV development, which may point to a connection with Pyongyang’s push to expand its drone capabilities.

According to ESET, the attackers went after three defense companies in Central and Southeastern Europe, likely gaining initial access through carefully crafted social engineering lures. Once inside, they deployed a remote-access trojan (RAT) known as ScoringMathTea, which gives the attackers control of the infected systems. The researchers believe the main goal was to steal proprietary data and sensitive manufacturing know-how.

Luring victims with fake dream jobs

In the latest Operation DreamJob campaign, attackers once again leaned on their signature trick: the promise of a dream job that doesn’t exist. Victims receive what looks like a legitimate job offer, complete with a detailed description and a PDF reader to view it, except that “reader” is actually laced with malware.

According to ESET Research, this operation bears all the hallmarks of Lazarus, the North Korea–aligned group long known for using fake recruitment schemes to compromise targets in the aerospace, defense, and engineering sectors.

A focus on Europe’s defense industry

The three companies hit in this wave manufacture various types of military equipment and components, many of which are now being used in Ukraine as part of Europe’s ongoing military support.

When this activity took place, North Korean troops were reportedly stationed in Russia, assisting Moscow’s defense efforts in the Kursk region. That timing raises the possibility that Operation DreamJob was an intelligence-gathering mission aimed at Western-made weapons systems currently deployed in the war.

The drone connection

More broadly, the targeted firms produce equipment types that North Korea also manufactures domestically, suggesting Pyongyang could be looking to improve its own designs through stolen know-how. The interest in UAV technology stands out, echoing recent reports that North Korea is pouring resources into building its own drone industry, often by reverse-engineering foreign systems and stealing intellectual property to accelerate development.

“We believe that it is likely that Operation DreamJob was – at least partially – aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The drone mention observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks. “We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, ESET cyberthreat analyst.

ScoringMathTea: Lazarus’s go-to malware

Lazarus attackers regularly deploy custom backdoors against multiple targets, which means their tools often get exposed and detected over time. To counter this, the group layers its attack chain with droppers, loaders, and lightweight downloaders before the main payload executes. In a clever twist, the attackers have even embedded their malicious code into legitimate open-source projects found on GitHub.

Figure: Examples of 2025 Operation DreamJob execution chains delivering ScoringMathTea

The centerpiece of this campaign is ScoringMathTea, a RAT capable of executing about 40 different commands. It first appeared in October 2022 in samples uploaded from Portugal and Germany, disguised as an Airbus-themed job offer. The malware can manipulate files and processes, change configurations, collect system information, open TCP connections, and execute commands or new payloads from its command-and-control server.

According to ESET telemetry, ScoringMathTea has been used in attacks against an Indian technology company in January 2023, a Polish defense firm in March 2023, a British industrial automation company in October 2023, and most recently, an Italian aerospace company in September 2025. It has become one of the flagship payloads of the Operation DreamJob campaigns.

One of the most notable developments in this latest wave of attacks is Lazarus’s use of new libraries for DLL proxying and its selection of fresh open-source projects to compromise, improving its ability to evade detection. “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred payload, ScoringMathTea, and using similar methods to trojanize open-source applications. This predictable yet effective approach delivers enough variation to slip past many defenses, even if it cannot fully hide the group’s identity or erase attribution,” said Kálnai.
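The two techniques the article names, a trojanized "PDF reader" delivered alongside a job offer and DLL proxying in front of the real payload, leave a recognizable footprint in image-load telemetry: a DLL carrying a system library's name is loaded from the same user-writable folder as a freshly downloaded executable instead of from the Windows system directory. The heuristic below is an added example written for this page; it is not ESET's detection logic and not code from the report. It assumes a simplified key/value log format (constructed here, not Sysmon's real XML) and a small, illustrative allowlist of system DLL names and system directories.

```python
"""Heuristic triage of image-load events for DLL proxying / sideloading candidates.

Added example, not from the original article. Input format and allowlists are
assumptions: a real deployment would feed Sysmon Event ID 7 (ImageLoad) data and a
full inventory of signed system DLLs.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: directories from which Windows system DLLs are legitimately loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: a few system DLL names commonly seen in side-loading; illustrative only.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll", "cryptsp.dll"}

# Path fragments that mark user-writable locations where a "dream job" archive would land.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\public\\")


@dataclass
class ImageLoad:
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the loaded DLL
    signed: bool   # whether the loaded DLL carried a valid signature


# Constructed log format: Key="value" pairs, values quoted so paths may contain spaces.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed image-load record into an ImageLoad."""
    fields = dict(FIELD_RE.findall(line))
    return ImageLoad(
        process=fields["Image"],
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "true").lower() == "true",
    )


def is_system_dir(path: str) -> bool:
    """True when the file sits in (or under) a trusted system directory."""
    d = ntpath.dirname(path).lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    """True when the path passes through a typical user-writable location."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def flag_reasons(ev: ImageLoad) -> list:
    """Return the list of heuristic reasons this load looks like DLL proxying/sideloading."""
    name = ntpath.basename(ev.image).lower()
    reasons = []
    # A well-known system DLL name resolved outside the system directory: the classic
    # search-order hijack that a proxy DLL relies on to sit in front of the real library.
    if name in KNOWN_SYSTEM_DLLS and not is_system_dir(ev.image):
        reasons.append("system DLL name loaded from non-system directory")
        if not ev.signed:
            reasons.append("unsigned copy of a system DLL name")
    # The DLL lives next to the executable, and both live where a user just dropped them.
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.process).lower()
    if same_dir and in_user_writable(ev.process):
        reasons.append("side-by-side DLL in user-writable process directory")
    return reasons


def analyze(lines: list) -> list:
    """Run the heuristics over raw log lines; return (dll_path, reasons) for each hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = flag_reasons(ev)
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample telemetry: one suspicious load, three benign ones.
SAMPLE_EVENTS = [
    r'Image="C:\Users\alice\Downloads\JobOffer\PDFReader.exe" ImageLoaded="C:\Users\alice\Downloads\JobOffer\version.dll" Signed="false"',
    r'Image="C:\Users\alice\Downloads\JobOffer\PDFReader.exe" ImageLoaded="C:\Windows\System32\version.dll" Signed="true"',
    r'Image="C:\Program Files\Vendor\App.exe" ImageLoaded="C:\Program Files\Vendor\helper.dll" Signed="true"',
    r'Image="C:\Windows\explorer.exe" ImageLoaded="C:\Windows\System32\dwmapi.dll" Signed="true"',
]

if __name__ == "__main__":
    for dll, reasons in analyze(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

Only the first record is flagged, with all three reasons; the legitimate `version.dll` load from System32 by the same process is not, which is the point of checking the resolved path rather than the DLL name alone. Tuning the allowlists to your own signed-DLL inventory is what turns this from a triage sketch into a usable rule.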
