North Korean Hackers Attacking Unmanned Aerial Vehicle Industry to Steal Confidential Data


North Korean state-sponsored hackers from the Lazarus APT group launched a cyberespionage campaign targeting European companies involved in unmanned aerial vehicle development.

Starting in late March 2025, attackers compromised three defense organizations across Central and Southeastern Europe, deploying advanced malware to steal proprietary UAV technology.

The campaign, tracked as Operation DreamJob, employed social engineering using fraudulent job offers to gain initial access.

The attacks focused on companies manufacturing drone components and developing UAV software, aligning with North Korea’s efforts to expand its drone program.

Researchers discovered that compromised systems contained malicious droppers with the internal DLL name DroneEXEHijackingLoader.dll, providing evidence of the campaign’s focus on drone technology theft.

Targets received fake job descriptions with trojanized PDF readers that initiated multi-stage infection processes.


Welivesecurity analysts identified the main payload as ScoringMathTea, a sophisticated remote access trojan serving as Lazarus’s flagship malware since late 2022.

The RAT provides comprehensive control over compromised machines through approximately 40 commands, enabling file manipulation, process control, and data exfiltration.

ScoringMathTea maintains communication with command-and-control infrastructure through compromised servers hosted within WordPress directories.

The malware’s C&C traffic employs multiple encryption layers, utilizing the IDEA algorithm followed by base64 encoding.

Figure: Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea (Source – Welivesecurity)

Network analysis revealed connections to compromised domains including coralsunmarine[.]com, mnmathleague[.]org, and spaincaramoon[.]com.
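The description above (C&C hosted under WordPress directories on compromised servers, traffic wrapped in a cipher layer and then base64) suggests a simple network triage heuristic. The following is an added example written for this article, not code from Welivesecurity or from the malware analysis: it scores constructed HTTP request records on three signals, a host on the watchlist of domains the article lists (kept defanged as published), a PHP endpoint under a WordPress directory, and a POST body that strictly base64-decodes to high-entropy binary rather than text. The request records, the request shape, and the entropy threshold are assumptions for the demonstration.

```python
import base64
import binascii
import math
import random

# Domains listed in the article, kept defanged exactly as published.
WATCHLIST = {"coralsunmarine[.]com", "mnmathleague[.]org", "spaincaramoon[.]com"}
WORDPRESS_DIRS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decoded_binary(body):
    """Strictly base64-decode the body. Return the bytes only if they are not plain UTF-8 text."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        raw.decode("utf-8")
        return None  # decodes cleanly as text: an encoded form field, not a cipher layer
    except UnicodeDecodeError:
        return raw


def triage_request(req):
    """Return the list of C2-like indicators triggered by one request record."""
    reasons = []
    # Normalise the logged host to the defanged form used in the watchlist.
    host = req["host"].replace("[.]", ".").replace(".", "[.]")
    if host in WATCHLIST:
        reasons.append("host on watchlist")
    path = req["path"]
    if any(d in path for d in WORDPRESS_DIRS) and path.endswith(".php"):
        reasons.append("PHP endpoint under a WordPress directory")
    raw = decoded_binary(req.get("body", ""))
    # Short bodies cannot reach high entropy, so require a minimum size (assumed threshold).
    if req["method"] == "POST" and raw is not None and len(raw) >= 256:
        ent = shannon_entropy(raw)
        if ent > 7.0:
            reasons.append(f"base64 body decodes to high-entropy binary ({ent:.2f} bits/byte)")
    return reasons


# Constructed sample: 2048 deterministic pseudorandom bytes stand in for a ciphertext layer.
_rng = random.Random(1234)
_FAKE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(2048))

# Constructed request records (hosts, paths and bodies are invented for this example,
# except the watchlist domain, which is from the article).
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "example-corp.test",
     "path": "/wp-content/uploads/2025/03/brochure.pdf", "body": ""},
    {"method": "POST", "host": "intranet.example.test", "path": "/api/v1/notes",
     "body": base64.b64encode(b'{"note": "weekly status", "owner": "jdoe"}').decode()},
    {"method": "POST", "host": "coralsunmarine[.]com",
     "path": "/wp-content/plugins/cache/update.php",
     "body": base64.b64encode(_FAKE_CIPHERTEXT).decode()},
]


def triage_all(requests):
    """Return (record index, reasons) for every record with at least one indicator."""
    return [(i, r) for i, r in ((i, triage_request(q)) for i, q in enumerate(requests)) if r]


if __name__ == "__main__":
    for idx, reasons in triage_all(SAMPLE_REQUESTS):
        print(f"request {idx}: " + "; ".join(reasons))
```

A single signal is weak on its own (plenty of legitimate sites post binary data to PHP endpoints); the value is in the combination, and a watchlist hit should be treated as the strongest of the three.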

Advanced Infection Mechanism and Evasion Tactics

The Lazarus group demonstrated technical sophistication by incorporating malicious loading routines into legitimate open-source projects from GitHub.

Attackers trojanized software including TightVNC Viewer, MuPDF reader, and plugins for WinMerge and Notepad++.

This gives the attackers a dual advantage: the malware inherits the legitimate appearance of a trusted application while executing its malicious payload.

The infection chain employs DLL side-loading and proxying techniques. Legitimate executables such as wksprt.exe and wkspbroker.exe side-load malicious libraries like webservices.dll and radcui.dll.

These compromised DLLs contain two export sets: functions for proxying to preserve application behavior, and malicious code loading subsequent stages.
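The side-loading pattern described above leaves a characteristic trace in image-load telemetry. The following detection logic is an added example written for this article, not code from Welivesecurity or from any vendor product: it runs over constructed Sysmon Event ID 7 (ImageLoad) style records and flags the two host executables and two library names the article mentions when they appear outside their normal location or with a signature that does not verify. That wksprt.exe, wkspbroker.exe, webservices.dll and radcui.dll normally reside under System32 is general Windows knowledge rather than a claim from the report, and the record format, paths and user name are invented for the demonstration.

```python
import ntpath

# Host executables named in the report as DLL side-loading hosts, and the library
# names they were seen loading. All four are legitimate Windows components that
# normally reside under %SystemRoot%\System32 (assumption from general Windows
# knowledge, not stated in the report).
SIDELOAD_HOSTS = {"wksprt.exe", "wkspbroker.exe"}
SYSTEM_DLLS = {"webservices.dll", "radcui.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, flattened to key=value pairs.
# Paths and the user name are invented for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\wksprt.exe|ImageLoaded=C:\Windows\System32\webservices.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\jdoe\AppData\Local\Temp\JobOffer\wksprt.exe|ImageLoaded=C:\Users\jdoe\AppData\Local\Temp\JobOffer\webservices.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Users\jdoe\Downloads\wkspbroker.exe|ImageLoaded=C:\Users\jdoe\Downloads\radcui.dll|Signed=true|SignatureStatus=Invalid",
    r"Image=C:\Program Files\Example\app.exe|ImageLoaded=C:\Program Files\Example\helper.dll|Signed=true|SignatureStatus=Valid",
]


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def check_event(event):
    """Return the list of side-loading indicators triggered by one ImageLoad event."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_name, host_dir = ntpath.basename(host).lower(), ntpath.dirname(host).lower()
    dll_name, dll_dir = ntpath.basename(dll).lower(), ntpath.dirname(dll).lower()
    reasons = []
    # 1. A library carrying the name of a System32 DLL is loaded from somewhere else.
    if dll_name in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{dll_name} loaded from non-system directory {dll_dir}")
    # 2. A known side-loading host runs from a copy outside its normal location
    #    (the signed binary is staged next to the rogue DLL so the loader's search
    #    order resolves the rogue copy first).
    if host_name in SIDELOAD_HOSTS and host_dir not in SYSTEM_DIRS:
        reasons.append(f"{host_name} executing from {host_dir}")
    # 3. The library loaded by a side-loading host is unsigned or its signature fails.
    if host_name in SIDELOAD_HOSTS and event.get("SignatureStatus") != "Valid":
        reasons.append(f"{dll_name} signature status {event.get('SignatureStatus')}")
    return reasons


def detect_sideloading(lines):
    """Return (record index, reasons) for every record that triggers at least one indicator."""
    findings = []
    for idx, line in enumerate(lines):
        reasons = check_event(parse_event(line))
        if reasons:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in detect_sideloading(SAMPLE_EVENTS):
        print(f"record {idx}:")
        for reason in reasons:
            print("   ", reason)
```

The first and second indicators fire independently of signature data, which matters because a proxying DLL that forwards the real exports keeps the host application working normally, so the only visible anomaly is often the location it was loaded from.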

The malware employs robust encryption throughout the infection lifecycle. Early-stage droppers retrieve encrypted payloads from the file system or the registry, decrypt them using AES-128 or ChaCha20, then load them into memory.

The loaders leverage the MemoryModule library for reflective DLL loading, allowing code execution entirely in memory without writing the decrypted components to disk.
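When an analyst has pulled an encrypted blob out of a file or registry value and recovered the key material from the dropper, the usual check is to decrypt it and verify that a PE image comes out. The following is an added example written for this article, not code from Welivesecurity or from the malware itself: it carries a pure-Python ChaCha20 (RFC 8439), a minimal PE header check, and a recovery function that returns the plaintext only when it validates. The key, nonce, and the stub "DLL" used as sample input are constructed for the demonstration; nothing here loads the result.

```python
import struct


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439: 32-byte key, 32-bit counter, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column rounds + 10 diagonal rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def looks_like_pe(blob):
    """Minimal PE sanity check: 'MZ' magic, e_lfanew in range, 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_staged_payload(blob, key, nonce):
    """Decrypt a blob taken from disk or the registry with a candidate key and nonce.
    Return the plaintext only if it validates as a PE image, otherwise None."""
    if looks_like_pe(blob):
        return blob  # already plain; nothing to decrypt
    plain = chacha20_xor(key, nonce, blob)
    return plain if looks_like_pe(plain) else None


def build_sample_pe_stub():
    """Constructed stand-in for a staged DLL: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub += b"\x00" * (0x80 - len(stub)) + b"PE\x00\x00" + b"\x00" * 60
    return bytes(stub)


# Constructed key and nonce for the demonstration; a real dropper carries its own.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes.fromhex("000000000000004a00000000")
# The "registry value" an analyst would have exported: the stub encrypted under the sample key.
SAMPLE_BLOB = chacha20_xor(SAMPLE_KEY, SAMPLE_NONCE, build_sample_pe_stub())


if __name__ == "__main__":
    print("blob looks like PE before decryption:", looks_like_pe(SAMPLE_BLOB))
    recovered = recover_staged_payload(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_NONCE)
    print("recovered PE image:", recovered is not None, "size", len(recovered or b""))
```

The PE check is deliberately strict about the signature rather than only the "MZ" magic: a wrong key turns the blob into noise, and two fixed bytes at a pointer-selected offset are a far better validator than two bytes at offset zero.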
