
In August 2025, a sophisticated cyber attack targeted an Asian subsidiary of a large European manufacturing organization through a deceptive job offer scheme.
The intrusion campaign, identified as Operation DreamJob, demonstrates how threat actors continue to refine social engineering techniques to compromise high-value targets within the manufacturing sector.
This attack specifically exploited WhatsApp Web messaging to deliver malicious payloads disguised as legitimate employment opportunities.
The attack began when a project engineer received a targeted WhatsApp Web message containing what appeared to be a job-related document.
The message encouraged the recipient to download and extract a ZIP archive, which contained three components: a malicious PDF file, a legitimate open-source document viewer called SumatraPDF.exe, and a malicious DLL file named libmupdf.dll.
This combination weaponized a trusted application through DLL sideloading, where the legitimate executable unknowingly loaded the malicious library.
Orange Cyberdefense security analysts investigated the incident and attributed the attack with medium confidence to the North Korean UNC2970 threat cluster.
Their analysis revealed that the intrusion leveraged sophisticated malware variants, specifically BURNBOOK and MISTPEN, alongside compromised SharePoint and WordPress infrastructure for command and control operations.
The threat actors maintained persistent access for at least six consecutive hours, conducting hands-on-keyboard activity throughout the compromise.
When the victim opened the PDF document, the SumatraPDF executable sideloaded the malicious libmupdf.dll file, which researchers confirmed as a recent BURNBOOK loader variant.
This backdoor enabled the attackers to establish initial access and begin reconnaissance activities within the network.
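An added detection example, not code from the Orange Cyberdefense report: it scans image-load telemetry for the sideloading pattern described above, a SumatraPDF.exe instance loading libmupdf.dll from the same user-writable folder it was itself launched from. The sample events are constructed for illustration and use Sysmon Event ID 7 field names; the trusted install roots are an assumption to adjust per environment.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoad) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\engineer\Downloads\JobOffer\SumatraPDF.exe",
     "ImageLoaded": r"C:\Users\engineer\Downloads\JobOffer\libmupdf.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ImageLoaded": r"C:\Program Files\SumatraPDF\libmupdf.dll"},
    {"EventID": 7, "Image": r"C:\Users\engineer\Downloads\JobOffer\SumatraPDF.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# Assumed roots where legitimately installed software lives; everything else is
# treated as user-writable (Downloads, Temp, AppData, extracted archives, ...).
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

# Host binary -> DLL names it is known to resolve from its own directory.
# Only the pairing reported in this intrusion is listed; extend as needed.
WATCHED_PAIRS = {"sumatrapdf.exe": {"libmupdf.dll"}}


def is_user_writable(path: str) -> bool:
    """True when the directory is outside the assumed trusted install roots."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def suspicious_sideload(event: dict) -> bool:
    """Flag a watched DLL loaded from beside its host in a user-writable location."""
    if event.get("EventID") != 7:
        return False
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in WATCHED_PAIRS.get(host.name.lower(), set()):
        return False
    # Sideloading signature: the DLL sits in the same folder as the host binary
    # (search-order hijack) and that folder is somewhere a user could drop files.
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return dll.parent == host.parent and is_user_writable(str(dll.parent))


def find_sideload_alerts(events):
    """Return the loaded-image paths that match the sideloading pattern."""
    return [e["ImageLoaded"] for e in events if suspicious_sideload(e)]


if __name__ == "__main__":
    for path in find_sideload_alerts(SAMPLE_EVENTS):
        print("ALERT possible DLL sideload:", path)
```

The second sample (the same pairing under Program Files) and the third (a system DLL from System32) are deliberately left unflagged, so the rule keys on location rather than on the DLL name alone.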
Advanced Persistence and Lateral Movement Mechanisms
Following successful infiltration, the threat actors deployed multiple techniques to expand their foothold across the manufacturing network.
The attackers performed extensive LDAP queries against Active Directory to enumerate users and computers within the domain, gathering intelligence for lateral movement operations.
They subsequently compromised both backup and administrative accounts using pass-the-hash techniques, which allowed authentication without requiring plaintext passwords.
This method involved extracting NTLM password hashes and reusing them for network authentication. The attackers then deployed an additional payload called TSVIPsrv.dll, identified as a MISTPEN backdoor variant.
This malware decrypted and executed wordpad.dll.mui directly in memory, establishing connections to compromised SharePoint servers for command and control communications.
The final stage involved deploying Release_PvPlugin_x64.dll, which functioned as an information-stealing module designed to exfiltrate sensitive data from infected systems.
