North Korean Hackers Deploy “Drone” Malware In Targeting Of European UAV Manufacturers

The name said it all: DroneEXEHijackingLoader.dll.

That internal file name, found in malicious code delivered to three European companies in the aerospace and defense sector, points to what security researchers now assess is North Korea's latest espionage campaign aimed at stealing drone technology as Pyongyang races to modernize its UAV arsenal.

The attacks, attributed to the notorious Lazarus APT group, targeted companies manufacturing unmanned aerial vehicle components and software between March and August 2025, according to ESET Research.

The timing is notable. North Korean soldiers were deployed to Russia during this period to support Moscow's war effort in the Kursk region, exposing Pyongyang's military to modern drone warfare firsthand. Intelligence analysts assess that this battlefield experience likely reinforced North Korea's determination to accelerate domestic UAV production.

Lazarus executed the intrusions through Operation DreamJob, a long-running social engineering campaign that dangles fake job offers in front of aerospace and defense sector employees. Targets received trojanized PDF readers alongside fabricated job descriptions: the decoy document opened as expected while the reader delivered the malware.

The attackers compromised a metal engineering firm in southeastern Europe, an aircraft component manufacturer in central Europe, and a defense company also in central Europe. At least two victims are directly involved in UAV technology development, and one produces critical drone components currently deployed in Ukraine.

Technical Evolution Maintains Effectiveness

The campaign deployed ScoringMathTea, a remote access trojan that gives the operators full control of a compromised host and has been Lazarus's payload of choice for about three years. The RAT supports roughly 40 commands covering file manipulation, process management, system reconnaissance, and data exfiltration over encrypted channels.

Lazarus embedded its malicious code within trojanized open-source projects pulled from GitHub, including TightVNC Viewer, MuPDF reader, DirectX Wrappers, and plugins for Notepad++ and WinMerge. This technique provides enough variation to evade signature-based detection while maintaining operational consistency.

The group relied on DLL side-loading: a legitimate, usually signed, executable is made to load a malicious DLL that carries the name of a library the executable expects, because the attacker places that DLL where the Windows library search order finds it first, typically in the executable's own directory. The payload itself never sits on disk in the clear; it is stored encrypted with AES-128 or ChaCha20 and decrypted only in memory by the loader.

Reverse Engineering Through Cyberespionage

North Korea’s current flagship reconnaissance drone, the Saetbyol-4, appears nearly identical to Northrop Grumman’s RQ-4 Global Hawk. Its multipurpose combat drone, the Saetbyol-9, replicates the design of General Atomics’ MQ-9 Reaper. Even the numerical designations mirror their American counterparts.

This copying extends beyond visual mimicry. Multiple campaigns affecting aerospace companies, including UAV technology specifically, have been attributed to North Korean APT groups in recent years. U.S. authorities formally linked several Lazarus-related groups to North Korean intelligence services.

Russia now reportedly assists North Korea in producing knockoff versions of Iranian-made Shahed suicide drones. Pyongyang also develops low-cost attack UAVs potentially destined for African and Middle Eastern export markets. Recent construction activity near North Korean aircraft factories suggests preparation for mass UAV production.

Persistent Methods Despite Public Exposure

Despite widespread media coverage of Operation DreamJob tactics, employee awareness in sensitive sectors remains insufficient to counter these social engineering approaches. That the campaign keeps succeeding indicates security awareness programs do not adequately prepare personnel for recruitment-themed attacks.

ESET researchers identified ScoringMathTea in previous attacks against companies in India, Poland, the United Kingdom, and Italy since January 2023. The RAT first appeared in VirusTotal submissions from Portugal and Germany in October 2022, disguised as Airbus-themed job offers.

Command and control infrastructure consists of compromised WordPress installations, with the malicious server-side script typically placed in a theme or plugin directory. The attackers rotate through hosting providers across multiple countries.
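That placement gives defenders a hunting angle on the network side, shown here as an added example that is not code from ESET or from this article: browsers fetch static assets from a site's theme and plugin directories constantly, but they almost never POST to a PHP script inside them, so repeated POSTs from one client to such a script are worth inspecting. The log format and every sample line are constructed for the example (hosts use the reserved .test TLD); adapt parse_line() to the proxy or Zeek http.log you actually have.

```python
"""Hunt outbound web-proxy records for C2 traffic hidden on compromised WordPress sites.

Added example, not code from ESET or from the article. The log format and the
sample lines are constructed for this example (hosts use the reserved .test
TLD); adapt parse_line() to the proxy or Zeek http.log you actually have.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Directories where WordPress keeps theme and plugin code. Browsers fetch static
# assets from here all day; what they almost never do is POST to a .php file here.
WP_CODE_DIRS = ("/wp-content/themes/", "/wp-content/plugins/")

# Constructed format: <ISO timestamp> <client IP> <method> <url> <HTTP status>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect(method, url):
    """POST to a PHP script inside a theme or plugin directory."""
    path = urlsplit(url).path.lower()
    return (method == "POST"
            and path.endswith(".php")
            and any(d in path for d in WP_CODE_DIRS))


def hunt(lines):
    """Count suspect (client, host, path) triples; repeats suggest a beacon, not a form submit."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(rec["method"], rec["url"]):
            u = urlsplit(rec["url"])
            counts[(rec["src"], u.hostname, u.path)] += 1
    return counts


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-06-03T08:12:01Z 10.0.0.15 GET https://example-blog.test/wp-content/themes/twentytwenty/style.css 200
2025-06-03T08:12:44Z 10.0.0.15 POST https://example-blog.test/wp-content/themes/twentytwenty/inc/cache.php 200
2025-06-03T08:13:44Z 10.0.0.15 POST https://example-blog.test/wp-content/themes/twentytwenty/inc/cache.php 200
2025-06-03T08:14:02Z 10.0.0.22 POST https://example-blog.test/wp-admin/admin-ajax.php 200
2025-06-03T08:15:10Z 10.0.0.31 POST https://shop.example.test/wp-content/plugins/contact-form/submit.php 302
""".splitlines()

if __name__ == "__main__":
    for (src, host, path), n in hunt(SAMPLE_LOG).most_common():
        flag = "repeat" if n > 1 else "single"
        print(f"{n:>3} {flag:<6} {src} -> {host}{path}")
```

Legitimate plugins such as contact forms do accept POSTs to their own PHP files, so a single hit from a client that also browsed the site normally is low signal; the pattern to chase is a client that posts to the same theme or plugin script on a schedule without fetching the pages around it. Because the operators rotate hosting providers, key the hunt on the path shape rather than on any one server address.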

Security researchers attribute this activity to Lazarus with high confidence based on social engineering techniques, GitHub project trojanization methods, ScoringMathTea deployment, and targeting patterns consistent with previous Operation DreamJob campaigns. Organizations active in UAV development should anticipate continued targeting as North Korea pursues indigenous drone capabilities through cyber-enabled industrial espionage.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.