North Korea’s Lazarus group attacked three companies involved in drone development

North Korea’s Lazarus threat group attacked three Europe-based companies with active operations in the defense sector last spring to potentially steal sensitive data about drone components and software, ESET researchers said in a report released Thursday.

The attacks initiated by North Korea’s long-running advanced persistent threat group, which specializes in espionage, sabotage and financial gain, targeted a metal engineering company, an aircraft component manufacturer and a defense company in late March.

The objectives sought by Lazarus are unverified, but researchers identified multiple potential benefits for North Korea, including information on materials manufacturing and drone development.

ESET noted that the attacks targeted companies that supply military equipment, some of which is currently deployed in Ukraine, during a period when North Korean soldiers were deployed in Russia. One of the targeted companies is involved in the production of at least two unmanned aerial vehicles currently used in Ukraine, which North Korea may have encountered on the frontline, the report said.

The targeted companies also have specialized information that could bolster North Korea’s drone manufacturing program, including advanced single-rotor drones that Pyongyang is actively developing, according to ESET.

“We believe that it is likely that Operation DreamJob was — at least partially — aimed at stealing proprietary information and manufacturing know-how regarding UAVs,” researchers said in the report.

ESET attributed the attacks to Lazarus group’s Operation DreamJob campaign, which uses fake offers of lucrative, high-profile jobs as a social engineering lure to gain initial access to targeted networks.

Lazarus sent targets a decoy document containing a job description, along with a trojanized PDF reader with which to open it. ScoringMathTea, the primary remote access trojan deployed in these attacks, gave the attackers complete control of the compromised machine, researchers said.

ESET said it previously observed ScoringMathTea, Lazarus’ preferred payload since 2022, in similar attacks against an India-based technology company, a Poland-based defense company, an industrial automation company in the United Kingdom and an aerospace company in Italy.

“This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process,” researchers said in the report.

The malware droppers observed in these attacks all contained a dynamic-link library file named “DroneEXEHijackingloader.dll,” a name that points to a DLL-hijacking loader and that ESET viewed as further evidence of the attackers’ focus on drone technology.

ESET published binaries and indicators of compromise it observed while investigating these attacks. Researchers warned that other organizations in the drone sector may also be targeted by North Korean attackers.
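As an added example (not code from the article or from ESET), the following hunt turns the two concrete details above into detection logic: the DLL name ESET reported, and the delivery shape of a trojanized PDF reader that loads a DLL dropped beside it. It runs over Sysmon-style ImageLoaded (event ID 7) records in JSON-lines form. The list of PDF-reader process names, the user-writable directory patterns, and the sample events are assumptions constructed for the example, not observations from the campaign.

```python
"""Hunt over Sysmon-style ImageLoaded events for the side-loading pattern described above."""
import json
import ntpath
import re

# DLL name ESET reported inside the droppers (from the article); matched case-insensitively.
KNOWN_BAD_DLL_NAMES = {"droneexehijackingloader.dll"}

# Assumption: process image names a defender would treat as a PDF reader for this hunt.
PDF_READER_IMAGES = {"acrord32.exe", "acrobat.exe", "sumatrapdf.exe", "foxitreader.exe"}

# Assumption: directories a phished user can write to without admin rights, where a
# job-offer lure and its trojanized reader would land.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\", re.IGNORECASE
)


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def classify_load(event):
    """Return the list of reasons one ImageLoaded event looks like DreamJob-style side-loading.

    An empty list means the load is not flagged. Field names follow Sysmon event ID 7:
    Image (the host process), ImageLoaded (the DLL) and Signed ("true"/"false").
    """
    reasons = []
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    proc = ntpath.basename(image).lower()
    dll = ntpath.basename(loaded).lower()

    # 1. Exact IOC: the DLL name ESET published.
    if dll in KNOWN_BAD_DLL_NAMES:
        reasons.append("known IOC DLL name")

    # 2. Side-loading shape: a PDF reader running from a user-writable folder loads a DLL
    #    from that same folder (a DLL dropped beside the trojanized reader).
    looks_like_reader = proc in PDF_READER_IMAGES or "pdf" in proc
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if looks_like_reader and is_user_writable(image) and same_dir:
        reasons.append("PDF reader in user-writable path loads co-located DLL")

    # 3. Weak corroborating signal: the loaded DLL is unsigned and lives under the profile.
    if str(event.get("Signed", "")).lower() == "false" and is_user_writable(loaded):
        reasons.append("unsigned DLL loaded from user-writable path")

    return reasons


def hunt(json_lines):
    """Parse JSON-lines telemetry and return (process, dll, reasons) for every flagged load."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_load(event)
        if reasons:
            hits.append((event.get("Image", ""), event.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample telemetry for this example (not real logs from the campaign).
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                "ImageLoaded": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroRd32.dll",
                "Signed": "true"}),
    json.dumps({"Image": r"C:\Users\jdoe\Downloads\JobOffer\SumatraPDF.exe",
                "ImageLoaded": r"C:\Users\jdoe\Downloads\JobOffer\DroneEXEHijackingloader.dll",
                "Signed": "false"}),
    json.dumps({"Image": r"C:\Users\jdoe\AppData\Local\Temp\pdfviewer.exe",
                "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\helper.dll",
                "Signed": "false"}),
    json.dumps({"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
                "Signed": "true"}),
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The exact-name match only catches the sample ESET already published; the second and third checks are what give coverage once the group renames the loader, which is why the third sample event (an unsigned DLL beside a reader in Temp, with no IOC name) is still flagged. Expect false positives from portable PDF readers that legitimately run from Downloads; triage on the DLL hash against ESET's published indicators before escalating.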

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
