The notorious North Korea-aligned advanced persistent threat (APT) group, Lazarus, also known as Hidden Cobra, launched a renewed phase of its long-running Operation DreamJob campaign starting in March 2025. This sophisticated espionage effort successfully compromised three European defense firms, including a metal engineering company, an aircraft parts manufacturer, and a defense contractor. The attackers specialize in social engineering, luring victims with attractive, but ultimately fake, recruitment opportunities for high-profile positions, using malicious documents to gain initial access to the targets’ secure networks.
The primary target of this recent activity was companies involved in Unmanned Aerial Vehicle (UAV) technology, a focus that cybersecurity researchers believe reflects a strategic alignment with North Korea’s national objectives. Pyongyang is actively working to expand its drone capabilities, often by reverse-engineering Western designs—such as the US-made Saetbyol-4 and Saetbyol-9 models. Given that the targeted European firms produce equipment currently used in the conflict in Ukraine, the hackers likely intended to steal sensitive intellectual property and manufacturing know-how related to these crucial Western defense systems.
Lazarus gained a foothold in the networks through a classic social engineering technique: the distribution of fake job offers disguised as PDFs. Opening these documents executed trojanized software components, which deployed a multi-stage toolset. This chain of attack included various custom loaders and droppers, such as trojanized versions of MuPDF and TightVNC, designed to evade detection. The ultimate goal of the initial intrusion was to deliver the main payload, the powerful ScoringMathTea Remote Access Trojan (RAT), which grants the threat actors full remote control over the compromised systems.
The Lazarus Group itself has been active since at least 2009 and is one of the world’s most notorious state-sponsored hacking organizations, responsible for high-profile cyberattacks like the Sony Pictures breach, the WannaCry ransomware outbreak, and major global cryptocurrency heists. Unlike many other state actors, Lazarus is known for both espionage and financial theft, using its cybercrime operations to fund the heavily sanctioned North Korean regime. The consistent use of the “fake recruiter” tactic has been a hallmark of Operation DreamJob since it was first identified around 2020.
In the 2025 iteration of the campaign, researchers observed the Lazarus group refining its attack methodology by structuring its tools into two distinct tiers: early-stage droppers/loaders and the main ScoringMathTea payload. This layered approach, which leverages components like the QuanPinLoader and BinMergeLoader to decrypt and load final payloads in memory, underscores the group’s persistent dedication to improving its stealth and capabilities. Organizations in the defense and aerospace sectors are continually advised to be on high alert for these highly targeted and persistent fake recruitment schemes.
Reference:
