Cybersecurity researchers have uncovered a new wave of cyber-attacks aimed at European defense contractors involved in drone development. The campaign, attributed to the North Korea-linked Lazarus Group, represents the latest stage of Operation DreamJob, a long-running espionage effort focused on stealing sensitive military and aerospace technologies.
Refined Espionage Tactics
Detected in March 2025 by ESET, the operation targeted three companies across Europe — a metal engineering firm, an aircraft components manufacturer, and a defense contractor.
Using its trademark social-engineering strategy, Lazarus lured employees with fake job offers, tricking them into opening maliciously modified PDF readers that secretly installed malware.
ESET’s analysis identified a remote access Trojan (RAT) dubbed ScoringMathTea, which grants attackers complete control over infected systems. The malware was distributed via layered droppers and loaders disguised as legitimate software, including tampered open-source projects from GitHub.
Focus on Drone Technology
One malicious file, named DroneEXEHijackingLoader.dll, pointed to a deliberate interest in unmanned aerial vehicle (UAV) data. Two of the compromised organizations specialize in drone hardware and software development — a field North Korea is known to be rapidly advancing.
The campaign’s timing coincides with reports of North Korean military involvement in Russian operations in Ukraine, suggesting that the attackers may be seeking intelligence on Western drone technologies used in the conflict.
ESET believes the stolen data could aid Pyongyang’s efforts to enhance its drone capabilities, many of which already show striking resemblances to U.S. models such as the RQ-4 Global Hawk and MQ-9 Reaper.
Evolving Tools and Techniques
Lazarus Group continues to refine its tactics in 2025, incorporating new components into its arsenal, including:
- Trojanized open-source tools such as TightVNC Viewer and MuPDF
- Custom loaders and downloaders crafted from DirectX Wrappers and Notepad++ plugins
- Continued deployment of the ScoringMathTea RAT as the primary payload
These enhancements illustrate Lazarus’s adaptability and its ongoing strategy of merging social engineering with weaponized software tools.
Rising Threat to Defense Contractors
ESET’s researchers warn that the incident highlights the growing threat to defense and aerospace firms, particularly those involved in UAV research and production.
“Given North Korea’s current push to expand its drone industry and arsenal, it’s highly probable that other organizations in this sector will become targets of similar campaigns,” ESET concluded.