A new wave of targeted attacks against European drone manufacturers and defense contractors has been initiated by Lazarus, a sophisticated hacking group affiliated with North Korea and also known as HIDDEN COBRA. The initiative, known as Operation DreamJob, was launched in late March 2025 and focuses on companies in Central and Southeast Europe that are creating unmanned aerial vehicle technology.
This activity has been identified by researchers as part of a larger strategic effort by North Korea to expedite its domestic drone program, especially in light of the increased investment in modern warfare capabilities seen in the conflict between Russia and Ukraine. The campaign marks a major escalation in the cyberespionage methods used to steal intellectual property and confidential manufacturing data from the defense and aerospace industries.
At least two of the three European firms that have been identified as targets are heavily involved in the development of cutting-edge single-rotor drones and the production of vital UAV components that are currently being used in conflict areas. These attacks are timed to coincide with North Korea's alleged attempts to produce combat and reconnaissance drones in large quantities that resemble Western models like the RQ-4 Global Hawk and MQ-9 Reaper. The malware infrastructure utilized in these attacks uses advanced delivery mechanisms intended to circumvent conventional security defenses, according to Welivesecurity analysts and researchers.
[Figure: Examples of 2025 Operation DreamJob execution chains that deliver ScoringMathTea and BinMergeLoader (Source: Welivesecurity)]

The attack starts with social engineering: fictitious job offers for prestigious positions are used to trick employees into downloading trojanized documents.
Once it has been executed, the malware uses a series of specialized tools to maintain persistent access and evade detection on compromised systems.

Mechanism of infection

The main infection mechanism is DLL side-loading, a method by which trustworthy Windows programs are used to load malicious libraries without raising security alerts.

[Figure: A dropper that exports from a genuine Microsoft library and has a dubious internal name (Source: Welivesecurity)]

The attackers have trojanized well-known open-source programs, such as TightVNC Viewer, MuPDF reader, and WinMerge plugins, with their malware.
The internal filename DroneEXEHijackingLoader.dll, which directly alludes to the attackers' campaign's emphasis on drone technology, was found in one especially illuminating dropper.
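A defender-side sketch of how the side-loading pattern described above can be surfaced from image-load telemetry; it is an added example, not code from the article or from Welivesecurity. Field names follow Sysmon's image-load event (Event ID 7), the version-resource OriginalFileName stands in for the dropper's internal name, and the system DLL list, paths and on-disk file names are constructed assumptions.

```python
import ntpath

# Assumption: small sample of DLL names that ship in System32; extend from a clean host.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "winmm.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def in_system_dir(path):
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)

def findings(event):
    """Return the side-loading signals present in one image-load event."""
    loaded = event["ImageLoaded"]
    if in_system_dir(loaded):
        return []  # loaded from the expected system location
    on_disk = ntpath.basename(loaded).lower()
    internal = event.get("OriginalFileName", "").lower()
    hits = []
    if on_disk in SYSTEM_DLL_NAMES:
        hits.append("system-dll-name-outside-system-dir")
    if internal not in ("", "-", "?") and internal != on_disk:
        hits.append("internal-name-mismatch")
    if event.get("Signed", "false").lower() != "true":
        hits.append("unsigned")
    return hits

def triage(events, threshold=2):
    """Keep events that show at least `threshold` signals."""
    scored = ((e, findings(e)) for e in events)
    return [(e["ImageLoaded"], hits) for e, hits in scored if len(hits) >= threshold]

# Constructed sample events; paths and on-disk names are placeholders.
# Only the internal name DroneEXEHijackingLoader.dll comes from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "OriginalFileName": "version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\offer\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\offer\version.dll",
     "OriginalFileName": "DroneEXEHijackingLoader.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Program Files\Viewer\plugin.dll",
     "OriginalFileName": "plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_EVENTS):
        print(path, hits)
```

The threshold of two signals keeps a lone unsigned plugin in an application folder from alerting while still catching a system-named DLL whose internal name disagrees with its file name.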
ScoringMathTea, a remote access trojan that gives attackers total control over compromised machines, is the primary payload used in all incidents. About forty distinct commands are available for system manipulation, file exfiltration, and additional payload deployment in this sophisticated malware. ScoringMathTea's ability to stay fully encrypted on disk and only decrypt in memory during execution makes it extremely dangerous.
Without sophisticated behavioral monitoring, traditional file-based detection is practically impossible.











