惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

RSS

Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Vietnam-aligned OceanLotus pivots to spy on domestic targets as it takes a more selective approach abroad, ESET Research finds Events and conferences Canon Canada Partners with ESET to Expand Cybersecurity Services ESET releases 2026 SMB Cyber Readiness Index showing growing confidence but also concerns about AI ESET has been named the only Challenger in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection ESET Research APT Report: China-aligned groups spy in Venezuela and the Gulf, target AI robotics in S. Korea Events and conferences ESET uncovers the expanded arsenal of China-aligned Webworm; European governments targeted ESET reaffirms its global market presence with new European and Asian offices ESET supercharges AI innovation with investment to address rapidly expanding attack surface ESET joins the Agentic AI Foundation to help shape safe, human‑led agentic AI ESET’s Tony Anscombe to Co-Chair NetDiligence Cyber Risk Summit Belarus-aligned FrostyNeighbor attacks Ukrainian government, again — ESET Research discovers ESET Research uncovers CallPhantom scam on Google Play: Fake logs for real money North Korea-aligned APT group ScarCruft compromises gaming platform in supply‑chain espionage attack, ESET Research finds ESET Research discovers new China-aligned group, GopherWhisper: It abuses messaging services Discord, Slack, and Outlook to spy ESET Research: New NGate hides in NFC payment app, possibly built with AI ESET finds that SMBs currently leverage cyber insurance to arm against attacks, report incidents and improve resilience ESET previews new AI security features to secure chatbot communications and AI workflows ESET wins four Global InfoSec Awards at RSAC 2026 ESET receives Intel vPro Certified App status – Delivering performance benefits for business customers while advancing threat detection capability ESET launches Cloud Workload Protection and AI enhancements for ESET PROTECT customers ESET presents six sessions at RSAC 2026 to advance cyber resilience ESET Research: A deep dive into EDR killers - a cornerstone of modern ransomware operations ESET sets new integration with Lumu ESET Endpoint Security for Windows v12 achieves Common Criteria certification ESET PRIVATE showcases custom security solutions at RSAC 2026 ESET launches eCrime reports ESET Research: One of Russia’s most notorious groups, Sednit, resurges with spyware in Ukraine ESET Opens 2026 Women in Cybersecurity Scholarship Applications CRN Honors ESET on Security 100 List for MDR and AI Innovations ESET’s Ryan Grant Named a 2026 CRN Channel Chief ESET Research discovers PromptSpy, the first Android threat to use generative AI ESET Named Finalist for Best Security Company in Expert Insights Awards 2026 ESET’s Tony Anscombe to Speak at NetDiligence Cyber Risk Summit Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers Fake dating app used as lure in spyware campaign targeting Pakistan, ESET Research discovers ESET is a Customers’ Choice for Endpoint Protection according to Gartner® Peer Insights™ ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files ESET Wins CRN’s 2025 Gender Parity Award New Chinese group LongNosedGoblin deploys cyberespionage tools in Southeast Asia and Japan, ESET Research discovers ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game – ESET Research discovers ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks ESET Research APT Report: Russian attacks surge in Ukraine and Europe; Chinese groups target Latin American governments ESET named a Leader in IDC MarketScape for Consumer Digital Life Protection ESET Research discovers new spyware posing as messaging apps targeting users in the UAE ESET Enhances Free Cybersecurity Awareness Training + CSAM Resources ESET Research’s deep dive into DeceptiveDevelopment, North Korean crypto theft via fake job offers ESET Research: Russian FSB-linked Gamaredon and Turla team up to target high-profile Ukrainian entities SDSU Athletics x ESET: Proud Partnership for Student-Athlete Success ESET Research discovers UEFI-compatible HybridPetya ransomware capable of Secure Boot bypass ESET at MSP Summit 2025: Field CISO Keynote + XDR Partner Events ESET Named a Strong Performer in Independent Evaluation of MDR Services in Europe ESET Research discovers new Chinese threat group: GhostRedirector manipulates Google, poisons Windows servers with backdoors ESET discovers PromptLock, the first AI-powered ransomware" on page ESET Research: Russian RomCom group exploits new vulnerability, targets companies in Europe and Canada ESET PROTECT Elite is a Security Winner of the 2025 CRN Tech Innovators ESET has strengthened its position in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms ESET Research uncovers variants of AsyncRAT, popular choice of cybercriminals Meet the 2025 Women in Cybersecurity Scholarship Winners ESET Named a 2025 Gartner® Peer Insights™ Customers’ Choice for Endpoint Protection ESET Named a Notable Provider in latest European MDR Landscape Report ESET Wins 2025 SC Award for Ransomware Remediation ESET Research discovers the first UEFI bootkit for Linux ESET Research discovers Mozilla and Windows zero day & zero click vulnerabilities exploited by Russia-aligned RomCom APT group ESET Research discovers WolfsBane, new Linux cyberespionage backdoor by China-aligned Gelsemium Days after takedown, ESET Research releases analysis of RedLine Stealer infostealer empire ESET releases latest APT report: China-aligned groups expand targeting; Iran advances diplomatic espionage ESET Research discovers new China-aligned APT group CeranaKeeper, which targeted the Thai government ESET Threat Report: Infostealers using AI & banking malware creating deepfake videos to steal money ESET Research: Ebury botnet alive & growing; 400k Linux servers compromised for cryptocurrency theft and financial gain ESET Research releases latest APT Activity Report, highlighting cyber warfare of Russia-, China-, and Iran-aligned groups ESET Research joins global operation to disrupt the Grandoreiro banking trojan operating in Latin America and Spain Iran-linked OilRig attacks Israeli organizations with cloud service-powered downloaders, ESET Research discovers ESET Research: Official Python repository served cyberespionage backdoor, gathered 10,000+ downloads Predatory SpyLoan apps — loan sharks expand their range to Android, ESET Research finds ESET Research dives into the onboarding and scamming processes of Telekopye online fraudsters ESET Research: Android malware Kamran spying via news app on residents of the disputed Kashmir region ESET Research: Infamous IoT botnet Mozi taken down via a kill switch ESET APT Activity Report: China-aligned groups campaign against EU targets; prime target of Russia-aligned groups remains Ukraine ESET Research announces comprehensive report on Latin America’s threat landscape titled ‘Looking into TUT’s tomb: The universe of threats in LATAM’ ESET Research discovers Operation Jacana, targeting governmental entity in Guyana, likely by Chinese threat group ESET Research: North Korea-linked Lazarus impersonates Meta on LinkedIn to attack an aerospace company in Spain ESET and Calgary Flames Sign Multi-Year Partnership ESET Celebrates 10 Years in Montreal ESET Business Bundles Launch on Ingram Micro Cloud Marketplace
North Korean Lazarus group targets the drone sector in Europe, likely for espionage, ESET Research discovers
2025-10-23 · via RSS
  • Lazarus targeted several companies active in the defense industry in Central and Southeastern Europe. Some of these are heavily involved in the unmanned aerial vehicle (UAV / drones) sector.
  • Lazarus attacks against companies developing UAV technology align with recently reported developments in the North Korean drone program.
  • The suspected primary goal of the attackers was likely the theft of proprietary information and manufacturing know-how.
  • Based on the social-engineering technique used for initial access, trojanizing open-source projects from GitHub, and the deployment of ScoringMathTea, we consider these attacks to be a new wave of the Operation DreamJob campaign.

PRAGUE, BRATISLAVAOctober 23, 2025 — ESET researchers have recently observed a new instance of Operation DreamJob — a campaign that ESET tracks under the umbrella of North Korea-aligned Lazarus group — in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV / drones) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. The in-the-wild attacks successively targeted three companies active in the defense sector in Central and Southeastern Europe. Initial access was almost certainly achieved via social engineering. The main payload deployed to the targets was ScoringMathTea, a remote-access trojan (RAT) that offers the attackers full control over the compromised machine. The suspected primary goal of the attackers was exfiltration of proprietary information and manufacturing know-how.

In Operation DreamJob, the dominant theme of social engineering is a lucrative, but faux, job offer served with a side of malware: The target usually receives a decoy document with a job description and a trojanized PDF reader to open it. ESET Research attributes this activity with a high level of confidence to Lazarus, particularly because of its campaigns related to Operation DreamJob, and because the targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob (aerospace, defense, engineering).

The three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance. At the time of Operation DreamJob’s observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in the Kursk region. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war. More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities. North Korea has relied heavily on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. 

“We believe that it is likely that Operation DreamJob was — at least partially — aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The drone mention observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed these latest Lazarus attacks. “We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line. This entity is also involved in the supply chain of advanced single-rotor drones, a type of aircraft that Pyongyang is actively developing,” adds Alexis Rapin, ESET cyberthreat analyst.

Generally, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes these tools and enables their detection. As a countermeasure, the group’s tools are preceded in the execution chain by a series of droppers, loaders, and simple downloaders. The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub.

The main payload, ScoringMathTea, is a complex RAT that supports around 40 commands. Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server. Regarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It seems that it is one of the flagship payloads for Operation DreamJob campaigns.

The group’s most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion. “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications. This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process,” concludes Kálnai.

The Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at least 2009. It is responsible for high-profile incidents. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as the fact that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.

Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the “dream job” lure). Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies, and the media and entertainment sector.

For a more detailed analysis of the latest Lazarus DreamJob campaign against the UAV sector, check out the latest ESET Research blogpost “Gotta fly: Lazarus targets the UAV sector” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Examples of 2025 Operation DreamJob execution chains delivering ScoringMathTea

About ESET

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.