Norks droning on about your dream job while pwning your PC

Summary

North Korea’s Lazarus Group has run an Operation DreamJob campaign that targeted Europe’s UAV (drone) sector by luring job seekers and defence contractors with fake employment offers. Victims included companies making aircraft components and UAV-related software; at least some kit is in use by Ukrainian forces. Attackers used social engineering to deliver trojanised open-source tools and loaders, then deployed a remote-access trojan called ScoringMathTea (aka ForestTiger) to fully compromise machines and exfiltrate data.

The campaign (spotted by ESET) began in late March and reuses DreamJob tradecraft: malicious job PDFs, trojanised binaries and side-loaded libraries (one internal DLL named DroneEXEHijackingLoader.dll). Trojanised components included TightVNC, MuPDF, Notepad++ plugins, libpcre and other open-source projects repackaged as droppers/loaders. ScoringMathTea supports ~40 commands for file/process control, configuration exchange and fetching further payloads from command-and-control servers.

Key Points

  • Operation DreamJob uses convincing fake job offers and social engineering to gain initial access.
  • Lazarus targeted European UAV supply-chain firms — makers of drone parts and UAV software.
  • Attackers trojanised widely used open-source projects and plugins to create droppers and loaders.
  • One dropper contains the internal name DroneEXEHijackingLoader.dll, linking the campaign to UAV-focused objectives.
  • The final payload is ScoringMathTea/ForestTiger, a powerful RAT with ~40 commands enabling full remote control and data theft.
  • Suspected motivation: steal IP and intel on Western-made UAVs used in the Russia–Ukraine war and support Pyongyang’s drone efforts.
  • This attack illustrates supply-chain risk from trojanised FOSS and plugins used in engineering and defence contexts.

Context and relevance

Supply-chain compromise and social-engineering campaigns are longstanding Lazarus tactics; DreamJob has been active since 2020. The focus on UAV companies matters because drones are strategically important in modern conflicts and industrial supply chains. Repackaging open-source binaries and plugins as droppers raises the bar for defenders: standard tooling can be weaponised, making software provenance and integrity checks critical for firms in aerospace, defence and related sectors.

For security teams and CISOs this is a timely reminder to harden recruitment channels, vet attachments and installers thoroughly, monitor for side-loading and unusual library names, and treat any unsolicited job-related documents with suspicion. For organisations in the drone supply chain, the risk includes IP theft and espionage that could influence battlefield capabilities.

Why should I read this?

Look — if you hire people, touch drone tech, or rely on open-source plugins, this one’s worth five minutes. Lazarus isn’t doing random mischief: they’re targeting kit that matters. We’ve pulled the salient bits for you so you know what to block, watch for and tell HR to stop opening. Seriously, pass this to your security and hiring teams.

Author style

Punchy: this isn’t a minor phishing run — it’s a purposeful, supply-chain-aware campaign against defence suppliers. If you manage security for industrial, aerospace or defence vendors, read the ESET write-up linked below for indicators and mitigation details.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/23/north_korean_dream_job_attacks/