
North Korean Hackers Hit UAV Industry with Job Offer Malware

Image: Lazarus Group’s fake-recruitment campaign targets UAV manufacturers in Europe

The North Korean state-sponsored group Lazarus has initiated a sophisticated espionage campaign aimed at companies in Europe developing unmanned aerial vehicles (UAVs). Beginning in March 2025, the operation infiltrated multiple defense firms in Central and Southeastern Europe via fake job-offer phishing, then deployed advanced malware to extract proprietary design and manufacturing know-how for drones. This incident underscores the growing intersection of cyber threats and emerging aerospace technologies.

The Social-Engineering Entry Vector

Attackers commenced the campaign by posing as recruitment consultants offering lucrative positions. Recipients were sent trojanised PDF readers embedded with malicious loaders. When opened, these dropped payloads that side-loaded DLLs with names such as DroneEXEHijackingLoader.dll. The use of fake employment schemes, known as Operation DreamJob, allowed Lazarus to bypass traditional threat filters and gain initial access to high-value aerospace targets.

Malware, Side-Loading and Data Exfiltration

Once a foothold was achieved, the intruders deployed the ScoringMathTea remote-access trojan (RAT). This malware gives attackers full control over the system, supports around 40 commands and communicates over channels encrypted with the IDEA algorithm and then Base64-encoded. Researchers also identified reflective DLL injection and in-memory execution used to evade disk-based detection. The internal name of one dropper, DroneEXEHijackingLoader.dll, points to drone-technology theft and reinforces the targeted nature of the campaign.

Target Profile and Strategic Implications

The identified victims include a metal-engineering firm, an aircraft component manufacturer and a defense supplier active in the UAV sector. Some produced systems used in Ukraine and supply-chain modules for single-rotor drones that North Korea is believed to be reverse-engineering. The intelligence theft aligns with Pyongyang’s ambition to replicate advanced UAV designs and advance its domestic drone manufacturing capabilities.

Risks for the Drone Supply-Chain and Defense Industry

By exfiltrating design data and software, Lazarus potentially stripped competitive and strategic advantages from European suppliers. This attack demonstrates that even firms outside traditional critical infrastructure become nation-state targets when they support dual-use technologies like UAVs. For defense-supply organizations, this signals the need for robust personnel vetting, supply-chain visibility and threat-intelligence integration.

Detection & Mitigation Strategies

Security teams should focus on:

  • Blocking unsolicited job-offer emails with compressed archives and PDFs.

  • Monitoring for DLL side-loading events, especially in aerospace systems where unusual filenames (e.g., DroneEXEHijackingLoader.dll) appear.

  • Logging scheduled tasks, process injection and unusual network connections.

  • Employing endpoint solutions that detect reflective loading and memory-only payloads.

  • Segmenting aerospace-supply networks and enforcing strict access controls for engineers and R&D personnel.

  • Engaging external threat-intelligence feeds to monitor Lazarus-linked domains and RAT command-and-control infrastructure.
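
As an added example (not part of the original article or of the researchers' tooling), the side-loading check from the list above can be written as a small triage over image-load events. It assumes events are already parsed into dictionaries using Sysmon Event ID 7 field names; the sample events, paths and trusted-directory list are constructed for illustration.

```python
import ntpath

# Directories where managed software is installed; anything else is treated
# as user-writable (assumption: adjust to your own build standard).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def sideload_reasons(event):
    """Return the reasons one image-load record looks like DLL side-loading."""
    image = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    reasons = []
    if not dll.endswith(".dll") or dll.startswith(TRUSTED_ROOTS):
        return reasons
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    same_dir = ntpath.dirname(dll) == ntpath.dirname(image)
    if unsigned and same_dir:
        reasons.append("unsigned DLL loaded from the host binary's own user-writable directory")
    original = event.get("OriginalFileName", "").lower()
    if original and original not in ("-", "?") and original != ntpath.basename(dll):
        reasons.append("internal name differs from file name on disk")
    return reasons

def triage(events):
    """Map each suspicious DLL path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := sideload_reasons(e))}

# Constructed sample events; paths and file names on disk are hypothetical, and
# the first assumes the dropper's internal name surfaces in OriginalFileName.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\eng1\Downloads\JobOffer\PdfReader.exe",
     "ImageLoaded": r"C:\Users\eng1\Downloads\JobOffer\libhelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "OriginalFileName": "DroneEXEHijackingLoader.dll"},
    {"Image": r"C:\Program Files\Reader\Reader.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "OriginalFileName": "version.dll"},
    {"Image": r"C:\Users\eng1\AppData\Local\Tool\tool.exe",
     "ImageLoaded": r"C:\Users\eng1\AppData\Local\Tool\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "OriginalFileName": "plugin.dll"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Validly signed per-user applications, like the third sample event, pass this check, so it is a triage filter to pair with the other controls in the list rather than a verdict.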

The Operation DreamJob campaign reveals a clear escalation: North Korea isn’t just targeting financial gain; it is stealing technological designs to bolster its own UAV programmes. Defense contractors and aerospace suppliers must treat these attacks with the urgency and rigor normally reserved for major zero-day vulnerabilities. By doing so, they protect both technological innovation and national-security interests.
