Lazarus Group and the European Drone Industry: What’s at Risk

[Image: European drone-manufacturing facility targeted by Lazarus Group’s Operation DreamJob campaign]

The exploitation of drone-manufacturing capacity by cyber-espionage actors has entered a new phase. In late October 2025, the Lazarus Group orchestrated an extensive campaign aimed at European defence and unmanned-aerial-vehicle (UAV) manufacturers. The group leveraged the hallmark “dream job” lure, delivering malware that grants persistent access. The objective: theft of proprietary UAV technologies and manufacturing processes, aligning with North Korea’s aggressive drone-development agenda.

Targeting the Drone Supply Chain

Analysts at ESET identified three unnamed manufacturers in Central and Southeastern Europe, all tied to UAV development, as victims of the campaign. The intruders posed as recruiters offering prestigious engineering positions. Upon opening trojanised PDF readers, victims unwittingly executed the remote-access trojan ScoringMathTea. Once deployed, the RAT enabled full lateral movement and data exfiltration. The code base even included the keyword “drone” embedded in loader filenames, reinforcing the espionage focus.

Fake Job Offers Meet Open-Source Trojans

The campaign reflects a mature social-engineering playbook. First, the threat actors trojanised open-source tools hosted on GitHub. Then they distributed them via fake engineering job postings to UAV-related firms. The victims believed they were attending interviews; instead they executed malware. The loaders sideloaded legitimate libraries such as “DroneEXEHijackingLoader.dll” before deploying ScoringMathTea. This multi-stage execution chain underscores how advanced and persistent the Lazarus Group has become.

Why Drone-Manufacturing Matters to North Korea

North Korea has rapidly expanded its UAV ambitions. Analysts note that Pyongyang’s recent activities mirror features of Western-made systems. By targeting European drone manufacturers, the Lazarus Group likely sought manufacturing processes, design blueprints and software frameworks that Pyongyang could replicate or reverse-engineer. This strategy aligns with earlier state-sponsored espionage targeting aerospace and defence sectors. The involvement of these European firms in Ukraine’s drone-assistance programmes adds further strategic relevance. 

Implications for Defence-Industry Cybersecurity

The attack signals a shift: supply-chain integrity in defence and aerospace is under threat, not just from insider negligence or hardware compromise but from targeted recruitment ruses. Organisations must view fake job offers as a credible vector. Companies operating within the UAV ecosystem should assume the following: attackers will pose as genuine recruiters, payloads will arrive via seemingly benign engineering tools, and once inside, attackers will move rapidly to extract or sabotage IP.

Mitigation Strategies for Aerospace and UAV Firms

  • Institute rigorous screening of unsolicited recruitment communications and validate every external hiring channel.

  • Employ application-whitelisting for PDF readers and remote-access tools; disable execution of unverified binaries in critical systems.

  • Conduct regular tabletop exercises simulating “fake job offer” phishing as part of organisational resilience plans.

  • Monitor for unusual job-portal traffic, document-viewer installs or external C2-communications originating from engineering workstations.

  • Secure supply-chain transparency: align with vendors and subcontractors to ensure they implement comparable hiring and software-validation controls.
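
The monitoring and allow-listing points above can be turned into a concrete check. The following is an added example, not code from the article or from ESET: it scans image-load telemetry for a program that runs from a user-writable folder and loads an unsigned DLL from its own directory, the pattern left by a side-loading loader bundled with a trojanised viewer. The field names are modelled on Sysmon image-load events (Event ID 7), and every host, path and file name in the sample data is constructed.

```python
import ntpath

# Directories a standard user can write to; a PDF reader or remote-access tool
# running from here did not arrive through the managed software channel.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def find_sideload_candidates(events):
    """Return (host, exe, dll) for image loads meeting all three conditions:
    the process runs from a user-writable path, the DLL sits in the same
    directory as the executable, and the DLL has no valid signature."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:  # 7 = image (DLL) load
            continue
        exe, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
        unsigned = ev.get("SignatureStatus") != "Valid"
        if in_user_writable(exe) and same_dir and unsigned:
            hits.append((ev["Computer"], exe, dll))
    return hits

# Constructed sample events (hosts, paths and file names are made up).
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ENG-WS-01",
     "Image": r"C:\Program Files\ViewerApp\viewer.exe",
     "ImageLoaded": r"C:\Program Files\ViewerApp\render.dll",
     "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "ENG-WS-02",
     "Image": r"C:\Users\alice\Downloads\interview_pack\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\interview_pack\helper.dll",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "ENG-WS-02",
     "Image": r"C:\Users\alice\Downloads\interview_pack\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "ENG-WS-03",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{host}: {exe} loaded unsigned local DLL {dll}")
```

Hits are triage candidates rather than verdicts: portable tools that ship their own unsigned libraries will also match, so review results against the approved-software list.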

The Lazarus Group’s latest campaign demonstrates that North Korea’s cyber-espionage apparatus remains adaptive and capable. By targeting European drone manufacturers under the cover of fake job posts, the group exploited human-factor and supply-chain vulnerabilities rather than relying on headline-grabbing zero-day exploits. For aerospace, defence and UAV firms operating globally, the lesson is clear: threat vectors evolve, but control of recruitment and software-validation processes remains a frontline defence.
