
Lazarus Group’s Operation DreamJob Targets European Defense Firms

By Team-CWD, October 23, 2025


A new series of cyber-attacks targeting European defense companies involved in drone development has been uncovered by cybersecurity researchers.

The activity, attributed by ESET to the North Korea-aligned Lazarus Group, marks the latest phase of Operation DreamJob, a long-running cyber-espionage campaign aimed at stealing sensitive military and aerospace data.

Lazarus Group Refines Espionage Tactics

The campaign, detected in March 2025, focused on three European firms – a metal engineering company, an aircraft components manufacturer and a defense contractor.

All were tricked using social-engineering tactics involving fake job offers, an established hallmark of Operation DreamJob. Victims were lured into opening trojanized PDF readers that secretly installed malware.

ESET’s telemetry revealed the use of “ScoringMathTea,” a remote access Trojan (RAT) capable of giving attackers full control over compromised systems.

The malware was delivered through a series of droppers and loaders disguised as legitimate software components, including manipulated open-source projects from GitHub.

The Drone Connection

One of the key malicious files, DroneEXEHijackingLoader.dll, led researchers to suspect that this campaign specifically sought UAV-related data. Two of the targeted companies are involved in the production of drone parts or software, an area North Korea is currently aiming to advance.

The timing of the attacks coincides with reports of North Korean soldiers supporting Russian operations in Ukraine, raising the possibility that the campaign aimed to gather intelligence on Western-made drones deployed in the conflict.

ESET believes this could support Pyongyang’s ambitions to enhance its own UAV designs, many of which bear substantial similarities to US military drones like the RQ-4 Global Hawk and MQ-9 Reaper.

Tools and Techniques

According to ESET, the attackers introduced new elements to their toolset in 2025, including:

  • Trojanized open-source applications such as TightVNC Viewer and MuPDF
  • New loaders and downloaders built from DirectX Wrappers and Notepad++ plugins
  • The continued use of ScoringMathTea as the main payload

These updates demonstrate Lazarus’s ongoing effort to refine its techniques while maintaining its characteristic strategy of blending social engineering with malware-laced software tools.

ESET concluded that this latest campaign underscores the persistent risk faced by the defense sector, particularly organizations engaged in UAV research.

“Considering North Korea’s current efforts at scaling up its drone industry and arsenal, it seems likely that other organizations active in this sector will whet the appetite of North Korea-aligned threat actors in the near future.”


