Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.
“Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News.
It’s assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025.
Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.
While ScoringMathTea (aka ForestTiger) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022.
Operation Dream Job, first exposed by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacking group is believed to be operational since at least 2009.
In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star.
“The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.
The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads.
Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take complete control over the compromised machines.
“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”
Update
S2 Grupo’s LAB52 threat intelligence team, in an analysis published on October 24, 2025, said it’s tracking BinMergeLoader and other loaders deployed as part of the Dream Job campaign under the moniker DreamLoaders.
The cybersecurity company observed an instance where a trojanized version of the TightVNC client is used as a launchpad for two different kinds of loaders, including “TSVIPSrv.dll” and BinMergeLoader (“HideFirstLetter.dll”), which is launched in memory using sideloaded DLLs (“Webservices.dll” and “radcui.dll”).
TSVIPSrv.dll is “executed via a malicious service created by the attackers, named sessionenv,” LAB52 noted. “It also relies on two additional files previously placed by the attackers – wordpad.dll.mui and msinfo32.dll.mui – which contain the payloads to be loaded.”
The malicious DLL loader includes two Base64-encoded resources, a password, and a path to “wordpad.dll.mui,” which is then decoded to launch “msinfo32.dll.mui,” whose functionality remains unknown at this stage.
“The investigation into Lazarus group’s Dream Job campaign reveals a sophisticated and modular malware deployment strategy, leveraging legitimate system binaries and encrypted payloads to evade detection,” it added.
