Lazarus Group's 'Operation DreamJob' Targets EU Drone-Makers

North Korean Lazarus Group Targets European Drone Companies in 'Operation DreamJob'

HIGH
October 24, 2025
5m read
Threat Actor, Cyberattack, Phishing

Related Entities

Threat Actors

Lazarus Group (Hidden Cobra)

Full Report

Executive Summary

A new cyber-espionage campaign named Operation DreamJob has been attributed to the North Korean state-sponsored advanced persistent threat (APT) group known as the Lazarus Group (also tracked as Hidden Cobra). This highly targeted operation is aimed at European defense companies, with a specific focus on those developing Unmanned Aerial Vehicle (UAV) or drone technology. The group's primary tactic is elaborate social engineering, using fake job recruitment lures to deliver malware. The objective of the campaign is the theft of valuable intellectual property and state secrets related to advanced military and aerospace technologies.


Threat Overview

  • Threat Actor: Lazarus Group (aka Hidden Cobra), a North Korean state-sponsored APT.
  • Campaign Name: Operation DreamJob.
  • Targets: European defense and aerospace companies, particularly those in the UAV sector.
  • Objective: Cyber-espionage and intellectual property theft.
  • Primary Tactic: Social Engineering via fake job offers.

Technical Analysis

Operation DreamJob is a classic example of the Lazarus Group's well-honed social engineering methodology. The attack chain is as follows:

  1. Reconnaissance and Targeting: The attackers identify key employees at target companies, such as engineers and project managers, often using professional networking sites like LinkedIn. This is a form of T1589 - Gather Victim Identity Information.
  2. Initial Contact (Lure): The attackers create fake profiles of recruiters from prominent defense or technology companies and initiate contact with the targeted employees. They present a convincing and attractive, but fake, job opportunity related to UAV technology.
  3. Malware Delivery: After establishing trust, the 'recruiter' sends the target a document, such as a job description or application form. This document is weaponized to deliver malware when opened. This could be a malicious macro in an Office document or an executable disguised as a PDF. This aligns with T1566.001 - Spearphishing Attachment and T1204.002 - Malicious File.
  4. Post-Exploitation: Once the initial malware (a dropper or backdoor) is executed, it establishes a foothold on the victim's machine and connects to a command-and-control (C2) server. From there, Lazarus operators can conduct further reconnaissance, move laterally within the network, and exfiltrate data.

This campaign demonstrates the group's patience and resourcefulness, investing time in building credible personas to bypass technical controls by exploiting human trust.

Impact Assessment

  • Intellectual Property Theft: The primary impact is the loss of highly sensitive and valuable IP related to cutting-edge drone and defense technology. This theft can erode a company's competitive advantage and provide a significant technological leap to North Korea's military program.
  • National Security Risk: The stolen technology could be used to develop or enhance North Korea's own military capabilities, posing a direct threat to regional and global security.
  • Economic Espionage: The theft of trade secrets represents a significant financial loss for the targeted companies and their respective countries.

IOCs

No specific Indicators of Compromise (IOCs) have been publicly released in the initial reports.

Detection & Response

  • User Awareness: The first line of defense is a vigilant and well-trained workforce. Employees should be trained to be suspicious of unsolicited job offers, especially those that seem too good to be true, and to verify the identity of recruiters through official channels.
  • Email and Document Sandboxing: Use email security solutions to scan and sandbox all incoming attachments. This can detonate the malicious document in a safe environment and identify the malware before it reaches the user.
  • Endpoint Detection and Response (EDR): Monitor for suspicious process chains, such as a Microsoft Word document spawning PowerShell or making network connections to unknown domains. This can detect the initial malware execution.
  • Network Egress Filtering: Restrict outbound connections to disrupt C2 communications. Lazarus often uses custom protocols, so monitoring for non-standard traffic is also crucial.
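The two EDR and egress signals above (an Office application spawning a script host, and an Office process connecting to a host that is not on an approved list) can be expressed as simple detection logic over process-creation and network-connection telemetry. The following is an added example, not code from the original report or from any vendor: the events are constructed Sysmon-style records, the approved-domain baseline is an assumption for a hypothetical corporate environment, and the command line contains a placeholder rather than any real payload.

```python
"""Process-chain and egress checks for Office-launched activity (added
example; events are constructed Sysmon-style records, not campaign data)."""

from dataclasses import dataclass
from typing import List, Optional

# Office parents that should rarely, if ever, spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and living-off-the-land binaries commonly launched by macros.
SCRIPT_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Assumed corporate baseline of hosts Office is expected to contact.
APPROVED_DOMAINS = {"officecdn.microsoft.com", "login.microsoftonline.com"}
# Command-line fragments that raise severity from high to critical.
RISKY_ARGS = ("-enc", "-encodedcommand", "-windowstyle hidden", "bypass",
              "downloadstring", "iex", "invoke-expression")


@dataclass
class Event:
    """Minimal Sysmon-like record: id 1 = process creation, id 3 = network."""
    event_id: int
    image: str
    parent_image: Optional[str] = None
    command_line: str = ""
    dest_host: Optional[str] = None


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_creation(ev: Event) -> Optional[Alert]:
    """Flag an Office application spawning a script host."""
    if ev.event_id != 1 or not ev.parent_image:
        return None
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    cmd = ev.command_line.lower()
    severity = "critical" if any(a in cmd for a in RISKY_ARGS) else "high"
    return Alert("office_spawns_script", severity,
                 f"{parent} -> {child}: {ev.command_line}")


def check_network(ev: Event) -> Optional[Alert]:
    """Flag an Office process connecting to a host outside the approved set."""
    if ev.event_id != 3 or not ev.dest_host:
        return None
    image = basename(ev.image)
    if image in OFFICE_PARENTS and ev.dest_host.lower() not in APPROVED_DOMAINS:
        return Alert("office_unknown_egress", "medium", f"{image} -> {ev.dest_host}")
    return None


def evaluate(events: List[Event]) -> List[Alert]:
    """Run every check over every event and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_process_creation, check_network):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a benign browser launch, a macro-driven
# PowerShell launch, an expected Office update check, and an unknown callback.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="chrome.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line="powershell.exe -WindowStyle Hidden -EncodedCommand <base64-placeholder>"),
    Event(3, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          dest_host="officecdn.microsoft.com"),
    Event(3, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          dest_host="cdn-update.example.net"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.detail}")
```

The parent/child pairing is the robust signal; the command-line fragments only adjust severity, so an attacker changing arguments still trips the rule. In production the approved-domain set would be derived from a baseline of observed Office traffic rather than hard-coded.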

Mitigation

  • Employee Training: Implement a continuous security awareness program focused on social engineering and phishing. Conduct regular phishing simulations using job-offer-themed lures. This is a direct application of User Training.
  • Block Personal Email: Enforce policies that prevent employees from accessing personal email or social media on corporate devices to reduce the risk of lures reaching them.
  • Application Hardening: Configure Microsoft Office applications to disable macros by default and warn users before enabling them.
  • Least Privilege: Ensure that even if an employee's machine is compromised, the attacker does not immediately gain broad access to the network. Segment networks and enforce strict access controls.

Timeline of Events

October 24, 2025: This article was published.

MITRE ATT&CK Mitigations

The most critical defense against a social engineering campaign like Operation DreamJob is training employees to be skeptical of unsolicited contact and to verify recruiters' identities through official channels.

Use EDR and antivirus solutions to detect and block the malicious payloads delivered by the lure documents.


Harden software configurations, such as disabling macros in Microsoft Office, to prevent the execution of code from weaponized documents.


D3FEND Defensive Countermeasures

To counter the malware delivery vector of Operation DreamJob, defense companies must use an email security gateway with advanced sandboxing capabilities. This involves automatically routing all incoming email attachments, especially Office documents and PDFs, to an isolated environment for dynamic analysis. In this sandbox, the file is opened, and its behavior is monitored. If the document attempts to run a macro, execute PowerShell, or make a network connection to download a payload, the sandbox will flag it as malicious and block it from ever reaching the employee's inbox. This automates the detection of the weaponized lure documents used by Lazarus, providing a critical technical control to backstop human error.

Since Operation DreamJob's success hinges on tricking an employee, continuous security awareness training is the most important non-technical countermeasure. For high-value targets like defense contractors, this must go beyond annual training. Conduct frequent, targeted phishing simulations that mimic the TTPs of Lazarus, using sophisticated job offer lures. Track failure rates and provide immediate, contextual feedback to employees who click. Train employees to be deeply suspicious of any unsolicited contact from 'recruiters' and to independently verify their identity by contacting the supposed hiring company through its official website or phone number, not by using contact information from the suspicious email.

To prevent the malware payload from running even if an employee is tricked, organizations should implement application control or executable allowlisting on employee workstations. In a properly configured allowlisting environment, only approved and signed applications are permitted to run. When the Lazarus lure document attempts to drop and execute its second-stage malware payload, the operating system would block the execution because the malware's hash or publisher is not on the allowlist. While challenging to implement in diverse environments, this is a powerful control that can effectively neutralize the execution phase of the attack.
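The allowlisting decision described above can be modelled as a deny-by-default policy evaluator with the three rule types that application-control products commonly offer (publisher, hash and path), where an explicit deny outranks any allow. The following is an added example written for this report, not code from the page's sources or from any application-control product; the policy, publisher names, file paths and hashes are all constructed placeholders.

```python
"""Deny-by-default execution decision modelled on publisher, hash and path
rules (added example; rules and file records are constructed placeholders)."""

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Binary:
    path: str
    sha256: str
    publisher: Optional[str]  # subject of a valid code signature, None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str    # "publisher", "hash" or "path"
    value: str
    action: str  # "allow" or "deny"


def matches(rule: Rule, binary: Binary) -> bool:
    """True if the binary satisfies the rule's condition."""
    if rule.kind == "publisher":
        return binary.publisher is not None and binary.publisher == rule.value
    if rule.kind == "hash":
        return binary.sha256.lower() == rule.value.lower()
    if rule.kind == "path":
        return fnmatchcase(binary.path.lower(), rule.value.lower())
    raise ValueError(f"unknown rule kind: {rule.kind}")


def decide(binary: Binary, rules: List[Rule]) -> Tuple[str, str]:
    """Explicit deny beats allow; anything unmatched is denied by default."""
    hits = [r for r in rules if matches(r, binary)]
    for r in hits:
        if r.action == "deny":
            return "deny", f"explicit deny ({r.kind}={r.value})"
    for r in hits:
        if r.action == "allow":
            return "allow", f"allowed by {r.kind} rule ({r.value})"
    return "deny", "no matching allow rule (default deny)"


# Constructed policy: trust two signing publishers and the Program Files
# tree, and never run anything out of user-writable temp folders.
POLICY = [
    Rule("publisher", "O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "allow"),
    Rule("publisher", "O=ACME Avionics Ltd, C=GB", "allow"),
    Rule("path", r"C:\Program Files\*", "allow"),
    Rule("path", r"C:\Users\*\AppData\Local\Temp\*", "deny"),
]

# Constructed file records (hashes are placeholders, not real indicators).
WINWORD = Binary(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "aa" * 32, "O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
DROPPED_PAYLOAD = Binary(r"C:\Users\engineer\AppData\Local\Temp\JobDescription.pdf.exe",
                         "bb" * 32, None)
UNSIGNED_IN_DOWNLOADS = Binary(r"C:\Users\engineer\Downloads\viewer.exe", "cc" * 32, None)
SIGNED_IN_TEMP = Binary(r"C:\Users\engineer\AppData\Local\Temp\acme_tool.exe",
                        "dd" * 32, "O=ACME Avionics Ltd, C=GB")

if __name__ == "__main__":
    for b in (WINWORD, DROPPED_PAYLOAD, UNSIGNED_IN_DOWNLOADS, SIGNED_IN_TEMP):
        verdict, reason = decide(b, POLICY)
        print(f"{verdict:5} {b.path}  ({reason})")
```

The last record shows why the deny rule on temp folders matters: a validly signed tool dropped into a user-writable location is still refused, which is the precedence behaviour that keeps a stolen or abused signing certificate from turning into an execution path.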

Sources & References

Lazarus targets European defense firms in UAV-themed Operation DreamJob. Security Affairs (securityaffairs.com), October 23, 2025.
SecurityWeek: Cybersecurity News, Insights and Analysis. SecurityWeek (securityweek.com), October 24, 2025.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Lazarus Group, Operation DreamJob, APT, Cyber-espionage, Defense Industry
