North Korean Lazarus Group Uses Trojanized MuPDF and Notepad++ Plugins to Target European UAV and Drone Technology Firms
- Rescana
- Oct 26
- 5 min read

Executive Summary
Recent threat intelligence from leading cybersecurity vendors, including ESET, confirms that North Korean state-sponsored actors, specifically the Lazarus Group (also tracked as HIDDEN COBRA; its financially motivated subgroup is tracked as APT38), are actively targeting European companies in the unmanned aerial vehicle (UAV) and drone technology sector. This campaign, assessed as a new wave of Operation DreamJob, combines tailored social engineering, trojanized open-source software, and custom remote access trojans (RATs) to exfiltrate proprietary drone technology and sensitive manufacturing data. The attackers' primary objective appears to be accelerating North Korea's domestic drone program and bolstering its military export capabilities. At least three European defense and aerospace firms have been compromised, and the campaign is ongoing and evolving.
Threat Actor Profile
The Lazarus Group is a highly sophisticated, North Korean state-aligned advanced persistent threat (APT) actor with a long history of cyberespionage, financial theft, and disruptive operations. Known for campaigns such as Operation DreamJob, Operation North Star, and Operation In(ter)ception, the group leverages a diverse toolkit and demonstrates advanced operational security. Their targeting of the European UAV sector aligns with North Korea’s strategic priorities to acquire advanced military technology and circumvent international sanctions. The group is characterized by its use of custom malware, supply chain attacks, and highly tailored spear-phishing lures, often impersonating recruiters or leveraging fake job offers to gain initial access.
Technical Analysis of Malware/TTPs
The attack chain begins with highly targeted social engineering. Victims, typically engineers or executives in UAV and defense firms, receive fake job offers via LinkedIn or email. These lures are crafted to appear as legitimate recruitment communications from well-known defense contractors or aerospace firms. The communication includes a decoy document and a trojanized open-source application, such as a modified MuPDF PDF reader, TightVNC viewer, or Notepad++ plugin.
Upon execution, the trojanized application loads a malicious DLL from its own directory, such as DroneEXEHijackingLoader.dll, so that the attacker's code runs inside a legitimate, expected process (DLL side-loading) and evades detection. The primary payload, ScoringMathTea RAT (also known as ForestTiger), is a modular remote access trojan supporting over 40 commands, including file and process manipulation, system reconnaissance, command execution, and delivery of additional payloads. This RAT is continuously updated and has been observed in attacks against technology and defense firms in India, Poland, the UK, and Italy.
For persistence and further exploitation, the attackers deploy additional loaders such as BinMergeLoader, which leverages the Microsoft Graph API and API tokens for stealthy command and control (C2) communications. The malware communicates with C2 infrastructure hosted on compromised legitimate websites, often WordPress-based, using encrypted (IDEA or AES) and base64-encoded traffic to obfuscate exfiltration and command channels.
The attackers have also weaponized a range of open-source projects, including MuPDF, TightVNC, Notepad++ plugins (NPPHexEditor, ComparePlus), WinMerge plugins, DirectX Wrappers, and libpcre. These trojanized components are tailored for each target, with the most consistently observed versions being MuPDF v3.3.3 and libpcre v8.45.
Indicators of Compromise (IOCs)
Key file hashes (SHA-1) associated with this campaign:
- webservices.dll: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4
- TSMSISrv.dll: 28978E987BC59E75CA22562924EAB93355CF679E
- libmupdf.dll: 5E5BBA521F0034D342CC26DB8BCFECE57DBD4616
- radcui.dll: B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539
- HideFirstLetter.DLL: 26AA2643B07C48CB6943150ADE541580279E8E0E
- libpcre.dll: 0CB73D70FD4132A4FF5493DAA84AAE839F6329D5
- ComparePlus.dll: CB7834BE7DE07F89352080654F7FEB574B42A2B8
C2 infrastructure, hosted on compromised legitimate websites, includes the following domains:
- coralsunmarine[.]com
- kazitradebd[.]com
- oldlinewoodwork[.]com
- www.mnmathleague[.]org
- pierregems[.]com
- ecudecode[.]mx
- partnerls[.]pl
Malicious payloads are often delivered via paths such as /wp-content/themes/flatsome/inc/functions/function-hand.php and similar.
The campaign’s tactics, techniques, and procedures (TTPs) map to the MITRE ATT&CK framework as follows: resource development via compromised infrastructure (T1584.004), user execution of malicious files (T1204.002), persistence through DLL side-loading (T1574.002), defense evasion using obfuscated and encrypted payloads (T1140, T1027), discovery of files and processes (T1083, T1057), C2 over web protocols (T1071.001), and exfiltration over C2 channels (T1041).
Exploitation in the Wild
The campaign has resulted in confirmed compromises of at least three European companies in the defense and UAV sector, including organizations specializing in metal engineering, aircraft components, and defense manufacturing. Victims have been observed in Italy, Spain, and across Central and Southeastern Europe. The initial infection vector is almost exclusively social engineering, with attackers leveraging fake job offers to entice high-value targets into executing trojanized software. Once inside the network, the attackers deploy ScoringMathTea RAT, BinMergeLoader, QuanPinLoader, and other custom malware to establish persistence, escalate privileges, and exfiltrate sensitive data.
The attackers’ use of legitimate, compromised websites for C2 infrastructure, combined with encrypted and obfuscated communications, has enabled them to evade many traditional detection mechanisms. The campaign’s focus on intellectual property theft, particularly proprietary UAV designs and manufacturing processes, underscores the strategic value of the targeted data.
Victimology and Targeting
The primary targets are European companies operating in the defense, aerospace, and UAV/drone technology sectors. The attackers have demonstrated a high degree of selectivity, focusing on organizations with advanced engineering capabilities and access to sensitive intellectual property. Countries affected include Italy, Spain, Poland, the UK, India, Portugal, and Germany, with a particular emphasis on firms involved in metal engineering, aircraft component manufacturing, and defense technology development.
The attackers’ social engineering tactics are highly tailored, often referencing real job openings and leveraging detailed knowledge of the target organization’s structure and personnel. This level of sophistication suggests significant reconnaissance and a deep understanding of the European defense supply chain.
Mitigation and Countermeasures
Organizations in the UAV and defense sectors should implement a multi-layered defense strategy to mitigate the risk posed by this campaign. Key recommendations include:
- Block and monitor all known IOCs and C2 domains associated with the campaign, including those listed above and in the referenced ESET GitHub repository. Because the trojanized components are tailored per target, hash-based blocking catches only the samples already seen; treat hash matches as confirmation, not as the primary control.
- Educate staff, particularly those in sensitive engineering and executive roles, about targeted social engineering and the specific tactics used in fake job offer lures (unsolicited recruiter contact, a decoy document delivered with a "reader" to open it).
- Audit and restrict the execution of unsigned or unexpected DLLs and open-source software in environments handling sensitive intellectual property; application allow-listing (for example, a policy that permits only signed or explicitly approved binaries and libraries) directly blocks the DLL side-loading step of this chain.
- Monitor for process injection, DLL side-loading (a DLL loaded from a user-writable directory next to an otherwise legitimate executable), and encrypted outbound traffic to unknown or suspicious domains, including unexpected use of the Microsoft Graph API from engineering workstations, with a focus on anomalous use of open-source tools and plugins.
- Deploy endpoint detection and response (EDR) tooling capable of identifying and blocking the execution of known malicious payloads such as ScoringMathTea RAT and BinMergeLoader.
- Regularly review and update incident response plans to ensure rapid containment and remediation in the event of a compromise.
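As an added illustration (not code from the original article, from ESET, or from Rescana), the following Python script turns the IOC section above and the first two monitoring recommendations into a sweep a responder could run: it hashes DLLs under a directory tree and compares them with the SHA-1 list, and it scans proxy log lines for the listed C2 domains (including their subdomains) and the WordPress theme payload path. The hashes, domains and path come from the IOC section; the proxy log format and the sample log lines are constructed for the example, and the theme name in the path is treated as a wildcard because the article says "and similar". Matching files by hash rather than by filename means a renamed copy of a known sample is still caught, but a rebuilt sample tailored to a new target is not, which is why the behavioural controls in the list above remain the primary defense.

```python
"""IOC sweep for the Operation DreamJob UAV wave: file hashes and proxy log matching."""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# SHA-1 hashes from the IOC section, lower-cased for comparison.
IOC_SHA1: Dict[str, str] = {
    "03d9b8f0fcf9173d2964ce7173d21e681dfa8da4": "webservices.dll",
    "28978e987bc59e75ca22562924eab93355cf679e": "TSMSISrv.dll",
    "5e5bba521f0034d342cc26db8bcfece57dbd4616": "libmupdf.dll",
    "b12eeb595feec2cfbf9a60e1cc21a14ce8873539": "radcui.dll",
    "26aa2643b07c48cb6943150ade541580279e8e0e": "HideFirstLetter.DLL",
    "0cb73d70fd4132a4ff5493daa84aae839f6329d5": "libpcre.dll",
    "cb7834be7de07f89352080654f7feb574b42a2b8": "ComparePlus.dll",
}

# C2 domains from the IOC section with the de-fanging brackets removed.
C2_DOMAINS = {
    "coralsunmarine.com", "kazitradebd.com", "oldlinewoodwork.com",
    "www.mnmathleague.org", "pierregems.com", "ecudecode.mx", "partnerls.pl",
}

# Payload staging path from the IOC section; the theme directory is a wildcard (assumption).
C2_PATH_RE = re.compile(r"/wp-content/themes/[^/\s]+/inc/functions/function-hand\.php$", re.I)

# Constructed proxy log format (assumption): timestamp, source IP, method, URL, status.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample log lines for the example; not real traffic.
SAMPLE_PROXY_LOG = """\
2025-10-27T09:14:03Z 10.0.5.21 GET https://www.mnmathleague.org/wp-content/themes/flatsome/inc/functions/function-hand.php 200
2025-10-27T09:14:09Z 10.0.5.21 POST https://cdn.pierregems.com/api/v1/upload 200
2025-10-27T09:15:40Z 10.0.5.33 GET https://notpierregems.com/index.html 200
2025-10-27T09:16:02Z 10.0.5.40 GET https://example.org/wp-content/themes/astra/inc/functions/function-hand.php 404
2025-10-27T09:17:11Z 10.0.5.21 GET https://www.microsoft.com/ 200
""".splitlines()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large binaries do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Optional[Dict[str, str]] = None,
              suffixes: Tuple[str, ...] = (".dll",)) -> List[Tuple[str, str]]:
    """Return (path, ioc_name) for every file under root whose SHA-1 is in the IOC list.
    The match is on content, so a renamed copy of a known sample is still reported."""
    iocs = IOC_SHA1 if iocs is None else iocs
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def host_is_c2(host: str) -> bool:
    """Exact match or subdomain of a listed C2 domain; 'notpierregems.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Flag log lines that touch a C2 domain and/or the WordPress payload path.
    A path hit on an unlisted host is reported too: the article says 'and similar'."""
    findings: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or foreign-format line
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        reasons = []
        if host_is_c2(host):
            reasons.append("c2-domain")
        if C2_PATH_RE.search(parts.path):
            reasons.append("c2-path")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_PROXY_LOG):
        print(finding)
    for path, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC hash match: {path} ({name})")
```

Run it with a directory argument to hash every DLL beneath it; without one it hashes the current directory and, in both cases, prints the three findings from the constructed log. Feed real proxy lines through `scan_log` after adjusting `LOG_RE` to the proxy's format, and extend `IOC_SHA1` and `C2_DOMAINS` from the ESET GitHub repository referenced below.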
References
- ESET WeLiveSecurity: Gotta fly: Lazarus targets the UAV sector (Oct 2025)
- SecurityWeek: North Korean Hackers Aim at European Drone Companies
- The Hacker News: North Korean Hackers Lure Defense Engineers With Fake Jobs
- DarkReading: Lazarus Group Hunts European Drone Manufacturing Data
- ESET GitHub: Lazarus Operation DreamJob UAV IOCs
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience of critical business operations. For more information about how Rescana can help your organization strengthen its cyber defense posture, we are happy to answer questions at ops@rescana.com.