North Korean Lazarus APT Targets EU Defense Firms via Dream Job Lures
Category: Threat Alerts / Threat Intelligence
ESET and allied researchers attribute 'Operation Dream Job' to North Korean-linked Lazarus actors who used fake job offers to target European defense companies involved in UAV development. Lures included trojanized PDF readers and decoy documents; payloads observed include ScoringMathTea and MISTPEN families and a downloader named BinMergeLoader that abuses Microsoft Graph tokens to pull additional modules. The operation aims to harvest proprietary drone designs and manufacturing know-how. The campaign demonstrates persistent social-engineering tradecraft and reuse of modular loaders to keep the payloads polymorphic. Organizations in the aerospace and defense supply chain should assume targeted reconnaissance and prioritize hardening developer and engineering environments.
CORTEX Protocol Intelligence Assessment
Business Impact: High. Theft of UAV design and manufacturing IP risks military, commercial, and regulatory consequences.
Technical Context: Modular trojans and token-based loaders facilitate stealthy multi-stage intrusions.
Strategic Intelligence Guidance
- Harden developer and CAD environments and restrict external document handling.
- Monitor for Graph API token misuse and anomalous cloud API activity.
- Apply EDR with behavioral detection tuned for modular loader activity.
- Share indicators with sector CERTs and supply-chain partners.
Intelligence Source: North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets | Oct 24, 2025