ESET researchers have recently observed a new instance of Operation DreamJob, a campaign that we track under the umbrella of North Korea-aligned Lazarus, in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program.
This blogpost discusses the broader geopolitical implications of the campaign and provides a high-level overview of the toolset used by the attackers. Lazarus attacks against companies developing UAV technology align with recently reported developments in the North Korean drone program.
The attackers’ suspected primary goal was the theft of proprietary information and manufacturing know-how. Based on the social-engineering technique used for initial access, trojanizing open-source projects from GitHub, and the deployment of ScoringMathTea, ESET Research considers these attacks to be a new wave of the Operation DreamJob campaign.
Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the “dream job” lure).

Targets are predominantly in the aerospace and defence sectors, followed by engineering and technology companies, and the media and entertainment sector. The primary goal is cyberespionage, focusing on stealing sensitive data, intellectual property, and proprietary information, and the secondary goal is financial gain.
Starting in late March 2025, we observed in ESET telemetry cyberattacks reminiscent of Operation DreamJob campaigns.
The in-the-wild attacks successively targeted three European companies active in the defense sector. Although their activities are somewhat diverse, these entities can be described as:
· a metal engineering company (Southeastern Europe),
· a manufacturer of aircraft components (Central Europe), and
· a defense company (Central Europe).
The main payload deployed to the targets was ScoringMathTea, a RAT that offers the attackers full control over the compromised machine.
Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus’ Operation DreamJob campaigns, which has made it the attackers’ payload of choice for three years now.
It uses compromised servers for C&C communication, with the server part usually stored under the WordPress folder containing design templates or plugins.
The three targeted organisations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance.
At least two of these organisations are clearly involved in the development of UAV technology, with one manufacturing critical components and the other reportedly engaged in the design of UAV-related software.
Some technical artefacts observed in the threat actors’ droppers significantly reinforce the hypothesis that the UAV sector specifically was their main cyberespionage goal.
Responding to these recent revelations of global cyberespionage campaigns by ESET, Olufemi Ake, Managing Director of ESET Nigeria, has raised concerns over the growing vulnerability in the defense ecosystem, going by the current state of security in the region, particularly West Africa.
“It is an attractive region for cyberattacks,” Ake stated. “With the increasing digital connectivity, expansion of defence partnerships, and emergence as a numerous tech innovation hub, individuals are now seen as potential entry points for both direct cyber threats and indirect access to global supply chains as it relates to the security situation in certain pocket areas.”


He identified several sectors currently at heightened risk, including government agencies or institutions holding large amounts of citizens’ data; key sectors in partnership with the government that hold sensitive intellectual property, such as engineering and technology firms; critical infrastructure operators such as power, telecommunications, and finance; and the defence, aerospace, and media industries.
To mitigate these risks, Ake emphasised the importance of integrating cybersecurity awareness training into employee onboarding processes.
He urged organisations to prioritise the education of staff, the deployment of robust device protection, and the implementation of advanced threat detection systems, alongside regular system updates.
These, he noted, are essential strategies to maintain resilience and stay ahead of the evolving threat landscape.
In a broader appeal, Ake called on West African nations to treat cybersecurity as a strategic imperative at the helm of affairs.
“As countries across the region continue their digital transformation journeys, cyber resilience must be made a top priority,” he said. “Achieving this will require regional collaboration, sustained awareness campaigns, and long-term investment in cybersecurity capacity-building to safeguard national interests, economic growth, and public trust in digital systems.”