The North Korean state-sponsored Lazarus hacking group has launched a classy cyberespionage marketing campaign concentrating on European protection contractors concerned in uncrewed aerial car (UAV) manufacturing.
The assaults seem straight linked to North Korea’s efforts to speed up its home drone manufacturing capabilities via industrial espionage.
The focused organizations embody a metallic engineering agency, an plane element producer, and a specialised protection firm, with a minimum of two closely concerned in UAV expertise improvement and manufacturing.
The marketing campaign represents a brand new wave of Operation DreamJob, Lazarus’s signature social engineering operation that makes use of pretend job presents at prestigious corporations as bait.
Beginning in late March 2025, ESET recognized a number of assaults concentrating on three defense-sector corporations throughout Southeastern and Central Europe.
Victims obtain fraudulent job descriptions alongside trojanized PDF readers, which ship malware when executed. This misleading tactic has confirmed remarkably efficient regardless of widespread safety consciousness campaigns.
The attackers deployed ScoringMathTea, a classy distant entry trojan (RAT) that has served as Lazarus’s payload of selection for 3 years.
BinMergeLoader leverages the Microsoft Graph API and makes use of Microsoft API tokens for authentication.
First noticed in October 2022, ScoringMathTea helps roughly 40 instructions, enabling attackers to control information and processes, accumulate system info, set up TCP connections, and execute downloaded payloads.
One dropper pattern found by researchers contained the inner identify “DroneEXEHijackingLoader.dll,” offering a direct hyperlink to the marketing campaign’s concentrate on UAV expertise theft.
The malware leverages DLL side-loading strategies and trojanizes reputable open-source tasks from GitHub together with TightVNC Viewer, MuPDF reader, and plugins for Notepad++ and WinMerge to evade detection.
ESET researchers famous important evolution within the group’s techniques, together with new DLL proxying libraries and improved collection of open-source tasks for trojanization.
The malware makes use of compromised WordPress servers for command-and-control communication, sometimes storing server elements inside theme or plugin directories.
The timing and goal choice strongly counsel the marketing campaign goals to steal proprietary UAV designs, manufacturing processes, and industrial know-how.
North Korea has invested closely in home drone capabilities, with latest reviews indicating Pyongyang is creating low-cost assault UAVs for potential export to African and Center Jap markets. Russia is reportedly aiding North Korea in producing knockoff Iranian Shahed suicide drones.
North Korea’s flagship reconnaissance drone, the Saetbyol-4, seems as a carbon copy of the Northrop Grumman RQ-4 World Hawk, whereas the Saetbyol-9 fight drone intently resembles Normal Atomics’ MQ-9 Reaper.
These designs show North Korea’s reliance on reverse engineering and mental property theft to advance its navy capabilities.
At the very least one focused firm manufactures vital elements for UAV fashions at present deployed in Ukraine, which North Korean forces could have encountered on the frontline in Russia’s Kursk area, the place North Korean troops had been deployed in 2025.
Moreover, the corporate is concerned in superior single-rotor drone improvement unmanned helicopter expertise that Pyongyang is actively creating however has not efficiently militarized.
Attribution and Broader Context
ESET attributed the assaults to Lazarus with excessive confidence primarily based on a number of indicators: the social engineering methodology, trojanization of GitHub open-source tasks for DLL side-loading, deployment of ScoringMathTea, and concentrating on of European aerospace and protection sectors.
Lazarus, often known as HIDDEN COBRA, is a complicated persistent menace (APT) group linked to North Korean intelligence providers and lively since a minimum of 2009.
The group is answerable for high-profile incidents together with the 2016 Sony Footage Leisure hack, tens-of-millions-of-dollar cyberheists, the 2017 WannaCry ransomware outbreak, and ongoing assaults towards South Korean infrastructure.
Safety consultants advocate protection contractors implement rigorous worker coaching on social engineering techniques, significantly pretend recruitment lures.
Organizations ought to scrutinize job presents from sudden sources, confirm executable information earlier than opening, and deploy superior endpoint detection options able to figuring out trojanized reputable software program.
Community segmentation and privileged entry administration can restrict lateral motion if preliminary compromise happens.
IoCs
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 28978E987BC59E75CA22562924EAB93355CF679E | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| 5E5BBA521F0034D342CC26DB8BCFECE57DBD4616 | libmupdf.dll | Win64/NukeSped.TE | A loader disguised as a MuPDF rendering library v3.3.3. |
| B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539 | radcui.dll | Win64/NukeSped.TO | A dropper disguised as a RemoteApp and Desktop Connection UI Element library. |
| 26AA2643B07C48CB6943150ADE541580279E8E0E | HideFirstLetter.DLL | Win64/NukeSped.TO | BinMergeLoader. |
| 0CB73D70FD4132A4FF5493DAA84AAE839F6329D5 | libpcre.dll | Win64/NukeSped.TP | A loader that may be a trojanized libpcre library. |
| 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4 | webservices.dll | Win64/NukeSped.RN | A dropper disguised as a Microsoft Internet Providers Runtime library. |
| 71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 87B2DF764455164C6982BA9700F27EA34D3565DF | webservices.dll | Win64/NukeSped.RW | A dropper disguised as a Microsoft Internet Providers Runtime library. |
| E670C4275EC24D403E0D4DE7135CBCF1D54FF09C | N/A | Win64/NukeSped.RW | ScoringMathTea. |
| B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE | radcui.dll | Win64/NukeSped.TF | A loader disguised as a RemoteApp and Desktop Connection UI Element library. |
| 5B85DD485FD516AA1F4412801897A40A9BE31837 | RCX1A07.tmp | Win64/NukeSped.TH | A loader of an encrypted ScoringMathTea. |
| B68C49841DC48E3672031795D85ED24F9F619782 | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| AC16B1BAEDE349E4824335E0993533BF5FC116B3 | cache.dat | Win64/NukeSped.QK | A decrypted ScoringMathTea RAT. |
| 2AA341B03FAC3054C57640122EA849BC0C2B6AF6 | msadomr.dll | Win64/NukeSped.SP | A loader disguised as a Microsoft DirectInput library. |
| CB7834BE7DE07F89352080654F7FEB574B42A2B8 | ComparePlus.dll | Win64/NukeSped.SJ | A trojanized Notepad++ plugin disguised as a Microsoft Internet Providers Runtime library. A dropper from VirusTotal. |
| 262B4ED6AC6A977135DECA5B0872B7D6D676083A | tzautosync.dat | Win64/NukeSped.RW | A decrypted ScoringMathTea, saved encrypted on the disk. |
| 086816466D9D9C12FCADA1C872B8C0FF0A5FC611 | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05 | cache.dat | Win64/NukeSped.SN | A downloader just like BinMergeLoader constructed as a trojanized NPPHexEditor plugin. |
Observe us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
