Lazarus targets the UAV sector

Overview

Beginning in late March 2025, we noticed in ESET telemetry cyberattacks harking back to Operation DreamJob campaigns. The in-the-wild assaults successively focused three European corporations lively within the protection sector. Though their actions are considerably various, these entities might be described as:

• a steel engineering firm (Southeastern Europe),
• a producer of plane elements (Central Europe), and
• a protection firm (Central Europe).

All circumstances concerned droppers which have the fascinating inside DLL title, DroneEXEHijackingLoader.dll, which led us down the drone phase rabbit gap. Additionally, preliminary entry was probably achieved through social engineering – an Operation DreamJob specialty. The dominant theme is a profitable however fake job supply with a aspect of malware: the goal receives a decoy doc with a job description and a trojanized PDF reader to open it.

The principle payload deployed to the targets was ScoringMathTea, a RAT that provides the attackers full management over the compromised machine. Its first look dates to late 2022, when its dropper was uploaded to VirusTotal. Quickly after, it was seen within the wild, and since then in a number of assaults attributed to Lazarus’ Operation DreamJob campaigns, which makes it the attacker’s payload of alternative for already three years. It makes use of compromised servers for C&C communication, with the server half normally saved beneath the WordPress folder containing design templates or plugins.

In abstract, we attribute this exercise with a excessive degree of confidence to Lazarus, notably to its campaigns associated to Operation DreamJob, based mostly on the next:

• Preliminary entry was obtained by social engineering, convincing the goal to execute malware disguised as a job description, as a way to achieve a hiring course of.
• Trojanizing open-source tasks after which crafting their exports to suit the DLL side-loading appears to be an method particular to Operation DreamJob.
• The flagship payload for later levels, ScoringMathTea, was utilized in a number of related assaults up to now.
• The focused sectors, positioned in Europe, align with the targets of the earlier cases of Operation DreamJob (aerospace, protection, engineering).

Geopolitical context

The three focused organizations manufacture several types of navy tools (or elements thereof), lots of that are at present deployed in Ukraine because of European international locations’ navy help. On the time of Operation DreamJob’s noticed exercise, North Korean troopers had been deployed in Russia, reportedly to assist Moscow repel Ukraine’s offensive within the Kursk oblast. It’s thus attainable that Operation DreamJob was excited about amassing delicate data on some Western-made weapons methods at present employed within the Russia-Ukraine conflict.

Extra typically, these entities are concerned within the manufacturing of sorts of materiel that North Korea additionally manufactures domestically, and for which it may be hoping to good its personal designs and processes. In any case, there isn’t a indication that the focused corporations provide navy tools to the South Korean armed forces – which might have been one other factor explaining Operation DreamJob’s curiosity in these corporations. Apparently, nonetheless, at the very least two of those organizations are clearly concerned within the growth of UAV know-how, with one manufacturing important drone elements and the opposite reportedly engaged within the design of UAV-related software program.

The curiosity in UAV-related know-how is notable, because it echoes current media studies indicating that Pyongyang is investing closely in home drone manufacturing capabilities. Though this endeavor might be traced again to greater than a decade in the past, many observers posit that North Korea’s current expertise of recent warfare within the Russia-Ukraine conflict has solely bolstered Pyongyang’s decision with regard to its drone program. The North Korean regime is now reportedly receiving help from Russia to supply its personal model of the Iranian-made Shahed suicide drone and can also be apparently engaged on low-cost assault UAVs that could possibly be exported to African or Center Japanese international locations.

Assessing the “drone connection”

If one factor is evident, it’s that North Korea has relied closely on reverse engineering and mental property theft to develop its home UAV capabilities. As current open-source studies illustrate, North Korea’s present flagship reconnaissance drone, the Saetbyol‑4, seems like a carbon copy of the Northrop Grumman RQ‑4 International Hawk, whereas its multipurpose fight drone, the Saetbyol‑9, bears a putting resemblance to Normal Atomics’ MQ‑9 Reaper. The truth that each designations replicate the quantity related to their US equal would possibly even be a not-so-subtle nod to that impact. Though these aircrafts’ efficiency could effectively differ from these of their US counterparts, there may be little doubt that the latter served as a powerful inspiration for North Korea’s designs.

That is most likely the place cybercapabilities enter the fray. Whereas different intelligence sources had been probably mobilized by Pyongyang to assist copy Western UAVs, there are indications that cyberespionage could have performed a job. Lately, a number of campaigns affecting the aerospace sector (together with UAV know-how particularly) have been attributed to North Korea-aligned APT teams, with Operation North Star (a marketing campaign presenting some overlap with Operation DreamJob) being certainly one of them. In 2020, ESET researchers documented the same marketing campaign, which we then named Operation In(ter)ception and later attributed to Lazarus with excessive confidence. As a number of teams associated to Lazarus have been formally linked to North Korean intelligence providers by US authorities and others, these precedents strongly recommend that cyberespionage is probably going one of many instruments leveraged by the regime for reverse engineering Western UAVs – and that teams working beneath the broad Lazarus umbrella are taking an lively half on this effort.

On this context, we consider that it’s probably that Operation DreamJob was – at the very least partially – aimed toward stealing proprietary data, and manufacturing know-how, relating to UAVs. The Drone point out noticed in one of many droppers considerably reinforces this speculation.

To be clear, we are able to solely hypothesize as to the particular sort of data that Operation DreamJob was after. Nonetheless, we’ve got discovered proof that one of many focused entities is concerned within the manufacturing of at the very least two UAV fashions which can be at present employed in Ukraine, and which North Korea could have encountered on the frontline. This entity can also be concerned within the provide chain of superior single-rotor drones (i.e., unmanned helicopters), a sort of plane that Pyongyang is actively growing however has not proved in a position to militarize to this point. These could also be among the potential motivations behind Operation DreamJob’s noticed actions. Extra typically, as North Korea is reportedly within the technique of constructing a manufacturing facility for mass-producing UAVs, it may also be searching for privileged data relating to UAV-related industrial processes and manufacturing strategies.

Toolset

Studies from Google’s Mandiant in September 2024 and from Kaspersky in December 2024 describe instruments utilized by Lazarus in its Operation DreamJob in 2024. On this part, we point out the instruments to which the group shifted in Operation DreamJob in 2025. Primarily based on their place within the execution chain, we distinguish two sorts of instruments: early levels that consist of varied droppers, loaders, and downloaders; and the principle levels that characterize payloads like RATs and sophisticated downloaders that give the attackers ample management over the compromised machine.

Apart from the in-the-wild circumstances seen in ESET telemetry, the exercise of the attackers additionally manifested as VirusTotal submissions occurring on the similar time. A trojanized MuPDF reader, QuanPinLoader, a loader disguised as a Microsoft DirectInput library (dinput.dll), and a variant of ScoringMathTea had been submitted from Italy in April and June 2025; BinMergeLoader was submitted in August 2025 from Spain.

Droppers, loaders, and downloaders

Usually, Lazarus attackers are extremely lively and deploy their backdoors in opposition to a number of targets. This frequent use exposes these instruments and permits them to grow to be detected. As a countermeasure, the group’s instruments are preceded within the execution chain by a sequence of droppers, loaders, and easy downloaders. Sometimes, the loaders used search for the subsequent stage on the file system or within the registry, decrypt it utilizing AES-128 or ChaCha20, and manually load it in reminiscence through the routines applied within the MemoryModule library; a dropper is mainly a loader however accommodates the subsequent stage embedded in its physique. The principle payload, ScoringMathTea in all circumstances noticed, isn’t current on the disk in unencrypted kind. Instance execution chains are seen in Determine 1. In some circumstances, the attackers additionally deployed a posh downloader that we name BinMergeLoader, which is analogous to the MISTPEN malware reported by Google’s Mandiant. BinMergeLoader leverages the Microsoft Graph API and makes use of Microsoft API tokens for authentication.

The attackers determined to include their malicious loading routines into open-source tasks accessible on GitHub. The selection of challenge varies from one assault to a different. In 2025, we noticed the next malware:

• Trojanized TightVNC Viewer and MuPDF reader that function downloaders.
• A trojanized end-of-life libpcre v8.45 library for Home windows, serving as a loader.
• A loader that has the Mandarin Chinese language image 样 (yàng within the Pinyin transliteration) as an icon within the sources. It additionally accommodates the string SampleIMESimplifiedQuanPin.txt, which means that it’s most likely based mostly on the open-source challenge Pattern IME, a TSF-based enter methodology editor demo. We name this QuanPinLoader.
• Loaders constructed from the open-source challenge DirectX Wrappers.
• Downloaders constructed from open-source plugins for WinMerge (DisplayBinaryFiles and HideFirstLetter). We name the 2 trojanized plugins BinMergeLoader.
• Trojanized open-source plugins for Notepad++, particularly a downloader similar to BinMergeLoader (NPPHexEditor v10.0.0 by MacKenzie Cumings) and a dropper of an unknown payload (ComparePlus v1.1.0 by Pavel Nedev). The latter binary accommodates the PDB path E:WorkTroy안정화wksprtcomparePlus-masterNotepad++pluginsComparePlusComparePlus.pdb, which suggests the origin of the challenge (comparePlus-master) and its supposed official father or mother course of (wksprt). Additionally, 안정화 means steady in Korean, which signifies that the code was probably correctly examined and dependable.

One of many droppers (SHA-1: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4) has the inner DLL title DroneEXEHijackingLoader.dll and is disguised as a Home windows Internet Companies Runtime library as a way to be efficiently side-loaded; see Determine 2. We consider that the substring drone is there to designate each a UAV machine and the attacker’s inside marketing campaign title.

Desk 1 reveals a typical mixture of official executable information (EXEs) and malicious dynamic hyperlink libraries (DLLs) delivered to the sufferer’s system (that is analogous to Desk 1 in our blogpost on an assault in opposition to a Spanish aerospace firm in 2023). The DLLs within the third column are both trojanized open-source functions (see the fourth column for the underlying challenge) or a standalone malware binary with out such benign context, with a official EXE side-loading it. The placement folder (the primary column) is uncommon for such official functions. Malicious DLLs use the DLL proxying method, so as to not break the execution. Due to this fact, when a DLL can also be a trojanized challenge, it accommodates two heterogeneous sorts of exports: first the set of features required for DLL proxying, and second the set of features exported from the open-source challenge.

Desk 1. Abstract of binaries concerned within the assault

* Denotes a VirusTotal submission and its probably father or mother course of. The payload is unknown, since an extended command-line argument is required for its decryption from the trojanized challenge.

ScoringMathTea

ScoringMathTea is a posh RAT that helps round 40 instructions. Its title is a mix of the basis ScoringMath, taken from a C&C area utilized by an early variant (www.scoringmnmathleague[.]org), and the suffix -Tea, which is ESET Analysis’s designation for a North Korea-aligned payload. It was first publicly documented by Kaspersky in April 2023 and later by Microsoft in October 2023 beneath the title ForestTiger, which follows the inner DLL title or the PDB data present in some samples.

Its first look might be traced again to VirusTotal submissions from Portugal and Germany in October 2022, the place its dropper posed as an Airbus-themed job supply lure. The applied performance is the same old required by Lazarus: manipulation of information and processes, exchanging the configuration, amassing the sufferer’s system information, opening a TCP connection, and executing native instructions or new payloads downloaded from the C&C server. The present model doesn’t present any dramatic adjustments in its function set or its command parsing. So the payload might be receiving steady, somewhat minor enhancements and bug fixes.

Concerning ESET telemetry, ScoringMathTea was seen in assaults in opposition to an Indian know-how firm in January 2023, a Polish protection firm in March 2023, a British industrial automation firm in October 2023, and an Italian aerospace firm in September 2025. Evidently it is without doubt one of the flagship payloads for Operation DreamJob campaigns, despite the fact that Lazarus has extra refined payloads like LightlessCan at its disposal.

Conclusion

For practically three years, Lazarus has maintained a constant modus operandi, deploying its most well-liked fundamental payload, ScoringMathTea, and utilizing related strategies to trojanize open-source functions. This predictable, but efficient, technique delivers ample polymorphism to evade safety detection, even whether it is inadequate to masks the group’s identification and obscure the attribution course of. Additionally, even with widespread media protection of Operation DreamJob and its use of social engineering, the extent of worker consciousness in delicate sectors – know-how, engineering, and protection – is inadequate to deal with the potential dangers of a suspicious hiring course of.

Though different hypotheses are conceivable, there are good causes to suppose that this Operation DreamJob marketing campaign was in no small half supposed to gather delicate data on UAV-related know-how. Contemplating North Korea’s present efforts at scaling up its drone trade and arsenal, it appears probably that different organizations lively on this sector will whet the urge for food of North Korea-aligned menace actors within the close to future.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis gives personal APT intelligence studies and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

A complete record of indicators of compromise and samples might be present in our GitHub repository.

Information

SHA-1	Filename	Detection	Description
28978E987BC59E75CA22562924EAB93355CF679E	TSMSISrv.dll	Win64/NukeSped.TL	QuanPinLoader.
5E5BBA521F0034D342CC26DB8BCFECE57DBD4616	libmupdf.dll	Win64/NukeSped.TE	A loader disguised as a MuPDF rendering library v3.3.3.
B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539	radcui.dll	Win64/NukeSped.TO	A dropper disguised as a RemoteApp and Desktop Connection UI Element library.
26AA2643B07C48CB6943150ADE541580279E8E0E	HideFirstLetter.DLL	Win64/NukeSped.TO	BinMergeLoader.
0CB73D70FD4132A4FF5493DAA84AAE839F6329D5	libpcre.dll	Win64/NukeSped.TP	A loader that could be a trojanized libpcre library.
03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4	webservices.dll	Win64/NukeSped.RN	A dropper disguised as a Microsoft Internet Companies Runtime library.
71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF	N/A	Win64/NukeSped.RN	ScoringMathTea.
87B2DF764455164C6982BA9700F27EA34D3565DF	webservices.dll	Win64/NukeSped.RW	A dropper disguised as a Microsoft Internet Companies Runtime library.
E670C4275EC24D403E0D4DE7135CBCF1D54FF09C	N/A	Win64/NukeSped.RW	ScoringMathTea.
B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE	radcui.dll	Win64/NukeSped.TF	A loader disguised as a RemoteApp and Desktop Connection UI Element library.
5B85DD485FD516AA1F4412801897A40A9BE31837	RCX1A07.tmp	Win64/NukeSped.TH	A loader of an encrypted ScoringMathTea.
B68C49841DC48E3672031795D85ED24F9F619782	TSMSISrv.dll	Win64/NukeSped.TL	QuanPinLoader.
AC16B1BAEDE349E4824335E0993533BF5FC116B3	cache.dat	Win64/NukeSped.QK	A decrypted ScoringMathTea RAT.
2AA341B03FAC3054C57640122EA849BC0C2B6AF6	msadomr.dll	Win64/NukeSped.SP	A loader disguised as a Microsoft DirectInput library.
CB7834BE7DE07F89352080654F7FEB574B42A2B8	ComparePlus.dll	Win64/NukeSped.SJ	A trojanized Notepad++ plugin disguised as a Microsoft Internet Companies Runtime library. A dropper from VirusTotal.
262B4ED6AC6A977135DECA5B0872B7D6D676083A	tzautosync.dat	Win64/NukeSped.RW	A decrypted ScoringMathTea, saved encrypted on the disk.
086816466D9D9C12FCADA1C872B8C0FF0A5FC611	N/A	Win64/NukeSped.RN	ScoringMathTea.
2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05	cache.dat	Win64/NukeSped.SN	A downloader just like BinMergeLoader constructed as a trojanized NPPHexEditor plugin.

Community

MITRE ATT&CK strategies

This desk was constructed utilizing model 17 of the MITRE ATT&CK framework.