The North Korean state-sponsored Lazarus hacking group has launched a sophisticated cyberespionage campaign targeting European defense contractors involved in unmanned aerial vehicle (UAV) manufacturing.
The attacks appear directly linked to North Korea's efforts to accelerate its domestic drone production capabilities through industrial espionage.
The targeted organizations include a metal engineering firm, an aircraft component manufacturer, and a specialized defense company, with at least two heavily involved in UAV technology development and manufacturing.
The campaign represents a new wave of Operation DreamJob, Lazarus's signature social engineering operation that uses fake job offers at prestigious companies as bait.
Beginning in late March 2025, ESET identified multiple attacks targeting three defense-sector companies across Southeastern and Central Europe.
Victims receive fraudulent job descriptions alongside trojanized PDF readers, which deliver malware when executed. This deceptive tactic has proven remarkably effective despite widespread security awareness campaigns.
The attackers deployed ScoringMathTea, a sophisticated remote access trojan (RAT) that has served as Lazarus's payload of choice for three years.
BinMergeLoader leverages the Microsoft Graph API and uses Microsoft API tokens for authentication.
First observed in October 2022, ScoringMathTea supports roughly 40 commands, enabling attackers to manipulate files and processes, collect system information, establish TCP connections, and execute downloaded payloads.
One dropper sample discovered by researchers contained the internal name "DroneEXEHijackingLoader.dll," providing a direct link to the campaign's focus on UAV technology theft.
The malware leverages DLL side-loading techniques and trojanizes legitimate open-source projects from GitHub, including TightVNC Viewer, MuPDF reader, and plugins for Notepad++ and WinMerge, to evade detection.
ESET researchers noted significant evolution in the group's tactics, including new DLL proxying libraries and improved selection of open-source projects for trojanization.

The malware uses compromised WordPress servers for command-and-control communication, often storing server components inside theme or plugin directories.
The timing and target selection strongly suggest the campaign aims to steal proprietary UAV designs, manufacturing processes, and industrial know-how.
North Korea has invested heavily in domestic drone capabilities, with recent reports indicating Pyongyang is developing low-cost attack UAVs for potential export to African and Middle Eastern markets. Russia is reportedly assisting North Korea in producing knockoff Iranian Shahed suicide drones.
North Korea's flagship reconnaissance drone, the Saetbyol-4, appears to be a carbon copy of the Northrop Grumman RQ-4 Global Hawk, while the Saetbyol-9 combat drone closely resembles General Atomics' MQ-9 Reaper.
These designs demonstrate North Korea's reliance on reverse engineering and intellectual property theft to advance its military capabilities.
At least one targeted company manufactures critical components for UAV models currently deployed in Ukraine, which North Korean forces may have encountered on the frontline in Russia's Kursk region, where North Korean troops were deployed in 2025.
Additionally, the company is involved in advanced single-rotor drone development, unmanned helicopter technology that Pyongyang is actively developing but has not successfully militarized.
Attribution and Broader Context
ESET attributed the attacks to Lazarus with high confidence based on several indicators: the social engineering methodology, trojanization of GitHub open-source projects for DLL side-loading, deployment of ScoringMathTea, and targeting of European aerospace and defense sectors.
Lazarus, also known as HIDDEN COBRA, is an advanced persistent threat (APT) group linked to North Korean intelligence services and active since at least 2009.
The group is responsible for high-profile incidents including the 2016 Sony Pictures Entertainment hack, tens-of-millions-of-dollar cyberheists, the 2017 WannaCry ransomware outbreak, and ongoing attacks against South Korean infrastructure.
Security experts recommend that defense contractors implement rigorous employee training on social engineering tactics, particularly fake recruitment lures.
Organizations should scrutinize job offers from unexpected sources, verify executable files before opening them, and deploy advanced endpoint detection solutions capable of identifying trojanized legitimate software.
Network segmentation and privileged access management can limit lateral movement if an initial compromise occurs.
IoCs
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 28978E987BC59E75CA22562924EAB93355CF679E | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| 5E5BBA521F0034D342CC26DB8BCFECE57DBD4616 | libmupdf.dll | Win64/NukeSped.TE | A loader disguised as a MuPDF rendering library v3.3.3. |
| B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539 | radcui.dll | Win64/NukeSped.TO | A dropper disguised as a RemoteApp and Desktop Connection UI Component library. |
| 26AA2643B07C48CB6943150ADE541580279E8E0E | HideFirstLetter.DLL | Win64/NukeSped.TO | BinMergeLoader. |
| 0CB73D70FD4132A4FF5493DAA84AAE839F6329D5 | libpcre.dll | Win64/NukeSped.TP | A loader that is a trojanized libpcre library. |
| 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4 | webservices.dll | Win64/NukeSped.RN | A dropper disguised as a Microsoft Web Services Runtime library. |
| 71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 87B2DF764455164C6982BA9700F27EA34D3565DF | webservices.dll | Win64/NukeSped.RW | A dropper disguised as a Microsoft Web Services Runtime library. |
| E670C4275EC24D403E0D4DE7135CBCF1D54FF09C | N/A | Win64/NukeSped.RW | ScoringMathTea. |
| B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE | radcui.dll | Win64/NukeSped.TF | A loader disguised as a RemoteApp and Desktop Connection UI Component library. |
| 5B85DD485FD516AA1F4412801897A40A9BE31837 | RCX1A07.tmp | Win64/NukeSped.TH | A loader of an encrypted ScoringMathTea. |
| B68C49841DC48E3672031795D85ED24F9F619782 | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| AC16B1BAEDE349E4824335E0993533BF5FC116B3 | cache.dat | Win64/NukeSped.QK | A decrypted ScoringMathTea RAT. |
| 2AA341B03FAC3054C57640122EA849BC0C2B6AF6 | msadomr.dll | Win64/NukeSped.SP | A loader disguised as a Microsoft DirectInput library. |
| CB7834BE7DE07F89352080654F7FEB574B42A2B8 | ComparePlus.dll | Win64/NukeSped.SJ | A trojanized Notepad++ plugin disguised as a Microsoft Web Services Runtime library. A dropper from VirusTotal. |
| 262B4ED6AC6A977135DECA5B0872B7D6D676083A | tzautosync.dat | Win64/NukeSped.RW | A decrypted ScoringMathTea, stored encrypted on the disk. |
| 086816466D9D9C12FCADA1C872B8C0FF0A5FC611 | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05 | cache.dat | Win64/NukeSped.SN | A downloader similar to BinMergeLoader, built as a trojanized NPPHexEditor plugin. |
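The following script turns the IoC table above into a file-system sweep that a responder can run on a workstation suspected of having opened one of the fake job offers. It is an added example written for this article, not ESET's tooling and not code from the report: the SHA-1 values, filenames and detection names are copied from the table, while the "name-match" heuristic (flagging a file whose name matches one of the side-loaded DLL names even when its hash is unknown) is an assumption of this example and is only a triage hint, because names such as libmupdf.dll, libpcre.dll and ComparePlus.dll are also carried by the legitimate projects the loaders imitate.

```python
"""Sweep a directory tree for the Operation DreamJob IoCs listed in the article.

Added example: SHA-1 hashes, filenames and ESET detection names come from the
IoC table above; the filename-only heuristic is this example's own assumption.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA-1 (lowercase hex) -> (filename as dropped, ESET detection, short description)
IOCS: Dict[str, Tuple[str, str, str]] = {
    "28978e987bc59e75ca22562924eab93355cf679e": ("TSMSISrv.dll", "Win64/NukeSped.TL", "QuanPinLoader"),
    "5e5bba521f0034d342cc26db8bcfece57dbd4616": ("libmupdf.dll", "Win64/NukeSped.TE", "loader posing as MuPDF"),
    "b12eeb595feec2cfbf9a60e1cc21a14ce8873539": ("radcui.dll", "Win64/NukeSped.TO", "dropper posing as RemoteApp UI"),
    "26aa2643b07c48cb6943150ade541580279e8e0e": ("HideFirstLetter.DLL", "Win64/NukeSped.TO", "BinMergeLoader"),
    "0cb73d70fd4132a4ff5493daa84aae839f6329d5": ("libpcre.dll", "Win64/NukeSped.TP", "trojanized libpcre loader"),
    "03d9b8f0fcf9173d2964ce7173d21e681dfa8da4": ("webservices.dll", "Win64/NukeSped.RN", "dropper posing as WS Runtime"),
    "71d0ddb7c6cac4ba2bde679941fa92a31fbec1ff": ("N/A", "Win64/NukeSped.RN", "ScoringMathTea"),
    "87b2df764455164c6982ba9700f27ea34d3565df": ("webservices.dll", "Win64/NukeSped.RW", "dropper posing as WS Runtime"),
    "e670c4275ec24d403e0d4de7135cbcf1d54ff09c": ("N/A", "Win64/NukeSped.RW", "ScoringMathTea"),
    "b6d8d8f5e0864f5da788f96be085abecf3581cce": ("radcui.dll", "Win64/NukeSped.TF", "loader posing as RemoteApp UI"),
    "5b85dd485fd516aa1f4412801897a40a9be31837": ("RCX1A07.tmp", "Win64/NukeSped.TH", "loader of encrypted ScoringMathTea"),
    "b68c49841dc48e3672031795d85ed24f9f619782": ("TSMSISrv.dll", "Win64/NukeSped.TL", "QuanPinLoader"),
    "ac16b1baede349e4824335e0993533bf5fc116b3": ("cache.dat", "Win64/NukeSped.QK", "decrypted ScoringMathTea"),
    "2aa341b03fac3054c57640122ea849bc0c2b6af6": ("msadomr.dll", "Win64/NukeSped.SP", "loader posing as DirectInput"),
    "cb7834be7de07f89352080654f7feb574b42a2b8": ("ComparePlus.dll", "Win64/NukeSped.SJ", "trojanized Notepad++ plugin"),
    "262b4ed6ac6a977135deca5b0872b7d6d676083a": ("tzautosync.dat", "Win64/NukeSped.RW", "decrypted ScoringMathTea"),
    "086816466d9d9c12fcada1c872b8c0ff0a5fc611": ("N/A", "Win64/NukeSped.RN", "ScoringMathTea"),
    "2a2b20fddd65ba28e7c57ac97a158c9f15a61b05": ("cache.dat", "Win64/NukeSped.SN", "downloader as NPPHexEditor plugin"),
}

# Assumption of this example: the masquerade filenames recur across samples more
# often than the hashes do, so a name hit is surfaced for analyst triage only.
SUSPECT_NAMES = {name.lower() for name, _, _ in IOCS.values() if name != "N/A"}


@dataclass
class Finding:
    path: str
    sha1: str
    reason: str      # "hash-match" (confirmed IoC) or "name-match" (triage hint)
    detection: str   # ESET detection name for hash hits, "" for name-only hits


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_ioc(sha1_hex: str) -> Optional[Tuple[str, str, str]]:
    """Look a SHA-1 up in the table; case-insensitive so pasted hashes work."""
    return IOCS.get(sha1_hex.lower())


def classify(path: str, sha1_hex: str) -> Optional[Finding]:
    hit = match_ioc(sha1_hex)
    if hit:
        return Finding(path, sha1_hex.lower(), "hash-match", hit[1])
    if os.path.basename(path).lower() in SUSPECT_NAMES:
        return Finding(path, sha1_hex.lower(), "name-match", "")
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory (e.g. a user's Downloads folder) and collect findings."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            finding = classify(full, digest)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.reason:10} {f.detection:20} {f.sha1} {f.path}")
```

Run it against a user's Downloads or profile directory; a hash-match is a confirmed IoC and should trigger the incident response process, while a name-match only says that a file carrying one of the side-loaded library names is present and needs a look at where it sits and what executable loads it.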
