ESET Research Uncovers Alarming New Cyberespionage Campaign Tied to Lazarus Group

ESET’s cybersecurity team has recently identified a fresh wave of Operation DreamJob, a cyberespionage campaign attributed to the North Korea-linked Lazarus group. This latest activity has focused on several European defense firms, notably those engaged in the unmanned aerial vehicle (UAV) industry, hinting at a connection to North Korea’s intensified drone development initiatives.

This article explores the wider geopolitical ramifications of this campaign and outlines the sophisticated toolkit employed by the threat actors. The targeting of UAV technology developers by Lazarus aligns with recent intelligence on North Korea’s expanding drone capabilities.

The attackers’ primary objective appears to be the exfiltration of sensitive intellectual property and manufacturing expertise. Their initial infiltration method involved social engineering tactics, specifically compromising open-source projects hosted on GitHub, followed by deploying the ScoringMathTea remote access trojan (RAT). ESET Research classifies these incursions as a continuation of the Operation DreamJob series.

Operation DreamJob is a codename for Lazarus operations that predominantly exploit social engineering, leveraging counterfeit job offers for coveted or high-profile roles (the so-called “dream job” bait).

Operation DreamJob: ESET Research analyzes recent cyberespionage campaign linked to Lazarus Group

The primary targets are aerospace and defense companies, followed by firms in engineering, technology, and media sectors. The attackers’ main aim is cyberespionage, that is, stealing confidential data, proprietary designs, and trade secrets, with financial gain as a secondary motive.

Beginning in late March 2025, ESET’s telemetry detected cyberattacks consistent with the Operation DreamJob modus operandi.

These real-world intrusions successively compromised three European defense-related companies, which, despite their varied operations, can be categorized as:

  • a metal fabrication firm based in Southeastern Europe,
  • an aircraft parts manufacturer located in Central Europe, and
  • a defense contractor also situated in Central Europe.

The attackers deployed ScoringMathTea as their main payload, a RAT granting full remote control over infected systems.

First identified in late 2022 when its dropper surfaced on VirusTotal, ScoringMathTea has since been repeatedly used in Lazarus’ Operation DreamJob campaigns, making it their preferred malware for over three years.

This RAT communicates with command-and-control (C&C) servers hosted on compromised machines, often concealed within WordPress directories containing themes or plugins.

The targeted organizations produce various military hardware or components, many of which are currently utilized in Ukraine amid European military support efforts.

At least two of these companies are directly involved in UAV technology, with one specializing in critical hardware components and the other focusing on UAV software development.

Technical indicators found in the attackers’ droppers strongly support the theory that UAV-related espionage was the campaign’s central objective.

In response to these findings, Olufemi Ake, Managing Director of ESET Nigeria, highlighted the increasing cybersecurity risks facing the defense sector, especially in West Africa, given the region’s current security posture.

“West Africa presents an appealing target for cyber adversaries,” Ake remarked. “With growing digital interconnectivity, expanding defense collaborations, and its emergence as a tech innovation hub, individuals have become potential vectors for both direct cyberattacks and indirect breaches of global supply chains, particularly in sensitive security zones.”

Ake identified several sectors at elevated risk, including government bodies managing extensive citizen data, government-affiliated industries holding sensitive intellectual property such as engineering and technology firms, critical infrastructure operators in power, telecommunications, and finance, as well as defense, aerospace, and media organizations.

To counter these threats, he stressed the necessity of embedding cybersecurity awareness into employee onboarding and ongoing training programs.

He urged organizations to focus on educating personnel, deploying comprehensive endpoint protection, implementing sophisticated threat detection solutions, and maintaining regular system updates.

According to Ake, these measures are vital to building resilience and staying ahead of the rapidly evolving cyber threat landscape.

On a broader scale, Ake called on West African governments to elevate cybersecurity as a strategic priority.

“As digital transformation accelerates across the region, cyber resilience must be prioritized,” he emphasized. “Achieving this demands regional cooperation, continuous awareness initiatives, and sustained investment in cybersecurity capacity-building to protect national interests, foster economic development, and maintain public confidence in digital infrastructures.”
