Cybersecurity firm ESET Research has uncovered a new wave of cyberespionage attacks linked to Operation DreamJob, a campaign attributed to the North Korea-aligned Lazarus Group, targeting European companies in the defense industry, particularly those involved in unmanned aerial vehicle (UAV) technology.
According to ESET, the campaign appears to be part of North Korea’s broader effort to advance its drone program by stealing proprietary designs, engineering data, and manufacturing know-how from foreign defense contractors.
“Some of the targeted companies are deeply involved in the UAV sector, suggesting that this operation may be linked to North Korea’s current efforts to scale up its drone capabilities,” ESET said in its latest analysis.
Targets and Techniques
Beginning in late March 2025, ESET telemetry detected a string of cyberattacks against three European defense companies, a metal engineering firm in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company also based in Central Europe.
Investigations revealed that the attackers relied on social engineering tactics typical of the Operation DreamJob campaign, including fake job offers and trojanized open-source projects hosted on GitHub.
Once access was gained, the attackers deployed a remote access trojan (RAT) known as ScoringMathTea, granting them full control of compromised machines.
ESET noted that ScoringMathTea first appeared in late 2022, when its dropper was uploaded to VirusTotal, and has since been repeatedly observed in multiple Lazarus-linked intrusions. The malware communicates with command-and-control servers hosted on compromised WordPress websites, often hidden within plugin or design template folders.
Lazarus’ Espionage Goals
The Lazarus Group, one of the most active and sophisticated state-sponsored threat actors associated with North Korea, has a history of cyberespionage and financially motivated attacks.
Under the Operation DreamJob codename, Lazarus typically targets professionals in the aerospace, defense, engineering, and technology sectors, using enticing job offers to lure victims into installing malware.
While the group’s primary goal remains cyberespionage, stealing sensitive and proprietary data, the secondary objective often includes financial gain through digital theft or cryptocurrency-related exploits.
ESET’s researchers believe the most recent campaign demonstrates a renewed focus on the UAV sector, as two of the targeted firms are directly engaged in drone component manufacturing and UAV software development.
“Technical artifacts in the attackers’ droppers reinforce the hypothesis that the UAV sector was the main espionage goal,” ESET stated.
Geopolitical Implications
The findings add to growing evidence that North Korea’s cyber operations are increasingly intertwined with its military modernization programs, particularly in the drone and missile domains.
With European defense firms playing a key role in supplying military technology and equipment to Ukraine, experts warn that such cyberattacks could have strategic and geopolitical consequences.
ESET’s report offers a high-level overview of the Lazarus Group’s latest tools and methods while calling attention to the need for stronger cyber defense collaboration across the defense and aerospace sectors.
An extract of ESET’s full “Network API 2025–2030 Report” is available for free download on the company’s website.
More about Operation DreamJob
Operation DreamJob is the codename for an ongoing series of Lazarus campaigns that use fake job recruitment schemes to compromise targets.
These attacks often begin with LinkedIn or email outreach, delivering malicious documents or project files disguised as legitimate opportunities.
The Lazarus Group, believed to operate under the direction of the North Korean government, has been linked to numerous cyberattacks worldwide, including the Sony Pictures hack (2014), the WannaCry ransomware outbreak (2017), and several cryptocurrency heists targeting global exchanges.
Responding to these recent revelations of global cyberespionage campaigns by ESET, Olufemi Ake, managing director of ESET Nigeria, has raised concerns over the growing vulnerability in the defense ecosystem, going by the current state of security in the region, particularly West Africa.
“It is an attractive region for cyberattacks,” Ake stated. “With the increasing digital connectivity, expansion of defence partnerships, and emergence as a numerous tech innovation hub, individuals are now seen as potential entry points for both direct cyber threats and indirect access to global supply chains as it relates to the security situation in certain pocket areas.”
He identified several sectors currently at heightened risk, including government agencies or institutions with large data of citizens, key sectors in partnership with the government, holding sensitive intellectual properties, such as engineering and technology firms, critical infrastructure operators such as power, telecommunications, and finance, as well as the defence, aerospace, and media industries.
To mitigate these risks, Ake emphasised the importance of integrating cybersecurity awareness training into employee onboarding processes.
He urged organisations to prioritise the education of staff, the deployment of robust device protection, and the implementation of advanced threat detection systems, alongside regular system updates.
These, he noted, are essential strategies to maintain resilience and stay ahead of the evolving threat landscape.
In a broader appeal, Ake called on West African nations to treat cybersecurity as a strategic imperative at the helm of affairs.
“As countries across the region continue their digital transformation journeys, cyber resilience must be made a top priority,” he said. “Achieving this will require regional collaboration, sustained awareness campaigns, and long-term investment in cybersecurity capacity- building to safeguard national interests, economic growth, and public trust in digital systems.”
