Threat actors with ties to North Korea are believed to be responsible for a new wave of attacks targeting European companies operating in the defense industry as part of a long-running campaign known as North Korea. Operation Dream Job.
“Some of these[companies]are heavily involved in the unmanned aerial vehicle (UAV) field, suggesting that this operation may be related to North Korea’s current efforts to expand its drone program,” ESET security researchers Peter Kalnai and Alexis Lappin said in a report shared with Hacker News.
The ultimate goal of this campaign is assessed to be to steal sensitive information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. A Slovak cybersecurity company said it observed a campaign starting in late March 2025.
Targeted companies include a metal engineering company in Southeastern Europe, an aircraft parts manufacturer in Central Europe, and a defense company in Central Europe.
ScoringMathTea (also known as ForestTiger) was previously observed by ESET in early 2023 in connection with cyberattacks targeting an Indian technology company and a Polish defense contractor, while MISTPEN was documented by Google Mandiant in September 2024 as part of an intrusion targeting companies in the energy and aerospace sectors. ScoringMathTea first appeared back in October 2022.
First exposed by Israeli cybersecurity firm ClearSky in 2020, Operation Dream Job is a sustained attack campaign launched by a prolific North Korean hacker group called Lazarus Group, which has also been tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacker group is believed to have been active since at least 2009.
In these attacks, attackers use social engineering lures similar to infection interviews to approach potential targets with high-paying job opportunities and trick them into infecting their systems with malware. This campaign also shows overlap with clusters tracked as DeathNote, NukeSped, Operation In(interception), and Operation North Star.
ESET researchers said: “The main theme is lucrative but fake job offers with malware aspects. Targets receive a decoy document with a job description and a trojanized PDF reader to open it.”
This attack chain leads to binary execution. This binary is responsible for sideloading a malicious DLL that drops ScoringMathTea and an advanced downloader codenamed BinMergeLoader that functions similarly to MISTPEN and uses Microsoft Graph APIs and tokens to retrieve additional payloads.
An alternative infection sequence is known to utilize an unknown dropper to deliver two intermediate payloads, with the first loading the latter. The end result is the deployment of ScoringMathTea, an advanced RAT that supports approximately 40 commands for complete control over compromised machines.
“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its main recommended payload, ScoringMathTea, and using similar techniques to Trojanize open source applications,” ESET said. “This predictable yet effective strategy provides enough polymorphism to evade security detection, even if it is insufficient to hide group identity and obfuscate the attribution process.”
