Cyber Espionage Campaign by North Korean Hackers Targets UAV Sector
In a concerning escalation of cyber warfare, the Lazarus APT group—backed by the North Korean state—has initiated a comprehensive cyberespionage campaign that specifically targets European enterprises engaged in the development of unmanned aerial vehicles (UAVs).
Beginning in late March 2025, these cyber adversaries infiltrated three distinct defense organizations in Central and Southeastern Europe, employing sophisticated malware to illicitly acquire proprietary UAV technology.
This endeavor, dubbed Operation DreamJob, utilized cunning social engineering tactics via counterfeit job offers to establish initial access.
The focus of the attacks has been sharply directed at firms that produce drone components and develop UAV software solutions, in alignment with North Korea’s ambition to bolster its drone capabilities.
Cybersecurity researchers found droppers on compromised systems whose internal DLL name was DroneEXEHijackingLoader.dll, a finding that substantiates the campaign’s specific intent to pilfer drone-related technologies.
Targeted organizations were delivered falsified job postings that included trojanized PDF readers, triggering multi-stage infection sequences.
Analysts from Welivesecurity have identified the principal payload as ScoringMathTea, a remote access trojan that has served as the flagship malware for Lazarus since late 2022.
The RAT offers extensive control over infiltrated systems through around 40 discrete commands, facilitating file manipulation, process oversight, and data exfiltration.
ScoringMathTea establishes communication with the command-and-control infrastructure via compromised servers nestled within WordPress directories.
The malware’s C&C traffic is encrypted with the IDEA algorithm and then base64-encoded.
Figure: Examples of Operation DreamJob’s execution chains yielding BinMergeLoader and ScoringMathTea.
Network examinations unearthed connections to compromised domains such as coralsunmarine[.]com, mnmathleague[.]org, and spaincaramoon[.]com.
Innovation in Infection Mechanisms and Evasion Techniques
The Lazarus group has showcased remarkable technical expertise by embedding malicious loading routines within authentic open-source projects retrieved from GitHub.
Attackers have trojanized various applications, including TightVNC Viewer, MuPDF Reader, and plugins for WinMerge and Notepad++. This strategy confers dual benefits: the malware masquerades as trustworthy applications while executing nefarious payloads.
The infection sequence adeptly employs DLL side-loading and proxying strategies. Legitimate executables such as wksprt.exe and wkspbroker.exe side-load malicious libraries, including webservices.dll and radcui.dll.

These malicious DLLs carry two sets of exports: one set of proxy functions that forward to the original library so the host application keeps behaving normally, and another that loads the malicious code which triggers the subsequent infection stages.
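As an added example (not from the original article or from the research it cites), the following Python snippet applies the side-loading indicators above to constructed Sysmon-style image-load events: it flags the named host executables loading webservices.dll or radcui.dll from outside the Windows system directories, or themselves running from outside them. The field names follow Sysmon Event ID 7 (Image, ImageLoaded); every sample path is constructed for the example.

```python
import ntpath

# Host executables and the DLL names the article says they side-load.
SIDELOAD_PAIRS = {
    "wksprt.exe": {"webservices.dll"},
    "wkspbroker.exe": {"radcui.dll"},
}
# Directories where these Windows binaries legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed image-load events (Sysmon Event ID 7 style, trimmed to two fields).
# Sample data for this example only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wksprt.exe",
     "ImageLoaded": "C:\\Windows\\System32\\webservices.dll"},
    {"Image": "C:\\Users\\user\\Downloads\\JobOffer\\wksprt.exe",
     "ImageLoaded": "C:\\Users\\user\\Downloads\\JobOffer\\webservices.dll"},
    {"Image": "C:\\Windows\\System32\\wkspbroker.exe",
     "ImageLoaded": "C:\\Windows\\System32\\radcui.dll"},
    {"Image": "C:\\Windows\\System32\\wkspbroker.exe",
     "ImageLoaded": "C:\\ProgramData\\Update\\radcui.dll"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\radcui.dll"},
]

def in_system_dir(path):
    """True if the file sits directly in System32 or SysWOW64 (case-insensitive)."""
    folder = ntpath.dirname(path).lower().rstrip("\\") + "\\"
    return folder in SYSTEM_DIRS

def check_event(event):
    """Return a reason string if the load looks like side-loading, else None."""
    host = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return None  # not a host/DLL pair we watch
    if not in_system_dir(event["ImageLoaded"]):
        return f"{host} loaded {dll} from outside the system directory"
    if not in_system_dir(event["Image"]):
        return f"{host} is running outside the system directory"
    return None  # both files where the OS keeps them: expected behaviour

def scan(events):
    """Return (Image, ImageLoaded, reason) for every suspicious event."""
    hits = []
    for event in events:
        reason = check_event(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The same pairs table can be fed from a list of known side-loading host/DLL combinations; the two constructed hits are the copied wksprt.exe in a Downloads folder and radcui.dll loaded from ProgramData.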
The malware keeps its components encrypted throughout the infection chain. The initial droppers retrieve encrypted payloads from the file system or the registry, decrypt them with AES-128 or ChaCha20, and load them directly into memory.
The loaders use the MemoryModule library for reflective DLL loading, so the payload executes entirely in memory and the decrypted components are never written to disk.
Source link: Cybersecuritynews.com.