Silent War in the Sky: Inside Operation DreamJob’s New Drone-Focused Campaign
In early 2025, a new wave of sophisticated cyberattacks swept across Europe’s defense industry, quietly infiltrating companies tied to drone technology. Cybersecurity researchers from ESET have traced these intrusions back to the infamous Lazarus Group, a North Korea-aligned hacking organization long accused of cyber-espionage operations worldwide. This latest campaign—part of the ongoing Operation DreamJob—reveals how Pyongyang’s digital spies are sharpening their tactics to steal cutting-edge military and aerospace secrets.
The Lazarus Group has been targeting European defense and aerospace firms with a blend of technical precision and psychological manipulation. Using fake job offers as bait, hackers tricked employees from three key companies—a metal engineering firm, an aircraft components maker, and a major defense contractor—into downloading malware disguised as harmless PDF files. Once opened, the malware, known as ScoringMathTea, granted remote access to the attackers, effectively handing them the digital keys to highly classified systems.
ESET’s telemetry data uncovered how Lazarus camouflaged its tools within legitimate open-source software like TightVNC Viewer, MuPDF, and Notepad++ plugins. Among the most revealing discoveries was a malicious file named DroneEXEHijackingLoader.dll, pointing directly to the hackers’ interest in unmanned aerial vehicle (UAV) technology. The connection was chillingly clear—two of the targeted firms are heavily involved in drone production, software, and defense systems.
This timing is far from a coincidence. Reports suggest that North Korean soldiers are providing operational support to Russian forces in Ukraine. That overlap fuels speculation that Lazarus’s campaign may be designed to gather intelligence on Western-made drones, including tactical and reconnaissance models currently used in combat zones. Such data could give North Korea a technical boost in developing UAVs that mirror the capabilities of the U.S. RQ-4 Global Hawk or MQ-9 Reaper—aircraft that have long symbolized aerial dominance in modern warfare.
ESET researchers have noted that the 2025 version of Operation DreamJob shows unprecedented sophistication. Lazarus isn’t just recycling old tools—it’s innovating. The attackers introduced Trojanized open-source apps, new DirectX-based loaders, and multi-layered payload delivery systems that evade traditional detection methods. Each component was strategically designed to appear legitimate, blending seamlessly into regular software ecosystems until it was too late.
The implications are alarming. Europe’s defense and aerospace sectors are once again on high alert as Lazarus continues to refine its espionage methods. Cybersecurity experts believe this campaign is only the beginning of a broader push by North Korea to enhance its drone technology, both for reconnaissance and potential weaponization.
“Considering North Korea’s rapid escalation in UAV development,” ESET warned, “it’s likely that any organization involved in drone research will be an appealing target for future attacks.”
What Undercode Says:
This operation isn’t just about data theft—it’s about power projection. Lazarus Group’s latest campaign represents a hybrid warfare strategy where digital espionage supports physical military ambitions. By targeting drone-related firms, North Korea signals a shift from traditional hacking for financial gain toward strategic intelligence gathering aimed at bolstering its defense technology.
Drone warfare has become the new arms race of the 21st century. From the skies over Ukraine to the deserts of the Middle East, UAVs define modern conflict. They collect intelligence, conduct precision strikes, and shape military outcomes. For Pyongyang, gaining access to the design blueprints and control algorithms of Western UAVs could mean leapfrogging years of domestic research and testing.
What’s notable about this operation is the psychological engineering behind it. Lazarus didn’t rely solely on code—they exploited human ambition. By posing as recruiters offering lucrative job opportunities, they tapped into a universal vulnerability: curiosity and hope. Once the victim opened a trojanized document, malware spread silently, creating a persistent backdoor that allowed Lazarus to explore internal systems, exfiltrate data, and manipulate operations at will.
The choice of targets also reveals strategic intent. The combination of a metal engineering firm and an aircraft components manufacturer suggests Lazarus sought both hardware and software intelligence—possibly CAD blueprints, aerodynamic simulations, or materials research relevant to UAV construction. This dual-targeting pattern reflects a deep understanding of the drone supply chain.
ESET’s analysis of ScoringMathTea shows a level of modular design rarely seen in prior Lazarus operations. The malware’s architecture allows attackers to dynamically load new features, execute hidden scripts, and maintain persistence even after system reboots. The integration of open-source code from GitHub further complicates detection, since the malware blends seamlessly into legitimate developer workflows.
What Undercode finds most intriguing is the timing of this campaign. Conducted in early 2025, it aligns with reports of North Korea expanding its drone testing facilities and unveiling prototypes strikingly similar to American models. If Lazarus has indeed siphoned drone data from European defense contractors, Pyongyang’s next-generation UAVs could incorporate Western flight stability systems, propulsion mechanisms, or AI-driven navigation modules.
From a geopolitical perspective, this isn’t an isolated cyberattack—it’s a signal of intent. North Korea is building the digital foundation for military parity in aerial warfare. By targeting Europe’s defense ecosystem, it’s diversifying its espionage reach beyond traditional adversaries like the U.S. and South Korea.
ESET’s warning is clear: the defense industry can no longer treat cyber threats as background noise. These attacks demonstrate that espionage has evolved into an industrial-scale operation, one that fuses cyber intrusion with national ambition.
Lazarus has proven time and again that its operations are patient, precise, and politically motivated. Operation DreamJob is no longer a recruitment scam—it’s a weaponized intelligence network serving the strategic goals of an isolated regime determined to dominate through asymmetric warfare.
The question now is not whether such attacks will happen again, but how far they’ll go next. Will the next wave of Lazarus activity target satellite communication systems, radar design labs, or AI-based weapons programs? The pattern suggests escalation is inevitable.
🔍 Fact Checker Results
✅ ESET has officially attributed the attacks to the Lazarus Group.
✅ Evidence links the campaign to UAV-related espionage activities.
❌ No direct proof yet confirms successful data exfiltration from the targeted firms.
📊 Prediction
🔮 Expect a new era of drone-centric cyber warfare in 2026.
💥 North Korea’s next UAV prototypes may show design traits suspiciously similar to European or U.S. models.
🛰️ Western defense companies will likely tighten recruitment protocols and cybersecurity vetting as human-targeted attacks intensify.
References:
Reported By: www.infosecurity-magazine.com




