Lazarus Operation DreamJob Targeted European Drone Firms Using DLL Side-Loading and ScoringMathTea RAT


What happened

Lazarus Group's Operation DreamJob campaign was linked to attacks on European drone manufacturers and defense contractors beginning in late March 2025. The operation used social engineering, fake job offers for prestigious roles, to lure employees into downloading trojanized documents and software bundles. WeLiveSecurity analysts described execution chains that delivered components such as BinMergeLoader and the main payload, ScoringMathTea. The infection mechanism relied heavily on DLL side-loading: a malicious library is placed alongside a legitimate, typically signed, Windows application so that the trusted binary loads the attacker's DLL into its own process. Because the code then runs under the legitimate application's name and signature status, application-allowlisting rules that only cover executables and file-based scanning of the EXE do not catch it. The attackers also used trojanized versions of open-source software, including TightVNC Viewer, MuPDF, and WinMerge plugins. ScoringMathTea provided remote access with an extensive command set and reportedly remained encrypted on disk, decrypting only in memory during execution.

Who is affected

European aerospace and defense organizations—particularly drone manufacturers—are directly affected when employees interact with job-offer lures and execute trojanized files. Exposure can extend indirectly to partner networks if compromised endpoints provide access to sensitive engineering repositories or production systems.

Why CISOs should care

This campaign targets intellectual property and manufacturing data in a high-impact sector, using trusted application execution patterns (DLL side-loading) and memory-resident behavior that can evade traditional file-based detection. Successful compromise increases risk of persistent espionage access and downstream supply chain compromise.

3 practical actions

  • Harden application loading behavior: Restrict DLL search-order abuse and detect side-loading against common signed applications and packaged tools. Keep SafeDllSearchMode enabled, extend allowlisting (WDAC or AppLocker) to DLL rules rather than executables only, since a publisher rule that trusts the signed EXE does nothing about an unsigned DLL sitting next to it, and baseline which DLLs your standard applications legitimately load from their own directories.

  • Lock down software acquisition channels: Require installers and plugins (e.g., TightVNC Viewer, MuPDF, WinMerge components) to come from verified sources, and validate both the Authenticode signature and the publisher's published hash before deployment; a trojanized bundle from a job-offer lure will carry a different hash even when the bundled EXE is still the vendor's signed original.

  • Increase monitoring for in-memory RAT activity: Expand telemetry for module loads (for example Sysmon Event ID 7, which must be enabled in the Sysmon configuration), reflective or memory-only execution patterns, and unusual outbound C2 from engineering endpoints. A payload that stays encrypted on disk leaves the loaded module and the network connection as the observable artifacts, so the detections should key on those rather than on file hashes.