Date: 2025-10-24

Threat Intelligence

New Lazarus cyberespionage campaign targets European UAV sector

BleepingComputer reports that three European organizations involved in unmanned aerial technology development have been infiltrated by the North Korean hacking collective Lazarus Group as part of the Operation DreamJob campaign.

Intrusions against the drone component makers, including an aircraft parts manufacturer and a defense firm in Central Europe as well as a metal engineering company in Southeastern Europe, commenced with the distribution of job lures including weaponized open-source plugins or applications. DLL side-loading then resulted in the eventual deployment of the ScoringMathTea RAT, which establishes command-and-control server communications, according to an analysis from ESET.

Another infection chain delivered the BinMergeLoader, which facilitated further payload delivery via Microsoft Graph API and token exploitation.

"The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim's system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server," said ESET researchers.

