North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets
Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job. "Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea's current efforts to scale up its
AI Analysis
Technical Summary
Operation Dream Job is a long-running cyber espionage campaign attributed to the North Korean Lazarus Group, active since at least 2020 and recently observed intensifying in 2025. The campaign targets European defense sector companies, particularly those involved in unmanned aerial vehicle (UAV) development and manufacturing. Attackers employ social engineering tactics by sending fake job offers to defense engineers, luring them to open malicious documents. These documents use trojanized PDF readers to execute binaries that sideload malicious DLLs, deploying malware families such as ScoringMathTea (also known as ForestTiger) and MISTPEN. ScoringMathTea is an advanced remote access trojan (RAT) supporting approximately 40 commands, enabling attackers to gain full control over compromised systems. MISTPEN and the downloader BinMergeLoader leverage Microsoft Graph API and tokens to fetch additional payloads, demonstrating sophisticated multi-stage infection chains. The campaign targets companies in Central and Southeastern Europe, including metal engineering and aircraft component manufacturers. The attackers maintain a consistent but polymorphic approach to evade detection, reusing favored payloads and infection methods. While no public exploits are known, the operation poses a significant threat to the confidentiality and integrity of sensitive defense-related intellectual property. The campaign overlaps with other Lazarus-linked clusters and reflects North Korea's strategic interest in scaling its drone capabilities. The attack chain requires user interaction (opening malicious documents) but no prior authentication, making social engineering the primary infection vector.
Potential Impact
European defense companies, especially those involved in UAV technology, face significant risks from Operation Dream Job. The theft of proprietary drone designs, manufacturing processes, and sensitive defense data could undermine national security and defense industrial competitiveness. Compromised systems could lead to espionage, intellectual property theft, and potential sabotage. The campaign's focus on Central and Southeastern European companies indicates a targeted effort to weaken European defense capabilities. Loss of confidentiality could also impact defense contracts and international collaborations. The malware’s remote access capabilities allow attackers to maintain persistence, move laterally, and exfiltrate large volumes of data undetected. This could result in long-term operational disruptions and erosion of trust in affected organizations. The campaign’s use of legitimate APIs for payload delivery complicates detection and response, increasing the risk of successful breaches.
Mitigation Recommendations
1. Implement targeted security awareness training focused on spear-phishing and social engineering tactics, emphasizing the risks of unsolicited job offers and opening unknown documents.
2. Enforce strict document handling policies, including sandboxing and scanning of all incoming PDFs and attachments with advanced threat detection tools capable of identifying trojanized readers and malicious DLL sideloading.
3. Deploy endpoint detection and response (EDR) solutions tuned to detect behaviors associated with ScoringMathTea and MISTPEN malware, such as unusual DLL loading, use of Microsoft Graph API tokens, and network connections to suspicious domains.
4. Restrict use of Microsoft Graph API tokens and monitor their usage for anomalous activity indicative of malware payload fetching.
5. Apply network segmentation to isolate sensitive defense engineering environments and limit lateral movement opportunities.
6. Conduct regular threat hunting exercises focused on indicators of compromise related to Lazarus Group TTPs.
7. Maintain up-to-date threat intelligence feeds and collaborate with national cybersecurity agencies for timely alerts and response coordination.
8. Implement multi-factor authentication and least privilege principles to reduce the impact of compromised credentials.
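The "unusual DLL loading" behaviour in recommendation 3 can be expressed as a concrete hunting heuristic for the sideloading pattern the analysis describes (a launcher binary loading a DLL with a well-known system library name from its own directory). The Python below is an added example, not code from the article, from the researchers who reported the campaign, or from any EDR product. It assumes image-load telemetry (Sysmon Event ID 7 style) has already been parsed into records carrying the loading process path, the loaded image path and a signed flag; the sample events and the small system-DLL inventory are constructed for the demonstration.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example, not part of the original page. Assumes Sysmon-style
Event ID 7 (Image loaded) records already parsed into ImageLoad objects.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where Windows ships its own DLLs; a load from here is expected.
# Paths are kept lower-case so comparisons do not depend on event casing.
SYSTEM_DIRS = tuple(
    PureWindowsPath(p)
    for p in (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
)

# Constructed inventory of DLL basenames that ship under System32 on the
# reference build. In production, generate this from a golden image rather
# than hand-maintaining a short list.
SYSTEM_DLL_NAMES = frozenset({
    "version.dll", "cryptsp.dll", "dbghelp.dll", "winhttp.dll", "wtsapi32.dll",
})


@dataclass(frozen=True)
class ImageLoad:
    process: str   # full path of the process that loaded the image
    image: str     # full path of the loaded DLL
    signed: bool   # Sysmon "Signed" field for the loaded image


@dataclass(frozen=True)
class Finding:
    process: str
    image: str
    severity: str
    reasons: tuple[str, ...]


def _under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """True if `path` is `base` or lies anywhere beneath it."""
    return path == base or base in path.parents


def evaluate(event: ImageLoad) -> Finding | None:
    """Score one image-load event; None means the heuristic has nothing to say."""
    image = PureWindowsPath(event.image.lower())
    process = PureWindowsPath(event.process.lower())

    # Only DLL names that also exist in the system directories are of interest:
    # those are the ones a search-order hijack can shadow.
    if image.name not in SYSTEM_DLL_NAMES:
        return None
    if any(_under(image, d) for d in SYSTEM_DIRS):
        return None  # loaded from where Windows keeps it

    reasons = ["system DLL name loaded from outside the Windows system directories"]
    severity = "medium"
    if image.parent == process.parent:
        reasons.append("DLL sits in the loading process's own directory (search-order sideload pattern)")
        severity = "high"
    if not event.signed:
        reasons.append("loaded image is unsigned")
        severity = "high"
    return Finding(event.process, event.image, severity, tuple(reasons))


def scan(events: list[ImageLoad]) -> list[Finding]:
    """Run the heuristic over a batch of events and keep only the hits."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample telemetry; the paths and product names are placeholders.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\eng\Downloads\JobOffer\PdfViewer.exe",
              r"C:\Users\eng\Downloads\JobOffer\version.dll", signed=False),
    ImageLoad(r"C:\Program Files\Vendor\Tool.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\eng\AppData\Local\Temp\setup.exe",
              r"C:\Users\eng\AppData\Local\Temp\helper.dll", signed=False),
    ImageLoad(r"C:\Program Files\Vendor\Tool.exe",
              r"C:\Program Files\Vendor\dbghelp.dll", signed=True),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.process} -> {finding.image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The first sample event (an unsigned `version.dll` beside a PDF viewer launched from a downloads folder) is the shape of load the recommendation asks EDR to surface. The fourth event shows why the rule needs an allowlist before it goes into production: legitimate software does redistribute DLLs such as `dbghelp.dll` next to its own executable, so signed loads by known products should be baselined out rather than paged on. The heuristic also deliberately ignores the third event, where the DLL name is not a system library name; that case needs a different rule (for example, unsigned image loads from user-writable directories) rather than a looser version of this one.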
Affected Countries
Slovakia, Poland, Czech Republic, Hungary, Romania
Technical Details
- Article Source: https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html (fetched 2025-10-24T01:00:05.303Z, 1094 words)
Threat ID: 68facf9f00e9e97283b112e2
Added to database: 10/24/2025, 1:00:15 AM
Last enriched: 10/24/2025, 1:00:28 AM
Last updated: 12/6/2025, 12:24:22 PM