Lazarus Group Targets European Drone Manufacturers in New Espionage Campaign

A North Korea–linked hacking group, Lazarus, has launched a new cyber-espionage campaign targeting European drone and defense manufacturers. Security researchers found that the attackers focused on stealing sensitive data, design documents, and technology related to unmanned aerial vehicles (UAVs). The motive appears to be supporting North Korea’s growing interest in military drone development.

Cybersecurity firm ESET discovered this latest operation, which is part of Lazarus Group’s long-running “Operation DreamJob.” The attackers used fake job offers and recruitment messages to lure employees into opening malicious files. Once a victim clicked, hidden malware was silently installed to gain full access to company systems.

The malware used in the attack, known as ScoringMathTea, allowed the hackers to control infected computers, steal data, and move deeper into corporate networks. It could execute nearly 40 different commands, from file manipulation to remote data transfer, making it a powerful spying tool. The attackers also used customized loaders named to match drone-related projects, confirming their focus on UAV technology.

ESET’s investigation revealed that at least three European companies were targeted, all operating within the defense or drone manufacturing sectors. Their names were not made public, but researchers confirmed that some of their equipment has been used in conflict zones, including Ukraine. The campaign showed careful planning and strong knowledge of the European defense ecosystem.

The techniques used in this attack were consistent with previous Lazarus campaigns, which often rely on social engineering rather than large-scale hacking. By pretending to be recruiters from major companies, the group was able to make its messages appear legitimate and convincing. Once victims believed the offers were real, they unknowingly triggered the malware.

Experts believe North Korea’s motivation is to accelerate its domestic drone production by stealing foreign blueprints and industrial knowledge. Over the past year, Pyongyang has been actively expanding its UAV program and seeking advanced guidance and AI systems. Stealing such data helps the country bypass years of research and development.

This incident serves as a reminder that cyber-espionage is now a key weapon for state-sponsored groups. Instead of attacking random users, these actors choose specific targets that can help them achieve strategic or military goals. Industrial and defense organizations are therefore being urged to review their cybersecurity posture and internal security awareness.

Experts advise employees to be cautious of unsolicited job offers, even from familiar platforms like LinkedIn. Attachments and links in recruitment emails should be verified before opening, and security teams should implement strong multi-factor authentication, endpoint protection, and strict access controls. Vigilance and awareness remain the best defense against such targeted attacks.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news