Lazarus Targets Europe’s UAV Innovation

Red | Attack Report
Lazarus Group Targets European Defense Firms in Operation DreamJob

Summary

The North Korean state-sponsored threat actor Lazarus Group—also known as Labyrinth Chollima, Hidden Cobra, and Zinc—has intensified its global cyber-espionage campaign through Operation DreamJob, targeting European defense organizations involved in unmanned aerial vehicle (UAV) development.

This new wave of attacks, first observed in March 2025, focuses on engineering and defense manufacturers that supply drone hardware and software used in Ukraine. The campaign uses job-themed social engineering lures and malicious loaders, including ScoringMathTea and BinMergeLoader, to infiltrate systems and steal aerospace technology and UAV design intelligence.

Despite widespread awareness of these tactics, the defense sector remains vulnerable to Lazarus’ persistent espionage operations, which aim to accelerate Pyongyang’s domestic drone production by stealing cutting-edge UAV data.


Attack Details

Operation DreamJob represents one of Lazarus’ most strategically significant cyber-espionage campaigns to date, aligning with North Korea’s broader geopolitical and military ambitions.

Campaign Overview

  • Targeted Industries: Aerospace, defense, and engineering organizations developing UAV hardware and control systems.
  • Targeted Regions: Southeastern and Central Europe, where key defense manufacturers support Ukraine’s ongoing defense programs.
  • Initial Access: Lazarus actors initiated attacks using social-engineering emails disguised as legitimate job recruitment messages, delivering malware-laced attachments.
  • Malware Used:
    • ScoringMathTea – A remote access trojan (RAT) providing complete control over compromised hosts.
    • BinMergeLoader – A modular loader used to deliver additional payloads and establish persistence.
    • DroneEXEHijackingLoader.dll – A loader used in earlier stages of the infection chain.

Technical Analysis

  1. Early Intrusion Stages: Attackers employed droppers, loaders, and downloaders to establish footholds, using BinMergeLoader to activate secondary payloads.
  2. Main Payload: The ScoringMathTea RAT was observed across multiple intrusions, enabling data theft, command execution, and network reconnaissance.
  3. Persistence and Control: The malware established encrypted C2 communications for long-term espionage and data exfiltration.
  4. Strategic Objective: Intelligence collection focused on UAV manufacturing processes, software architectures, and supply chain technologies linked to European defense programs.

The attacks reflect Lazarus’ continued evolution toward high-value intelligence theft, shifting from purely financial operations to strategic, defense-focused cyber espionage.


Recommendations

  • Control Access to Sensitive Systems: Restrict access to design files, production environments, and intellectual property repositories using role-based access controls (RBAC).
  • Verify Third-Party Software: Validate all open-source and external tools before integration. Use trusted repositories and enforce integrity checks for new software.
  • Harden Endpoint Security:
    • Keep operating systems, antivirus, and EDR solutions up to date.
    • Patch vulnerabilities promptly to prevent loader- or RAT-based exploitation.
  • Deploy Advanced Endpoint Protection: Implement Next-Gen Antivirus (NGAV) and EDR platforms capable of detecting behavioral anomalies, DLL hijacking, and encrypted RAT activity.
  • Security Awareness Training: Conduct employee phishing simulations and reinforce security best practices, particularly for staff in engineering and defense roles.

Indicators of Compromise (IoCs)

SHA1 Hashes:
28978E987BC59E75CA22562924EAB93355CF679E,
5E5BBA521F0034D342CC26DB8BCFECE57DBD4616,
B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539,
26AA2643B07C48CB6943150ADE541580279E8E0E,
0CB73D70FD4132A4FF5493DAA84AAE839F6329D5,
03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4,
71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF,
87B2DF764455164C6982BA9700F27EA34D3565DF,
E670C4275EC24D403E0D4DE7135CBCF1D54FF09C,
B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE,
5B85DD485FD516AA1F4412801897A40A9BE31837,
B68C49841DC48E3672031795D85ED24F9F619782,
AC16B1BAEDE349E4824335E0993533BF5FC116B3,
2AA341B03FAC3054C57640122EA849BC0C2B6AF6,
CB7834BE7DE07F89352080654F7FEB574B42A2B8,
262B4ED6AC6A977135DECA5B0872B7D6D676083A,
086816466D9D9C12FCADA1C872B8C0FF0A5FC611,
2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05

IPv4 Addresses:
23[.]111[.]133[.]162,
104[.]21[.]80[.]1,
70[.]32[.]24[.]131,
185[.]148[.]129[.]24,
66[.]29[.]144[.]75,
108[.]181[.]92[.]71,
104[.]247[.]162[.]67,
193[.]39[.]187[.]165,
172[.]67[.]193[.]139,
77[.]55[.]252[.]111,
45[.]148[.]29[.]122,
75[.]102[.]23[.]3,
152[.]42[.]239[.]211,
95[.]217[.]119[.]214

Domains:
coralsunmarine[.]com,
kazitradebd[.]com,
oldlinewoodwork[.]com,
www[.]mnmathleague[.]org,
pierregems[.]com,
www[.]scgestor[.]com[.]br,
galaterrace[.]com,
ecudecode[.]mx,
www[.]anvil[.]org[.]ph,
partnerls[.]pl,
trainingpharmacist[.]co[.]uk,
mediostresbarbas[.]com[.]ar,
www[.]bandarpowder[.]com,
spaincaramoon[.]com

File Names:
TSMSISrv.dll, libmupdf.dll, radcui.dll, HideFirstLetter.dll, libpcre.dll, webservices.dll,
RCX1A07.tmp, cache.dat, msadomr.dll, ComparePlus.dll, tzautosync.dat

URLs:
hxxps[:]//coralsunmarine[.]com/wp-content/themes/flatsome/inc/functions/function-hand[.]php,
hxxps[:]//kazitradebd[.]com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand[.]php,
hxxps[:]//oldlinewoodwork[.]com/wp-content/themes/zubin/inc/index[.]php,
hxxps[:]//www[.]mnmathleague[.]org/ckeditor/adapters/index[.]php,
hxxps[:]//pierregems[.]com/wp-content/themes/woodmart/inc/configs/js-hand[.]php,
hxxps[:]//www[.]scgestor[.]com[.]br/wp-content/themes/vantage/inc/template-headers[.]php,
hxxps[:]//galaterrace[.]com/wp-content/themes/hello-elementor/includes/functions[.]php,
hxxps[:]//ecudecode[.]mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp[.]php,
hxxps[:]//www[.]anvil[.]org[.]ph/list/images/index[.]php,
hxxps[:]//partnerls[.]pl/wp-content/themes/public/index[.]php,
hxxps[:]//trainingpharmacist[.]co[.]uk/bootstrap/bootstrap[.]php,
hxxps[:]//mediostresbarbas[.]com[.]ar/php_scrip/banahosting/index[.]php,
hxxps[:]//www[.]bandarpowder[.]com/public/assets/buttons/bootstrap[.]php,
hxxps[:]//spaincaramoon[.]com/realestate/wp-content/plugins/gravityforms/forward[.]php
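The indicator lists above are published defanged (`hxxps`, `[.]`, `[:]`), so they cannot be fed to a matching engine as-is. The following Python script is an added example, not part of the original advisory: it refangs a subset of the hashes, IPs, domains, file names and URLs listed above, then scans constructed key=value telemetry lines (a proxy event and two file events; the non-advisory hostnames and paths are placeholders) and reports which indicator types each event matched. Because the file names in the list are names the malware masquerades under (libmupdf.dll, libpcre.dll and similar are also legitimate library names), a file-name-only match is reported as low confidence, a domain or IP match as medium, and a hash or full-URL match as high; that tiering is a design choice of this example, not something the advisory specifies.

```python
"""Refang the advisory's defanged IoCs and match them against sample telemetry."""
import re

# Constructed subset of the advisory's IoC lists, copied in defanged form.
RAW_IOCS = """
SHA1 Hashes:
28978E987BC59E75CA22562924EAB93355CF679E,
5E5BBA521F0034D342CC26DB8BCFECE57DBD4616

IPv4 Addresses:
23[.]111[.]133[.]162,
185[.]148[.]129[.]24

Domains:
coralsunmarine[.]com,
www[.]mnmathleague[.]org

File Names:
TSMSISrv.dll, libmupdf.dll, radcui.dll

URLs:
hxxps[:]//coralsunmarine[.]com/wp-content/themes/flatsome/inc/functions/function-hand[.]php,
hxxps[:]//www[.]mnmathleague[.]org/ckeditor/adapters/index[.]php
"""

# Constructed key=value telemetry (proxy and file events). Only the
# advisory's own indicators are real; other hosts, IPs and paths are placeholders.
SAMPLE_LOG = r"""
ts=2025-03-12T10:15:02Z type=proxy src=10.20.30.40 dst=23.111.133.162 host=coralsunmarine.com url=https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php
ts=2025-03-12T10:16:40Z type=proxy src=10.20.30.41 dst=203.0.113.10 host=intranet.example url=https://intranet.example/index.html
ts=2025-03-12T10:17:05Z type=file src=10.20.30.40 path=C:\Users\eng\AppData\Local\Temp\TSMSISrv.dll sha1=28978e987bc59e75ca22562924eab93355cf679e
ts=2025-03-12T10:18:11Z type=file src=10.20.30.42 path=C:\Tools\pdf\libmupdf.dll sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

DEFANG_MAP = (("hxxps", "https"), ("hxxp", "http"), ("[:]", ":"), ("[.]", "."))

# Confidence per indicator type (design choice of this example, see lead-in).
CONFIDENCE = {"sha1": "high", "url": "high", "domain": "medium", "ip": "medium", "filename": "low"}
RANK = ("high", "medium", "low")

def refang(value: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    for defanged, live in DEFANG_MAP:
        value = value.replace(defanged, live)
    return value

def parse_iocs(text: str) -> dict[str, set[str]]:
    """Group the comma-separated lists under their 'Category:' headings, lower-cased and refanged."""
    iocs: dict[str, set[str]] = {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            category = line[:-1]
            iocs.setdefault(category, set())
            continue
        if category is None:
            continue
        for item in line.split(","):
            item = item.strip()
            if item:
                iocs[category].add(refang(item).lower())
    return iocs

def host_matches(host: str, domains: set[str]) -> bool:
    """Exact match or subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value telemetry line into a dict."""
    return dict(KV_RE.findall(line))

def match_event(event: dict[str, str], iocs: dict[str, set[str]]) -> list[str]:
    """Return the indicator types this event matches, strongest first."""
    hits = []
    if event.get("sha1", "").lower() in iocs.get("SHA1 Hashes", set()):
        hits.append("sha1")
    if event.get("url", "").lower() in iocs.get("URLs", set()):
        hits.append("url")
    if "host" in event and host_matches(event["host"], iocs.get("Domains", set())):
        hits.append("domain")
    if event.get("dst") in iocs.get("IPv4 Addresses", set()):
        hits.append("ip")
    if "path" in event:
        # Compare the basename only, so Windows and POSIX paths both work.
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in iocs.get("File Names", set()):
            hits.append("filename")
    return hits

def scan_log(log_text: str, iocs: dict[str, set[str]]) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, confidence, hits) for each event that matched at least one IoC."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = match_event(event, iocs)
        if hits:
            # Overall confidence is that of the strongest matching indicator.
            best = min(hits, key=lambda h: RANK.index(CONFIDENCE[h]))
            findings.append((event["ts"], CONFIDENCE[best], hits))
    return findings

if __name__ == "__main__":
    for ts, conf, hits in scan_log(SAMPLE_LOG, parse_iocs(RAW_IOCS)):
        print(f"{ts} {conf:6} {','.join(hits)}")
```

Running the script flags the first proxy event at high confidence (URL, domain and IP all match), the TSMSISrv.dll drop at high confidence on its SHA1, and the libmupdf.dll event at low confidence on file name alone, which is the case that warrants a hash or path check before escalation. Paste the full lists from the advisory into RAW_IOCS to use it against real proxy, DNS and EDR exports in the same key=value shape.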


MITRE ATT&CK TTPs

Tactic               | Technique                                 | ID
Resource Development | Compromise Infrastructure – Server        | T1584, T1584.004
Initial Access       | Phishing – Malicious File                 | T1566, T1204.002
Execution            | User Execution – Malicious File           | T1204.002
Persistence          | Shared Modules, DLL Hijacking             | T1129, T1574.001
Defense Evasion      | Obfuscated Files / Dynamic API Resolution | T1027, T1027.007
Discovery            | System and Process Discovery              | T1082, T1057
Exfiltration         | Exfiltration Over C2 Channel              | T1041
Command and Control  | Encrypted Web Protocols                   | T1071.001, T1573.001
Impact               | Masquerading                              | T1036
