ESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the umbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers.
Key points of this blogpost:
- Lazarus attacks against companies developing UAV technology align with recently reported developments in the North Korean drone program.
- The suspected primary goal of the attackers was likely the theft of proprietary information and manufacturing know-how.
- Based on the social-engineering technique used for initial access, trojanizing open-source projects from GitHub, and the deployment of ScoringMathTea, we consider these attacks to be a new wave of the Operation DreamJob campaign.
- The group’s most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion.
Profile of Lazarus and its Operation DreamJob
The Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.
Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the “dream job” lure). This name was coined in a 2020 blogpost by ClearSky, and overlaps with campaigns like DeathNote or Operation North Star. Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies and the media and entertainment sector. In these campaigns, the attackers usually deploy trojanized open-source plugins for software like Notepad++ and WinMerge that serve as droppers and loaders, and payloads like ImprudentCook, ScoringMathTea, BlindingCan, miniBlindingCan, LightlessCan for Windows, and SimplexTea for Linux. The primary goal is cyberespionage, focusing on stealing sensitive data, intellectual property, and proprietary information, and the secondary goal is financial gain.
Overview
Starting in late March 2025, we observed in ESET telemetry cyberattacks reminiscent of Operation DreamJob campaigns. The in-the-wild attacks successively targeted three European companies active in the defense sector. Although their activities are somewhat diverse, these entities can be described as:
- a metal engineering company (Southeastern Europe),
- a manufacturer of aircraft components (Central Europe), and
- a defense company (Central Europe).
All cases involved droppers that have the interesting internal DLL name, DroneEXEHijackingLoader.dll, which led us down the drone segment rabbit hole. Also, initial access was likely achieved via social engineering – an Operation DreamJob specialty. The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it.
The main payload deployed to the targets was ScoringMathTea, a RAT that offers the attackers full control over the compromised machine. Its first appearance dates to late 2022, when its dropper was uploaded to VirusTotal. Soon after, it was seen in the wild, and since then in multiple attacks attributed to Lazarus’ Operation DreamJob campaigns, which makes it the attacker’s payload of choice for three years now. It uses compromised servers for C&C communication, with the server part usually stored under the WordPress folder containing design templates or plugins.
In summary, we attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to Operation DreamJob, based on the following:
- Initial access was obtained by social engineering, convincing the target to execute malware disguised as a job description, in order to succeed in a hiring process.
- Trojanizing open-source projects and then crafting their exports to fit the DLL side-loading seems to be an approach specific to Operation DreamJob.
- The flagship payload for later stages, ScoringMathTea, was used in multiple similar attacks in the past.
- The targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob (aerospace, defense, engineering).
Geopolitical context
The three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance. At the time of Operation DreamJob’s observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in the Kursk oblast. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war.
More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. In any case, there is no indication that the targeted companies supply military equipment to the South Korean armed forces – which could have been another element explaining Operation DreamJob’s interest in these companies. Interestingly, however, at least two of these organizations are clearly involved in the development of UAV technology, with one manufacturing critical drone components and the other reportedly engaged in the design of UAV-related software.
The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities.
Although this effort can be traced back to more than a decade ago, recent experiences in the Russia-Ukraine war have reinforced North Korea’s resolve in its drone program. With assistance from Russia, Pyongyang is now working on producing its own versions of Iranian-made drones and developing low-cost attack UAVs for potential export to African or Middle Eastern countries.
North Korea has heavily relied on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. Open-source reports show that North Korea’s reconnaissance and combat drones closely resemble US counterparts, indicating strong inspiration from Western designs. Cyberespionage, attributed to North Korean-aligned APT groups, likely played a role in acquiring Western UAV technology. Operation DreamJob, a campaign associated with Lazarus, may have been aimed at stealing proprietary information related to UAVs.
The tools used by Lazarus in Operation DreamJob in 2024 have evolved in 2025, with droppers, loaders, and downloaders being deployed to gain control over compromised machines. These tools, such as trojanized MuPDF readers and loaders disguised as Microsoft libraries, are used to deliver payloads like RATs and complex downloaders. The attackers have incorporated malicious loading routines into open-source projects, using various malware to carry out their operations. One of the loaders contains the string SampleIMESimplifiedQuanPin.txt, which suggests that it is based on the open-source project Sample IME, a TSF-based input method editor demo; we refer to this loader as QuanPinLoader.
One of the droppers (SHA-1: 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4) is named DroneEXEHijackingLoader.dll internally and is disguised as a Windows Web Services Runtime library to facilitate side-loading. The inclusion of the substring drone may indicate a reference to both a UAV device and the internal campaign name of the attacker.

Table 1 illustrates a common combination of legitimate executable files (EXEs) and malicious dynamic link libraries (DLLs) delivered to the victim’s system. The DLLs listed are either trojanized open-source applications or standalone malware binaries side-loaded by a legitimate EXE. The folder locations for these files are atypical for legitimate applications. Malicious DLLs utilize the DLL proxying technique to ensure proper execution. In the case of trojanized projects, these DLLs contain two distinct types of exports: functions required for DLL proxying and functions exported from the open-source project.
Table 1. Summary of binaries involved in the attack
| Location folder | Legitimate parent process | Malicious side-loaded DLL | Trojanized project (payload) |
|---|---|---|---|
| N/A | wksprt.exe* | webservices | ComparePlus v1.1.0 (N/A) |
| %ALLUSERSPROFILE%\EMC\, %ALLUSERSPROFILE%\Adobe\ | wksprt.exe | webservices | Standalone (ScoringMathTea) |
| %ALLUSERSPROFILE%\ | wkspbroker.exe | radcui.dll | DirectX wrappers d3d8.dll/ddraw.dll (ScoringMathTea) |
| %APPDATA%\Microsoft\RemoteApp\ | wkspbroker.exe | radcui.dll | Standalone (BinMergeLoader) |

\* Denotes a VirusTotal submission and its likely parent process. The payload is unknown, since a long command-line argument is required for its decryption from the trojanized project.
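The side-loading pattern in Table 1 is easy to turn into a detection: a legitimate, signed Windows executable (wksprt.exe, wkspbroker.exe) loads a DLL that carries the name of a System32 library (webservices.dll, radcui.dll) from a folder where that library never lives. The following detector is an added example written for this blogpost, not code from ESET or from the malware itself; it applies that rule to Sysmon-style image-load (Event ID 7) records. The key=value line format, the `Alert` type, and the sample events are constructed for the example; the process/DLL pairings and the atypical folders come from Table 1 (%ALLUSERSPROFILE% expands to C:\ProgramData on modern Windows).

```python
"""Detect the side-loading pairs from Table 1 in Sysmon-style image-load events.

Added example; not part of the ESET blogpost or its tooling. The event format
is an assumed, constructed "key=value, key=value" rendering of Sysmon EID 7.
"""
import ntpath
import re
from dataclasses import dataclass

# Legitimate hosts named in Table 1, mapped to the DLL names that were spoofed
# next to them. Both DLLs ship only in System32 on a clean system.
SIDELOAD_PAIRS = {
    "wksprt.exe": {"webservices.dll"},
    "wkspbroker.exe": {"radcui.dll"},
}

# The only folders the genuine libraries are expected to be loaded from.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Parses "Key=value" pairs separated by commas (constructed format).
EVENT_RE = re.compile(r"(\w+)=([^,]+)")


@dataclass
class Alert:
    process: str
    image_loaded: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one log line into a dict with lower-cased keys."""
    return {k.lower(): v.strip() for k, v in EVENT_RE.findall(line)}


def is_suspicious(event: dict):
    """Return an Alert if the event matches the Table 1 pattern, else None."""
    # ntpath handles Windows paths correctly even when run on Linux.
    proc = ntpath.basename(ntpath.normpath(event.get("image", ""))).lower()
    dll_path = ntpath.normpath(event.get("imageloaded", "")).lower()
    dll_name = ntpath.basename(dll_path)
    dll_dir = ntpath.dirname(dll_path)

    if dll_name not in SIDELOAD_PAIRS.get(proc, ()):
        return None  # not one of the host/DLL pairs we care about
    if dll_dir not in TRUSTED_DLL_DIRS:
        return Alert(proc, dll_path, f"{dll_name} loaded from {dll_dir}, not System32")
    if event.get("signed", "").lower() != "true":
        # Same name, right folder, but the binary is unsigned: still worth a look.
        return Alert(proc, dll_path, f"unsigned {dll_name} in a system folder")
    return None


def scan(lines):
    """Run every line through the detector and collect the alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("eventid") != "7":
            continue
        alert = is_suspicious(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the genuine webservices.dll loaded from System32.
    "EventID=7, Image=C:\\Windows\\System32\\wksprt.exe, "
    "ImageLoaded=C:\\Windows\\System32\\webservices.dll, Signed=true",
    # Table 1, row 2: copied wksprt.exe plus spoofed webservices.dll under %ALLUSERSPROFILE%\EMC\.
    "EventID=7, Image=C:\\ProgramData\\EMC\\wksprt.exe, "
    "ImageLoaded=C:\\ProgramData\\EMC\\webservices.dll, Signed=false",
    # Table 1, row 4: radcui.dll under %APPDATA%\Microsoft\RemoteApp\.
    "EventID=7, Image=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\RemoteApp\\wkspbroker.exe, "
    "ImageLoaded=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\RemoteApp\\radcui.dll, Signed=false",
    # Unrelated application loading its own helper DLL: not this pattern.
    "EventID=7, Image=C:\\Program Files\\App\\app.exe, "
    "ImageLoaded=C:\\ProgramData\\App\\helper.dll, Signed=true",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.process}] {a.image_loaded}: {a.reason}")
```

Running the block on the constructed events flags the two Table 1 look-alikes and ignores both the genuine System32 load and the unrelated application. Matching on the DLL's directory rather than on the host process's directory matters here: Table 1 shows the legitimate EXE itself copied next to the malicious DLL, so a rule keyed only on "wksprt.exe outside System32" would still work, but keying on where the system-named DLL comes from also catches the case where the host is launched from its real location with a search-order hijack.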
ScoringMathTea
ScoringMathTea is a sophisticated RAT with approximately 40 commands. Its name combines ScoringMath from a C&C domain used in an early variant (www.scoringmnmathleague[.]org) with the suffix -Tea, representing a North Korea-aligned payload according to ESET Research. Initially documented by Kaspersky in April 2023 and later by Microsoft in October 2023 as ForestTiger, the name correlates with the internal DLL name or PDB information found in some samples.
ScoringMathTea first surfaced in VirusTotal submissions from Portugal and Germany in October 2022, where it masqueraded as an Airbus-themed job offer lure. The RAT’s functionalities align with typical Lazarus operations, including file and process manipulation, configuration exchange, system information gathering, TCP connection establishment, and execution of local commands or downloaded payloads from the C&C server. The current version shows no significant changes in features or command interpretation, indicating ongoing minor enhancements and bug fixes.
Based on ESET telemetry, ScoringMathTea has been observed in attacks against various companies, including an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It appears to be a prominent payload in Operation DreamJob campaigns, despite Lazarus having more advanced payloads like LightlessCan.
Conclusion
Over the past three years, Lazarus has consistently used its primary payload, ScoringMathTea, and similar techniques to trojanize open-source applications. This strategy, though predictable, has proven effective in evading security measures, albeit without concealing the group’s identity or attribution. Despite media coverage of Operation DreamJob and its social engineering tactics, employee awareness in critical sectors such as technology and defense remains insufficient to address the risks posed by suspicious hiring processes.
While other interpretations are plausible, it is likely that the Operation DreamJob campaign was primarily aimed at gathering sensitive information on UAV-related technology. Given North Korea’s efforts to enhance its drone capabilities, it is probable that organizations operating in this sector will attract the attention of North Korea-aligned threat actors in the near future.
For inquiries regarding our research featured on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research provides private APT intelligence reports and data feeds. For any inquiries about this service, please visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 28978E987BC59E75CA22562924EAB93355CF679E | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| 5E5BBA521F0034D342CC26DB8BCFECE57DBD4616 | libmupdf.dll | Win64/NukeSped.TE | A loader disguised as a MuPDF rendering library v3.3.3. |
| B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539 | radcui.dll | Win64/NukeSped.TO | A dropper disguised as a RemoteApp and Desktop Connection UI Component library. |
| 26AA2643B07C48CB6943150ADE541580279E8E0E | HideFirstLetter.DLL | Win64/NukeSped.TO | BinMergeLoader. |
| 0CB73D70FD4132A4FF5493DAA84AAE839F6329D5 | libpcre.dll | Win64/NukeSped.TP | A loader that is a trojanized libpcre library. |
| 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4 | webservices.dll | Win64/NukeSped.RN | A dropper disguised as a Microsoft Web Services Runtime library. |
| 71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 87B2DF764455164C6982BA9700F27EA34D3565DF | webservices.dll | Win64/NukeSped.RW | A dropper disguised as a Microsoft Web Services Runtime library. |
| E670C4275EC24D403E0D4DE7135CBCF1D54FF09C | N/A | Win64/NukeSped.RW | ScoringMathTea. |
| B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE | radcui.dll | Win64/NukeSped.TF | A loader disguised as a RemoteApp and Desktop Connection UI Component library. |
| 5B85DD485FD516AA1F4412801897A40A9BE31837 | RCX1A07.tmp | Win64/NukeSped.TH | A loader of an encrypted ScoringMathTea. |
| B68C49841DC48E3672031795D85ED24F9F619782 | TSMSISrv.dll | Win64/NukeSped.TL | QuanPinLoader. |
| AC16B1BAEDE349E4824335E0993533BF5FC116B3 | cache.dat | Win64/NukeSped.QK | A decrypted ScoringMathTea RAT. |
| 2AA341B03FAC3054C57640122EA849BC0C2B6AF6 | msadomr.dll | Win64/NukeSped.SP | A loader disguised as a Microsoft DirectInput library. |
| CB7834BE7DE07F89352080654F7FEB574B42A2B8 | ComparePlus.dll | Win64/NukeSped.SJ | A trojanized Notepad++ plugin disguised as a Microsoft Web Services Runtime library. |
Dropper Analysis from VirusTotal
| SHA-256 Hash | File Name | Detection Name | Description |
|---|---|---|---|
| 262B4ED6AC6A977135DECA5B0872B7D6D676083A | tzautosync.dat | Win64/NukeSped.RW | Decrypted ScoringMathTea, stored encrypted on the disk. |
| 086816466D9D9C12FCADA1C872B8C0FF0A5FC611 | N/A | Win64/NukeSped.RN | ScoringMathTea. |
| 2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05 | cache.dat | Win64/NukeSped.SN | Downloader similar to BinMergeLoader built as a trojanized NPPHexEditor plugin. |
Network
| IP | Domain | Hosting Provider | First Seen | Details |
|---|---|---|---|---|
| 23.111.133[.]162 | coralsunmarine[.]com | HIVELOCITY, Inc. | 2024-06-06 | ScoringMathTea C&C server: coralsunmarine.com |
| 104.21.80[.]1 | kazitradebd[.]com | Cloudflare, Inc. | 2025-01-11 | ScoringMathTea C&C server: kazitradebd.com |
MITRE ATT&CK Techniques
This table was constructed using version 17 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|