
North Korean Lazarus Hackers Infiltrate European Defense Firms Using Fake Job Offers

A newly uncovered cyber-espionage campaign has revealed just how far North Korea’s state-sponsored hackers are willing to go to steal military secrets. Researchers have confirmed that the Lazarus Group, a hacking organization tied to Pyongyang’s intelligence services, targeted multiple defense companies across Europe in early 2025.

The operation, which cybersecurity experts have dubbed Operation DreamJob, focused on firms involved in developing unmanned aerial vehicles (UAVs), drone components, and aerospace technologies. These weren’t random victims. They were deeply integrated into the European defense supply chain, including companies providing equipment and software used in ongoing military operations.

According to security firm ESET, the hackers’ main goal was to steal proprietary blueprints, system designs, and technical documentation that could help North Korea advance its own weapons programs.

Instead of using brute-force attacks or exploiting known software vulnerabilities to get in, the Lazarus Group relied on something far more effective: social engineering.

Investigators found that the attackers posed as recruiters for well-known defense and technology firms. They sent out what appeared to be legitimate job offers, often for high-level engineering or development positions. These messages included attached files disguised as harmless job descriptions or technical documents.

In reality, the attachments were weaponized. Victims who opened the documents unknowingly executed trojanized files designed to install malware on their systems. The hackers used a sophisticated technique known as DLL sideloading, in which a legitimate, trusted application is made to load a malicious DLL placed alongside it, so the malicious code runs under the cover of legitimate software. This approach helped the malware avoid detection by antivirus tools.

Once the infected file was opened, a custom-built loader quietly deployed a remote access tool (RAT) called ScoringMathTea, giving the hackers full control of the compromised computer. From there, Lazarus operatives could spy on internal communications, copy files, and explore connected systems across the company network.

In some cases, another variant known as BinMergeLoader was used to pull additional payloads from the cloud using Microsoft’s Graph API, blending seamlessly into normal traffic and making it even harder for investigators to trace.
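The Graph API traffic described above blends in precisely because many legitimate Microsoft clients use the same endpoints. One defender-side check is to look not at the destination but at which process is talking to it. The following is an added example, not code from the article or from ESET's analysis: it parses a small set of constructed, pipe-delimited network events (the format, the sample rows, and the allowlist of expected Graph clients are all assumptions to be replaced with real EDR or proxy telemetry) and flags Graph requests made by processes outside the allowlist, singling out fetches of file content.

```python
"""Spot Microsoft Graph API traffic from processes that should not be
using it, a defender-side check for loaders that fetch payloads via Graph.

Added example; not code from the article or ESET. The event format, the
sample events and the allowlist of expected Graph clients are constructed
assumptions and must be adapted to real EDR or proxy telemetry.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed allowlist: processes expected to talk to Graph in this environment.
# Illustrative only; tune per organisation.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}

# Constructed sample telemetry, pipe-delimited:
# timestamp | host | user | process image | destination host | URL path
SAMPLE_EVENTS = r"""
2025-03-12T08:01:10Z | ws-eng-07 | jdoe | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | graph.microsoft.com | /v1.0/me/messages
2025-03-12T08:03:44Z | ws-eng-07 | jdoe | C:\Users\jdoe\AppData\Local\Temp\Job_Description_Viewer.exe | graph.microsoft.com | /v1.0/me/drive/root/children
2025-03-12T08:04:02Z | ws-eng-07 | jdoe | C:\Users\jdoe\AppData\Local\Temp\Job_Description_Viewer.exe | graph.microsoft.com | /v1.0/me/drive/items/ITEMID/content
2025-03-12T08:10:00Z | ws-eng-03 | asmith | C:\Program Files\Microsoft\Teams\Teams.exe | graph.microsoft.com | /v1.0/me/presence
2025-03-12T08:12:31Z | ws-eng-03 | asmith | C:\Windows\System32\svchost.exe | updates.vendor.example | /check
"""


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str
    user: str
    image: str
    dest: str
    path: str


def parse_events(text: str) -> list:
    """Parse pipe-delimited lines into NetEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"malformed event: {line!r}")
        events.append(NetEvent(*fields))
    return events


def process_name(image: str) -> str:
    """Lower-cased basename of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unexpected_graph_clients(events) -> list:
    """Events where a process outside the allowlist reached a Graph host."""
    return [
        ev for ev in events
        if ev.dest.lower() in GRAPH_HOSTS
        and process_name(ev.image) not in EXPECTED_GRAPH_CLIENTS
    ]


def summarize(hits) -> dict:
    """Count hits per (host, process) and note any file-content fetches.

    In Graph, /drive/items/{id}/content returns a file's bytes, so a hit on
    that path from an unexpected process is the payload-download signal.
    """
    per_process = Counter((ev.host, process_name(ev.image)) for ev in hits)
    downloads = [ev for ev in hits if ev.path.endswith("/content")]
    return {"per_process": dict(per_process), "downloads": len(downloads)}


if __name__ == "__main__":
    found = find_unexpected_graph_clients(parse_events(SAMPLE_EVENTS))
    for ev in found:
        print(f"{ev.ts} {ev.host} {ev.user} {process_name(ev.image)} -> {ev.dest}{ev.path}")
    print(summarize(found))
```

On the constructed data the two requests from the executable in the user's Temp directory are flagged, one of them a `/content` fetch; the Outlook and Teams requests pass because those images are on the allowlist. In a real deployment the allowlist should be built from observed baseline traffic rather than guessed, and image paths should be checked alongside names so a renamed binary cannot simply borrow an allowed name.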

The drones were the perfect target

The choice of victims wasn’t random. Over the last few years, drones have become a defining feature of modern warfare and surveillance. For countries like North Korea, access to Western drone technology is a major strategic advantage.

By breaching European defense contractors, Lazarus likely aimed to gather intelligence on drone control systems, targeting algorithms, and manufacturing processes. This information could help Pyongyang replicate or adapt similar technologies domestically.

At least one of the targeted firms is believed to have supplied parts or software used in UAVs deployed in Ukraine. For North Korea, which has been expanding its own drone program and has reportedly provided arms support to Russia, stealing this kind of technical information serves both military and political purposes.

Experts say the stolen data could also help North Korea strengthen its cyberwarfare and missile programs, areas where technological innovation has long been limited by international sanctions.

ESET’s analysis revealed that the Lazarus operation began around March 2025 and was still active months later. Three confirmed companies, located in Central and Southeastern Europe, were compromised or targeted.

The hackers demonstrated patience and professionalism. They didn’t attempt to destroy data or hold systems for ransom. Instead, they moved quietly, seeking access and information that could be valuable over the long term.

While the specific details of the data theft haven’t been made public, researchers confirmed that Lazarus successfully infiltrated at least one network, exfiltrating sensitive design files and internal communications.

Investigators also noted that the tools used in this campaign resembled those from earlier Lazarus operations. The group often reuses code and infrastructure, tweaking it to evade detection. That continuity, combined with unique malware signatures and command-and-control servers, helped researchers attribute the campaign to Lazarus with high confidence.

Lazarus has been linked to some of the most high-profile cyber incidents in the world

This incident fits into a broader pattern of North Korea’s reliance on cyber-espionage to bypass international sanctions. Unable to import advanced technology through legitimate means, the country has turned hacking into an alternative research and revenue pipeline.

Over the past decade, Lazarus has been linked to some of the most high-profile cyber incidents in the world, from the 2014 Sony Pictures hack to the 2017 WannaCry ransomware outbreak, and more recently, to massive cryptocurrency thefts worth billions of dollars. The group’s ability to shift from financial crimes to targeted espionage demonstrates its flexibility and deep state backing.

Experts say Lazarus is not just a criminal syndicate but a hybrid operation serving both the North Korean government’s intelligence apparatus and its need for hard currency. The European drone operation shows that its mission has evolved from generating funds to directly supporting military and strategic goals.

People are often the weakest link

The Lazarus campaign offers a stark reminder that in today’s cybersecurity landscape, people are often the weakest link. Even the most advanced defense contractors can fall victim when attackers exploit trust instead of technology.

Companies in sensitive industries (e.g., aerospace, defense, energy) must now assume they are potential targets for state-backed hackers. This means tightening both technical defenses and employee awareness.

Recruitment-related scams, like the ones Lazarus used, are becoming more common. Organizations should verify all unsolicited job or partnership offers, enforce strict attachment controls, and train staff to recognize social-engineering tactics. Multifactor authentication and network segmentation can limit the damage if a breach does occur.

Equally important is monitoring software supply chains. Lazarus’s use of DLL sideloading shows how attackers abuse legitimate software to deliver malware. Regular code integrity checks and software verification processes can help detect such tampering before it reaches employees’ devices.
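The DLL sideloading technique described earlier and the code-integrity checks recommended here meet at the same place: the directory of a trusted application. Because sideloading works by placing a DLL next to a legitimate executable or replacing one already there, a baseline of file hashes taken from a clean install exposes both cases. The block below is an added example, not code from the article, ESET, or any vendor: it builds a hash manifest of an application directory, then reports files that were modified, added, or removed, with new DLLs sorted to the top. The directory layout and file contents are constructed for the demonstration.

```python
"""Detect DLL sideloading footprints by comparing an application directory
against a baseline manifest of file hashes taken from a clean install.

Added example, not code from the article or from ESET. The manifest format
and the sample directory contents are constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: Path) -> dict:
    """Record the hash of every file under app_dir, keyed by relative path."""
    return {
        str(p.relative_to(app_dir)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file()
    }


def check_integrity(app_dir: Path, manifest: dict) -> dict:
    """Compare the live directory against the baseline manifest.

    modified   - files whose hash changed (a legitimate DLL replaced in place)
    unexpected - files absent from the manifest; a new DLL beside a trusted
                 executable is the classic sideloading footprint
    missing    - files in the manifest that are gone
    """
    current = build_manifest(app_dir)
    modified = [p for p, h in current.items() if p in manifest and manifest[p] != h]
    unexpected = [p for p in current if p not in manifest]
    missing = [p for p in manifest if p not in current]
    # Loadable modules dropped next to an executable deserve the first look
    unexpected.sort(key=lambda p: (not p.lower().endswith(".dll"), p))
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a clean install, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "VendorApp"
        app.mkdir()
        # Constructed stand-ins for a signed viewer and its helper library
        (app / "viewer.exe").write_bytes(b"MZ legitimate signed viewer")
        (app / "render.dll").write_bytes(b"MZ legitimate helper")
        manifest = build_manifest(app)

        # Constructed tampering: a rogue DLL appears and the helper is replaced
        (app / "plugin.dll").write_bytes(b"MZ not from the vendor")
        (app / "render.dll").write_bytes(b"MZ patched helper")
        return check_integrity(app, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest should be generated at packaging or deployment time and stored somewhere the endpoint cannot rewrite, and the comparison scheduled alongside Authenticode signature checks; a hash baseline catches the dropped or swapped file, while the signature check tells you whether what remains is still the vendor's.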

For European defense companies, this campaign is a warning that national borders offer little protection against cyber-espionage. Attackers with government resources and long-term goals are patient and deliberate. They’re not after quick payoffs, but strategic advantages.

For North Korea, the campaign highlights how cyber operations have become an integral part of its national policy. By stealing rather than developing technology, the regime can close the gap between itself and more advanced nations, even under sanctions.

The Lazarus Group’s ongoing success also exposes a troubling reality. Despite years of exposure and tracking, they remain one of the world’s most persistent and adaptive hacking collectives. Their tactics continue to evolve, and as long as they keep finding new ways to exploit human trust, they will remain a formidable threat.

The European drone attacks are just the latest reminder that in the world of cyberwarfare, the most dangerous weapon isn’t a missile or a drone but a well-crafted email that lands in the right inbox.