The North Korean state-sponsored hacking collective known as the Lazarus Group conducted a sophisticated cyber espionage campaign targeting aerospace and defense companies across Europe. The campaign, identified by security researchers as “Operation DreamJob,” leveraged fake job advertisements as its primary infiltration method.
Attackers impersonated human resources personnel and recruiters from prominent defense contractors to lure employees working in the targeted sector. This highly targeted social engineering scheme was designed to steal sensitive corporate data and intellectual property.
The Social Engineering Scheme
The operation’s initial phase relied heavily on the professional networking site LinkedIn. Lazarus Group operatives created convincing fake profiles, posing as recruiters for well-known companies in the defense and aerospace industry. They initiated contact with employees at specific European companies, presenting them with seemingly legitimate and attractive job opportunities.
Once a target showed interest, the communication would often move to another platform, such as WhatsApp. The fake recruiter would then send the victim a malicious document, typically disguised as a PDF or Word file containing job details or an application form. This document was the entry point for the malware infection.
Malware Deployment and Espionage
When the victim opened the malicious document, it triggered a multi-stage infection process. The initial payload acted as a dropper, downloading and executing further malicious components on the victim’s system. Security firm ESET identified a custom backdoor used in this campaign, a variant of the NukeSped malware family.
This backdoor provided the attackers with remote control over the compromised machine, enabling them to execute commands, exfiltrate files, and move laterally within the corporate network. The ultimate goal of the operation was long-term espionage, focused on stealing proprietary information from Europe’s defense and drone technology sectors.
Source: https://www.helpnetsecurity.com/2025/10/23/eset-lazarus-operation-dreamjob/