
North Korean hackers target drone industry with fake job offers to steal secrets

North Korean state-linked hackers are running a new cyber-espionage campaign against Europe’s defence sector, luring engineers in the drone industry with fake job offers to plant malware and steal sensitive technology.


Researchers at ESET identified the campaign as part of the long-running “Operation Dream Job,” which has been tied to the Lazarus Group — one of Pyongyang’s most notorious hacking units.

 

The attacks, observed since March 2025, specifically target engineers and project managers at aircraft-component and metal-manufacturing companies involved in unmanned aerial-vehicle (UAV) production across Central and Southeastern Europe.

 

Victims received personalised recruitment messages promising lucrative positions, often impersonating major defence contractors. Once the targets downloaded the attached job materials, malware families dubbed ScoringMathTea (also known as ForestTiger) and MISTPEN were deployed, granting attackers remote access to their systems and enabling data exfiltration.

 

Analysts believe the operation aims to collect technical blueprints, manufacturing methods, and supply-chain data to aid North Korea’s drone programme and broader military modernisation. The campaign also demonstrates the Lazarus Group’s ability to adapt social-engineering tactics to specific industries, exploiting trusted business channels rather than random phishing attempts.

 

Experts warn that this type of targeted infiltration blurs the line between cyber-espionage and industrial theft, posing significant risks for companies embedded in NATO and EU defence supply chains.

 

By masquerading as recruiters, the attackers leverage corporate norms and professional curiosity to compromise endpoints that traditional perimeter defences might overlook.

 

As the line between professional networking and cyber intrusion narrows, organisations must treat unsolicited recruitment approaches with the same caution as any other external access vector.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543