North Korea’s Lazarus Group has launched a new wave of cyber-espionage operations targeting European drone manufacturers and defense firms involved in supplying unmanned aerial vehicles (UAVs) to Ukraine.
The campaign, which security researchers link to the long-running Operation DreamJob, uses sophisticated phishing lures disguised as recruitment offers from major aerospace companies to infiltrate sensitive military production networks.
Cyber analysts at ESET identified the malware strain ScoringMathTea as the group’s primary tool in the campaign. Once installed, the malware provides full system access, allowing attackers to exfiltrate proprietary drone schematics, manufacturing data, and operational control software critical to Europe’s defense supply chain.
INTELLIGENCE TARGETING ACROSS THE DRONE SECTOR
ESET’s threat research team confirmed that at least three European defense contractors — each responsible for manufacturing advanced UAV systems — were directly targeted between May and August 2025. One of the compromised entities reportedly produces two drone models currently deployed in Ukraine, suggesting Lazarus’ intent to reverse-engineer or enhance its own battlefield drone capabilities.
According to ESET analyst Alexis Rapin, one of the companies attacked also plays a key role in the supply chain for single-rotor UAVs, a class of aircraft North Korea has been developing domestically. The timing aligns with reports of North Korean troops appearing on the front lines in Russia’s Kursk region, where captured communications revealed their use of reconnaissance drones to coordinate artillery fire with Russian forces.
The overlap between cyber-theft and battlefield application underscores a broader pattern: Pyongyang’s digital operations directly fuel its kinetic warfare and foreign military support.
OPERATION DREAMJOB — AN OLD CAMPAIGN WITH NEW TARGETS
The Operation DreamJob campaign, active since 2020, relies on social engineering through fake job offers sent via spear-phishing emails.
In this latest wave, Lazarus operatives posed as recruiters from aerospace firms, including those tied to Western defense alliances. The emails carried PDF attachments containing embedded ScoringMathTea payloads, masked as job descriptions for high-profile engineering positions.
Once opened, the malware establishes persistence, enumerates system architecture, and exfiltrates sensitive data, while using encrypted Telegram-based command channels to maintain contact with Lazarus-controlled servers.
ESET traced the malware’s lineage back to October 2022, when ScoringMathTea was deployed in similar recruitment-themed attacks against organizations in Portugal, Germany, India, Poland, and Italy. The group’s continued use of identical tactics — coupled with customized payloads — demonstrates its operational consistency and discipline.
“Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” said ESET researcher Peter Kálnai, who led the investigation.
STRATEGIC IMPLICATIONS — CYBER WARFARE AND MILITARY SUPPLY LINES
The campaign’s targeting of drone manufacturers is no coincidence. Drones have become one of the most valuable assets in the Russia–Ukraine conflict, and by extension, a point of intense global espionage.
For North Korea, access to European UAV schematics and flight-control technology would represent a major leap forward — enabling both reverse engineering and export-based replication for its own military-industrial complex.
This operation also signals an expanding cooperation pattern between Pyongyang and Moscow. While Russia supplies physical battleground access and resources, North Korea contributes cyber capabilities and potentially low-cost military labor — a hybrid alliance that merges physical warfare with digital infiltration.
ESET’s findings coincide with intelligence that North Korean operatives are actively attempting to integrate captured or stolen Western drone technologies into their domestic weapons programs.
SCORINGMATHTEA — THE ESPIONAGE CORE
ScoringMathTea acts as a modular surveillance implant designed to collect network intelligence, user credentials, and internal documentation before opening a channel for further payload deployment.
The malware’s evolution shows Lazarus’ continued preference for customized payload loaders that disguise themselves within job-related applications or legitimate utilities, allowing long-term persistence within sensitive environments.
By combining social engineering precision with encrypted C2 (command-and-control) communications, ScoringMathTea enables Lazarus to maintain stealth even against updated EDR and intrusion detection systems.
The group’s operational sophistication reinforces why it remains one of the most difficult threat actors to fully neutralize.
TRJ VERDICT
The Lazarus Group’s renewed focus on European drone manufacturers confirms what many in the cybersecurity world already understand: digital warfare is now industrial warfare.
These aren’t random phishing campaigns — they are targeted state-aligned espionage operations built to erode the technological edge of Western defense contractors.
Each stolen schematic, each compromised UAV control module, represents more than data — it’s a transfer of battlefield advantage.
The deeper reality is that North Korea’s cyber program no longer operates in isolation; it’s now embedded within a global conflict network, moving intelligence from inbox to battlefield in real time.
Every stolen design is a future weapon. Every ignored email could be a breach in national defense.
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 1 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed
🔥 Kindle Edition 👉 https://a.co/d/9EoGKzh
🔥 Paperback 👉 https://a.co/d/9EoGKzh
🔥 Hardcover Edition 👉 https://a.co/d/0ITmDIB
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 2 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed just like the first one.
🔥 Kindle Edition 👉 https://a.co/d/1xlx7J2
🔥 Paperback 👉 https://a.co/d/a7vFHN6
🔥 Hardcover Edition 👉 https://a.co/d/efhu1ON
Get your copy today and experience poetry like never before. #InkAndFire #PoetryUnleashed #FuelTheFire
🚨 NOW AVAILABLE! 🚨
📖 THE INEVITABLE: THE DAWN OF A NEW ERA 📖
A powerful, eye-opening read that challenges the status quo and explores the future unfolding before us. Dive into a journey of truth, change, and the forces shaping our world.
🔥 Kindle Edition 👉 https://a.co/d/0FzX6MH
🔥 Paperback 👉 https://a.co/d/2IsxLof
🔥 Hardcover Edition 👉 https://a.co/d/bz01raP
Get your copy today and be part of the new era. #TheInevitable #TruthUnveiled #NewEra
🚀 NOW AVAILABLE! 🚀
📖 THE FORGOTTEN OUTPOST 📖
The Cold War Moon Base They Swore Never Existed
What if the moon landing was just the cover story?
Dive into the boldest investigation The Realist Juggernaut has ever published—featuring declassified files, ghost missions, whistleblower testimony, and black-budget secrets buried in lunar dust.
🔥 Kindle Edition 👉 https://a.co/d/2Mu03Iu
🛸 Paperback Coming Soon
Discover the base they never wanted you to find. TheForgottenOutpost #RealistJuggernaut #MoonBaseTruth #ColdWarSecrets #Declassified
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
One thing this world certainly does NOT need is North Korea having better plans to build any kind of war machine. It also doesn’t need expanding cooperation between Pyongyang and Moscow.
As you stated: “Each stolen schematic, each compromised UAV control module, represents more than data — it’s a transfer of battlefield advantage.” The Ukraine can’t afford to give up any battlefield advantage. I hope they can stop the leaks.
Thank you for the story, John.
You’re very welcome, Chris — that’s the real danger behind this kind of cyber espionage. Every stolen design or compromised control system doesn’t just represent a breach; it represents capability transfer — the kind that can tip balance on the battlefield.
North Korea’s growing coordination with Moscow only amplifies that concern. When rogue states begin sharing intelligence, resources, and stolen defense data, it turns isolated operations into joint escalation. And as you said, Ukraine can’t afford that kind of loss — not when every UAV schematic equates to another tactical edge on the front lines.
Appreciate your insight, Chris — always greatly appreciated. 😎
Thank you for your reply, John, and I hope your Saturday is off to a great start! Just thinking about the connections between N. Korea and Russia make me cringe. The N. Korean government is so cruel to its own citizens. The people suffer while the government spends huge amounts of money on become a major military power. I wish them the worst in these efforts and I hope the people of that country will someday gain some of the freedoms that we enjoy here in the U.S.
You’re absolutely right, Chris — the relationship between Pyongyang and Moscow is one of the most troubling developments we’ve seen lately. North Korea’s leadership has proven time and again that it’s willing to sacrifice its own people’s well-being to advance its military ambitions, and that kind of alliance only strengthens authoritarian leverage on the global stage.
My Saturday’s been good so far, thank you for asking. You said it perfectly — while ordinary citizens there struggle for basic survival, the regime funnels resources into weapons and warfare. It’s hard to watch, especially knowing that so much of that suffering is preventable.
Like you, I hope one day the people of North Korea can experience the same freedoms we often take for granted. Thank you, as always, Chris — your empathy and insight shine through every time. I hope your weekend’s off to a peaceful start as well 😎
Thank you for your kind words and for your reply, John. I’m glad to hear that your weekend is going well so far. I hope you have a great Sunday.
There is no excuse for the way N. Korean leaders treat their people. There must be a great deal of resentment built up over the years that is hidden. What else can they do? If they rebel they die or have something even worse happen to them.
Thanks for your kind words. I wish the best for you and your family!