A Pain in the Mist: Navigating Operation DreamJob’s arsenal

2025-11-20 Orange Cyberdefense

https://www.orangecyberdefense.com/global/blog/cert-news/a-pain-in-the-mist-navigating-operation-dreamjobs-arsenal

Attachments

Navigating_Operation_DreamJob_s_arsenal_1.pdf (2 MB)

Orange Cyberdefense investigated an August 2025 intrusion against an Asian subsidiary of a large European manufacturing organization and assessed, with medium confidence, that it aligned with Operation DreamJob and UNC2970. Initial access used a targeted job lure delivered over WhatsApp Web to a project engineer, leading the victim to open a ZIP containing a malicious PDF, a legitimate SumatraPDF executable, and a sideloaded libmupdf.dll assessed as a BURNBOOK variant. The actors then conducted hands-on-keyboard activity, LDAP discovery, account compromise and pass-the-hash lateral movement, and attempted to deploy TSVIPsrv.dll, assessed as a MISTPEN variant that contacted compromised SharePoint servers for C2. The report lists hashes for BURNBOOK, MISTPEN and wordpad.dll.mui, together with the SharePoint and compromised WordPress C2 infrastructure, and shows that Operation DreamJob remains active with frequently modified loaders, backdoors and social-engineering tradecraft.

Indicators of Compromise
