Gotta fly: Lazarus targets the UAV sector
2025-10-23 • ESET
https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/
ESET attributes a new wave of Operation DreamJob activity to North Korea-aligned Lazarus with high confidence, citing fake job-offer social engineering, trojanized open-source projects, DLL side-loading, and the ScoringMathTea RAT. The observed intrusions targeted three European defense-sector companies, including organizations involved in aircraft components, metal engineering, and UAV-related technology. Victims were lured with a decoy job description and a trojanized PDF reader, after which droppers using the internal name DroneEXEHijackingLoader.dll led to ScoringMathTea deployment through compromised C2 servers. The campaign matters because ESET connects the targeting to possible collection of proprietary UAV know-how as North Korea expands its drone program and gains wartime exposure through Russia’s war against Ukraine.
Indicators of Compromise