North Korean Hackers Target European Drone Makers in Sophisticated Espionage Campaign

North Korean state-sponsored hackers are actively targeting European defense contractors in a cyberespionage campaign designed to steal drone manufacturing secrets, security researchers revealed this week. The attacks, linked to the notorious Lazarus Group, focus specifically on companies developing unmanned aerial vehicle technology that’s currently being deployed in Ukraine.

ESET researchers discovered the campaign—dubbed Operation Dream Job—targeting at least three European defense firms since late March 2025. The timing aligns precisely with North Korea’s documented push to expand its domestic drone manufacturing capabilities, including construction of seven new UAV hangars at Panghyon Airbase that DroneXL previously reported in September 2024.

The revelations underscore a critical vulnerability facing the global drone industry: sophisticated nation-state actors are actively stealing Western UAV technology through social engineering attacks that exploit the human factor rather than technical security flaws alone.

How the Attacks Work: Fake Jobs Deliver Real Malware

The Lazarus Group’s modus operandi revolves around an insidious social engineering tactic—offering drone engineers lucrative positions at prestigious aerospace and defense companies. Victims receive what appears to be a legitimate job description document, along with a PDF reader to open it. The catch? The PDF reader is trojanized with malware.

“The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers Peter Kálnai and Alexis Rapin explained in their technical report.

The attackers weaponized legitimate open-source software including MuPDF viewer, TightVNC, Notepad++ plugins, and WinMerge. Once executed, these trojanized applications deploy a sophisticated malware suite designed to give hackers complete control over compromised systems.

The smoking gun? Every dropper file in the attacks contained an internal DLL named “DroneEXEHijackingLoader.dll”—an explicit indication that UAV technology was the primary target.

Target Profile: Companies Supporting Ukraine’s Defense

The three targeted European companies span a metal engineering firm in Southeastern Europe, an aircraft components manufacturer in Central Europe, and a defense contractor also in Central Europe. While ESET didn’t name the specific victims, researchers confirmed that at least two are heavily involved in UAV development.

“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line,” ESET’s Alexis Rapin noted.

The companies manufacture critical drone components and UAV-related software. Their products are currently deployed in Ukraine as part of European military assistance—meaning North Korean forces fighting alongside Russian troops have likely encountered these specific Western drones in combat.

This firsthand battlefield exposure appears to have motivated the cyberespionage campaign. North Korean soldiers deployed to Russia’s Kursk region have faced devastating losses from Ukrainian FPV drone attacks, as DroneXL previously reported, with North Korean troops proving particularly vulnerable due to inadequate counter-drone equipment.

The Malware Arsenal: ScoringMathTea and Beyond

Once inside target networks, the attackers deploy ScoringMathTea—a remote access trojan (RAT) that supports approximately 40 commands enabling file manipulation, process control, data exfiltration, and remote command execution.

ScoringMathTea first appeared in October 2022 and has since become Lazarus Group’s payload of choice for Operation Dream Job campaigns. According to ESET telemetry, the malware previously hit an Indian technology company (January 2023), a Polish defense firm (March 2023), a British industrial automation company (October 2023), and an Italian aerospace company (September 2025).

The 2025 campaign introduced new evasion techniques including BinMergeLoader—a sophisticated downloader that mirrors capabilities documented by Google Mandiant as MISTPEN. BinMergeLoader abuses Microsoft Graph API and authentication tokens to fetch additional malicious payloads while evading detection.

“For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” the ESET researchers observed. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”

North Korea’s Drone Ambitions: Reverse Engineering at Scale

The cyberespionage campaign directly supports North Korea’s aggressive push to develop indigenous UAV capabilities through intellectual property theft and reverse engineering.

Pyongyang has unveiled two flagship drone models that bear striking resemblances to American designs. The Saetbyol-4 reconnaissance drone, with a wingspan of approximately 115 feet (35 meters), mimics the Northrop Grumman RQ-4 Global Hawk. The smaller Saetbyol-9 combat drone, spanning about 66 feet (20 meters), resembles the General Atomics MQ-9 Reaper.

Satellite imagery analysis by the Center for Strategic and International Studies (CSIS) revealed that North Korea constructed seven new UAV hangars at Panghyon Airbase in 2024—each measuring approximately 148 feet by 131 feet (45 meters by 40 meters), large enough to house both Saetbyol models.

North Korean leader Kim Jong Un personally oversaw drone testing at Panghyon in March and September 2025, emphasizing that “unmanned equipment and artificial intelligence should be top-prioritized and developed in modernizing the armed forces,” according to state media reports.

However, Western analysts caution that despite the visual similarities, North Korea’s drones lack the advanced sensor suites, satellite communications, and propulsion systems found in their American counterparts. The Saetbyol designs appear to rely heavily on reverse-engineered airframes combined with domestic and Chinese electronics.

“Despite widespread claims that North Korea has been building copies of U.S. drones such as the RQ-4B Global Hawk and the MQ-9A Predator, the North Korean drones are not clones,” CSIS researchers emphasized. They’re “presently determined as not carrying advanced equipment similar to that found in U.S. UAVs.”

That’s precisely where stolen Western manufacturing know-how becomes invaluable—filling the technology gaps that reverse engineering alone cannot solve.

Broader Industry Implications: No Company Is Safe

The European defense contractor attacks represent just the latest chapter in a long-running pattern of nation-state cyberespionage targeting the global drone industry.

The Lazarus Group has been operational since at least 2009 and is also tracked under the names Diamond Sleet, Hidden Cobra, APT-Q-1, Black Artemis, Zinc, TEMP.Hermit, and UNC2970. The group gained international notoriety for the 2014 Sony Pictures Entertainment hack, the 2017 WannaCry ransomware outbreak, and numerous cryptocurrency heists totaling hundreds of millions of dollars.

Operation Dream Job campaigns have targeted not just defense contractors but also cryptocurrency firms, software developers, journalists, security researchers, and media companies. The fake recruitment lures prove remarkably effective despite widespread media coverage of the tactic.

“Even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors—technology, engineering, and aerospace—appears to remain insufficient,” ESET researchers noted.

The vulnerability extends beyond European companies. As DroneXL extensively documented in July 2025, Silicon Valley’s drone startup ecosystem faces its own espionage challenges, with investigations uncovering planted employees, burner phones, and sabotage involving U.S. companies competing for Pentagon contracts.

DroneXL’s Take

This isn’t the first time we’ve seen nation-state actors targeting drone technology, but the explicit focus on UAV manufacturing know-how marks an escalation. When we covered North Korea’s drone hangar expansion at Panghyon Airbase last year, it was clear Pyongyang was serious about scaling up production. Now we know they’re not just building infrastructure—they’re actively stealing the technical blueprints to make it work.

The timing is particularly significant. North Korean troops are experiencing modern drone warfare firsthand in Ukraine, getting decimated by FPV drones while using primitive counter-drone tactics like “living human bait.” That battlefield education is clearly driving intelligence priorities back in Pyongyang. They’re seeing which Western drones are most effective in combat, then targeting the companies that make them.

What makes this campaign especially insidious is how it exploits the human element. No amount of network security stops an engineer from opening what appears to be a legitimate job offer from a prestigious aerospace company. The fake recruitment angle is brilliant precisely because it targets the ambitious, skilled employees that defense contractors can’t afford to lose—and can’t afford to have compromised.

The drone industry needs to wake up to this threat. When we covered Silicon Valley’s espionage problems earlier this year, it was clear that even U.S. companies lobbying against Chinese manufacturers have their own serious security vulnerabilities. Now European defense contractors are learning the same lesson the hard way. The irony is thick: while Western governments obsess over DJI’s alleged data security risks, nation-state hackers are simply stealing proprietary UAV technology directly from defense contractors through email.

The broader question is whether Western companies and governments are moving fast enough to counter these threats. North Korea is building drone factories. China is covertly supplying drone engines to Russia through shell companies. Meanwhile, Ukrainian hackers are striking back against Russian drone suppliers, erasing terabytes of manufacturing data. And nation-state hackers are systematically targeting the companies developing cutting-edge UAV technology. The global drone supply chain has become a cyberwarfare battleground.

Yet the defense industry is still falling for fake job offers sent via email. That’s not a technology problem—that’s a human awareness problem.

If there’s a silver lining, it’s that ESET caught this campaign and published detailed indicators of compromise. Defense contractors now have the technical details needed to detect and block these specific attacks. But Lazarus Group has been running Operation Dream Job for five years with basically the same playbook—because it keeps working.

The drone industry’s intellectual property is under assault from multiple directions simultaneously. We’ve documented Chinese nationals hacking drones to photograph U.S. military bases, Chinese manufacturers secretly collaborating with sanctioned Russian weapons makers, and now North Korean intelligence services running sophisticated social engineering campaigns against European defense firms. The common thread? Western drone technology is valuable enough to justify sustained, multi-year espionage operations.

Companies need to treat cybersecurity as seriously as they treat physical security at their facilities. That means employee training on social engineering, robust endpoint detection systems, network segmentation, and assuming that sophisticated attackers are already trying to get in. Because they are. And they’re patient, well-funded, and backed by governments that view UAV technology as strategic military assets worth any investment to acquire.

The next engineer who receives an exciting job offer from a prestigious aerospace company needs to pause and verify before clicking. Because in the drone industry, your dream job might be Pyongyang’s intelligence operation.

What do you think? Share your thoughts in the comments below.