October 27, 2025 ESET researchers say North Korea’s Lazarus hacking group has launched a new wave of cyberattacks on defence contractors in Central and Southeastern Europe, focusing on companies that build unmanned aerial vehicles (UAVs).

The campaign, part of the group’s long-running “Operation DreamJob,” used fake job offers and trojanized open-source projects on GitHub to deliver ScoringMathTea, a remote-access trojan (RAT) that gives attackers full control over infected machines. ESET says the suspected goal was to steal proprietary data and manufacturing know-how, particularly related to drone technology.

ESET noted that the attacks coincided with reports of North Korean troops fighting alongside Russian forces in Ukraine’s Kursk region, raising the possibility that Pyongyang sought information on Western-made systems encountered on the battlefield. “We believe that it is likely that Operation DreamJob was — at least partially — aimed at stealing proprietary information and manufacturing know-how regarding UAVs,” said ESET researcher Peter Kálnai.

According to ESET, one targeted company produces at least two drone models currently deployed in Ukraine. Another is part of the supply chain for advanced single-rotor aircraft, a design that North Korea is reportedly developing. The attack campaign underscores Pyongyang’s reliance on intellectual property theft to accelerate its weapons programs.

Lazarus, also known as Hidden Cobra, has been linked to North Korea since at least 2009 and is responsible for major incidents involving espionage, sabotage and financial theft. ESET’s full analysis, “Gotta Fly: Lazarus targets the UAV sector,” is available on its WeLiveSecurity blog.