The Lazarus Group — also known in cybersecurity communities as Hidden Cobra — is a highly capable, state-linked threat actor affiliated with North Korea’s intelligence apparatus. It has a long history of high-impact operations, including espionage, destructive malware, and financially motivated hacks.
What Is Happening Now?
A new wave of cyberattacks is actively targeting European drone manufacturers and defense contractors.
The campaign, tracked under the codename Operation DreamJob, appears to be focused on stealing technical know-how and manufacturing data related to unmanned aerial vehicles (UAVs) — i.e., drones.
Key points:
- Targets include at least three European companies involved in drone design, components, or UAV-related technology.
- These firms are reportedly located in Central and Southeastern Europe and operate in the defense and aerospace sectors.
- The observed incidents began in late March 2025 and continue into early 2026.
How the Attacks Work
The Lazarus attackers use social engineering and malware rather than conventional technical exploits:
- Fake Job Offers: Employees receive spoofed recruitment emails promising lucrative positions (“dream jobs”) at well-known defense or aerospace firms.
- Trojanized Files: The lure includes malicious documents or software (e.g., PDF readers, open-source tools) that implant malware when opened.
- Remote Access Payloads: Once the lure is opened, the malware (notably a remote access trojan dubbed ScoringMathTea) gives attackers persistent control and the ability to exfiltrate data.
This social-engineering tactic — offering “jobs” to lure victims — has been a signature part of Lazarus operations for several years and proves effective at getting targets to run malicious code.
Motivations Behind the Campaign
Analysts believe the primary aim is cyber-espionage:
- Stealing intellectual property and manufacturing know-how for drones could help North Korea accelerate its own UAV development.
- This aligns with reports that North Korea is actively investing in drone programs and adapting UAV designs for its military modernization.
- Some of the targeted European drone technology is reportedly deployed in Ukraine, making it a source of insight into advanced UAV systems.
Context & Broader Cyber Threat Landscape
- Lazarus’s tactics — especially fake job offers — are not new but continue to evolve with trojanized delivery mechanisms.
- The group has historically balanced espionage with financially motivated hacks to fund North Korean state objectives.
- The focus on drone technology highlights how nation-state actors increasingly target defense supply chains for strategic advantages.
Implications for European Industry
Companies in sensitive sectors (especially aerospace and defense) are urged to:
- Harden email and document-handling procedures.
- Educate staff on sophisticated phishing/social engineering.
- Monitor for unusual network activity and unauthorized access attempts.
Proactive defenses and threat intelligence sharing are crucial given the sophisticated and persistent nature of Lazarus operations.
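One way to turn the monitoring advice into a concrete check for the delivery chain described under "How the Attacks Work" (a job-themed document bundled with a trojanized reader or tool). This is an added example, not code from the original article or from any vendor report. The path patterns, keyword list, parent-process list and threshold are assumptions to tune per environment; the field names follow Sysmon Event ID 1, and the sample records are constructed.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any host OS

# All patterns below are assumptions made for this example; tune them per environment.
USER_WRITABLE = re.compile(r"\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
LURE_WORDS = re.compile(r"job|offer|position|vacancy|salary|recruit|career", re.I)
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                    "7zfm.exe", "winrar.exe", "explorer.exe"}
# A document path passed on the command line, quoted or unquoted.
DOC_ARG = re.compile(r'"([^"]+\.(?:pdf|docx?))"|(\S+\.(?:pdf|docx?))', re.I)

def score_event(ev):
    """Score one process-creation record (Sysmon Event ID 1 field names)."""
    image, reasons = ev["Image"], []
    docs = [m.group(1) or m.group(2) for m in DOC_ARG.finditer(ev["CommandLine"])]
    if USER_WRITABLE.search(image):
        reasons.append("executable runs from a user-writable path")
    if basename(ev["ParentImage"]).lower() in DELIVERY_PARENTS:
        reasons.append("started from a mail, browser, archive or shell program")
    if any(LURE_WORDS.search(basename(d)) for d in docs):
        reasons.append("opens a recruitment-themed document")
    if any(dirname(d).lower() == dirname(image).lower() for d in docs):
        reasons.append("document sits in the same folder as the executable")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return (image, reasons) for events with at least `threshold` signals."""
    scored = [(ev["Image"], *score_event(ev)) for ev in events]
    return [(img, why) for img, n, why in scored if n >= threshold]

# Constructed sample records, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Reader\reader.exe",
     "ParentImage": r"C:\Program Files\Mail\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Reader\reader.exe" "C:\Users\a\Downloads\Job_Offer.pdf"'},
    {"Image": r"C:\Users\a\Downloads\setup.exe",
     "ParentImage": r"C:\Program Files\Browser\chrome.exe",
     "CommandLine": r'"C:\Users\a\Downloads\setup.exe" /S'},
    {"Image": r"C:\Users\a\Downloads\Offer\PdfViewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\a\Downloads\Offer\PdfViewer.exe" "C:\Users\a\Downloads\Offer\Job_Description.pdf"'},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the third record is flagged: an installed reader opening a job-themed PDF and an installer run from Downloads each raise two signals, below the threshold of three. No single signal is suspicious on its own, which is why the check requires several to coincide.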
