Operation DreamJob hits Europe’s UAV supply chain: What DFIR teams need to collect, hunt, and block

ESET documented a surge of Operation DreamJob activity from late March through mid‑2025, attributed to the North Korea–aligned Lazarus group and targeting multiple European defense companies — including firms that build UAV components and UAV software — with the aim of stealing proprietary designs and manufacturing know‑how. Initial access relied on classic “dream job” lures and trojanized readers/loaders; later stages delivered ScoringMathTea, a Lazarus RAT with ~40 commands. ESET links the focus on UAV know‑how to North Korea’s push to scale its domestic drone program. (ESET WeLiveSecurity). (welivesecurity.com)

ESET’s press release confirms European targeting across Central and Southeastern Europe and attributes the campaign to a new DreamJob wave featuring trojanized open‑source projects and ScoringMathTea. (ESET newsroom). (eset.com)

Contextually, open reporting throughout 2024–2025 has described North Korea fielding Saetbyol‑4/‑9 UAVs that mimic U.S. Global Hawk and MQ‑9 designs, while analysis suggests they lack comparable sensors and systems — a gap espionage might seek to close. (CSIS Beyond Parallel; RFA). (beyondparallel.csis.org)

Execution chains and notable tooling

ESET observed layered chains — decoys → droppers/loaders → downloaders → ScoringMathTea — with reflective loading and disk‑less payloads until late stage. Loaders search the filesystem or registry for the next stage, decrypt with AES‑128 or ChaCha20, and load into memory using MemoryModule; in‑the‑wild samples included a trojanized MuPDF reader, QuanPinLoader, DirectX‑wrapper–based loaders, a trojanized libpcre 8.45, and BinMergeLoader downloaders. (ESET blog). (welivesecurity.com)

One dropper bears the internal name DroneEXEHijackingLoader.dll, and side‑loading combos repeatedly leverage legitimate RemoteApp components, notably wksprt.exe and wkspbroker.exe, to load webservices.dll or radcui.dll from unusual paths. (ESET blog). (welivesecurity.com)

BinMergeLoader is assessed as conceptually similar to Mandiant’s 2024 MISTPEN (a Notepad++/binhex‑derived backdoor) and leverages Microsoft Graph with API tokens for C2/logistics, living among trusted cloud traffic. (ESET blog; Mandiant/Google Cloud on UNC2970 & MISTPEN; SC Media overview of Graph abuse). (welivesecurity.com)

ScoringMathTea (aka Microsoft’s “ForestTiger” cluster) has been tracked since at least 2022 and publicly discussed by Kaspersky in 2023 and Microsoft in October 2023, with capabilities to manipulate files/processes, gather system info, and open TCP connections for tasking. (ESET blog; Microsoft Security Blog – Diamond Sleet/ForestTiger). (welivesecurity.com)

ESET’s write‑up also enumerates ATT&CK mappings for the campaign (e.g., T1574.002 side‑loading; T1204.002 user execution via trojanized PDF readers) and illustrates C2 hosted on compromised WordPress sites under themes/plugins paths (e.g., .../wp-content/plugins/.../forward.php). (ESET blog). (welivesecurity.com)

For broader situational context, media and ESET note this activity coincided with reports of North Korean troop deployments to Russia’s Kursk region — a period in which Pyongyang’s interest in Western battlefield systems would be strategically aligned. (ESET blog; Reuters; AP). (welivesecurity.com)

File system and process artifacts you can collect today

Prioritize these host pivots from ESET’s table and narrative:

  • Side‑loading pairs and odd install roots

    • Parent binaries: wksprt.exe and wkspbroker.exe executing from userland or uncommon locations. (ESET blog). (welivesecurity.com)
    • Malicious DLLs: webservices.dll and radcui.dll (proxy‑export sets), sometimes standing in for trojanized OSS modules. (ESET blog). (welivesecurity.com)
    • Location folders called out as unusual for the legit apps:
      • %ALLUSERSPROFILE%\EMC\
      • %ALLUSERSPROFILE%\Adobe\
      • %APPDATA%\Microsoft\RemoteApp\
      • Occasional ad hoc %ALLUSERSPROFILE%\ subfolders for DirectX wrapper side‑loads (e.g., d3d8.dll, ddraw.dll). (ESET blog). (welivesecurity.com)
  • Internal naming, PDB breadcrumbs, and OSS trojanization

    • Internal DLL name: DroneEXEHijackingLoader.dll within certain droppers. (ESET blog). (welivesecurity.com)
    • PDB path example indicating intent to load under wksprt: E:\Work\Troy\안정화\wksprt\comparePlus-master\Notepad++\plugins\ComparePlus\ComparePlus.pdb. (ESET blog). (welivesecurity.com)
    • Trojanized projects used as loaders/downloaders: Notepad++ plugins NPPHexEditor and ComparePlus; WinMerge plugins DisplayBinaryFiles and HideFirstLetter; DirectX Wrappers; libpcre 8.45; TightVNC Viewer; MuPDF; a Sample IME–derived QuanPinLoader. (ESET blog). (welivesecurity.com)
  • Stage handling and memory

    • Droppers/loaders decrypt next stages (AES‑128 or ChaCha20) and reflectively map via MemoryModule; main payload remains encrypted on disk. Expect few or no on‑disk plaintext bytes for ScoringMathTea. (ESET blog). (welivesecurity.com)

Network and cloud pivots

  • Outbound HTTP(S) to compromised WordPress sites under /wp-content/themes/ or /wp-content/plugins/ hosting C2 stagers or handlers (example observed path to gravityforms/forward.php). (ESET blog). (welivesecurity.com)
  • Early infrastructure name source for ScoringMathTea: www.scoringmnmathleague[.]org referenced in ESET’s naming notes. (ESET blog). (welivesecurity.com)
  • Graph abuse indicators consistent with MISTPEN‑style tradecraft: OAuth token refresh against login.microsoftonline.com followed by Graph OneDrive interactions such as v1.0/me/drive/root:/... from processes not expected to perform cloud file ops (e.g., side‑loaded plugin DLL contexts). (Mandiant/Google Cloud; SC Media). (cloud.google.com)
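The Graph/OAuth sequence and the WordPress path pattern above, as an added detection sketch in Python that is not part of the original write‑up or of any vendor tool. It runs over constructed proxy log lines (the hostnames, timestamps and the example-blog.invalid domain are made up), treats a token POST to login.microsoftonline.com followed within five minutes by a graph.microsoft.com /v1.0/me/drive request from a process outside an assumed Office allow‑list as the MISTPEN‑style sequence, and narrows the WordPress check to .php handlers under themes/plugins so that ordinary static‑asset loads are ignored (an assumption made here to cut noise).

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not real telemetry): "<ISO timestamp> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2025-04-02T09:14:03Z ENG-WS-17 OUTLOOK.EXE POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2025-04-02T09:14:04Z ENG-WS-17 OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/messages
2025-04-02T09:20:11Z ENG-WS-17 wksprt.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2025-04-02T09:20:13Z ENG-WS-17 wksprt.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks:/children
2025-04-02T09:21:40Z ENG-WS-17 wksprt.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/tasks/out.bin:/content
2025-04-02T09:25:00Z ENG-WS-21 chrome.exe GET https://example-blog.invalid/wp-content/themes/twentytwenty/style.css
2025-04-02T09:26:30Z ENG-WS-21 WinMergeU.exe POST https://example-blog.invalid/wp-content/plugins/gravityforms/forward.php
"""

# Assumed allow-list of processes expected to talk to Graph/OneDrive; tune to the environment
OFFICE_PROCS = {"outlook.exe", "onedrive.exe", "winword.exe", "excel.exe", "ms-teams.exe", "msedge.exe"}
TOKEN_RE = re.compile(r"^https://login\.microsoftonline\.com/[^/]+/oauth2/(v2\.0/)?token$", re.I)
DRIVE_RE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/drive(/|$)", re.I)
WP_PHP_RE = re.compile(r"/wp-content/(themes|plugins)/[^?]*\.php(\?|$)", re.I)

def parse_log(text):
    """Parse the space-separated sample format into event dicts (process names lower-cased)."""
    events = []
    for line in text.splitlines():
        ts, host, proc, method, url = line.split(" ", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                       "proc": proc.lower(), "method": method, "url": url})
    return events

def find_graph_sequences(events, window=timedelta(minutes=5)):
    """Token refresh followed by OneDrive API use from a process not expected to do cloud file ops."""
    last_token, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["proc"])
        if e["method"] == "POST" and TOKEN_RE.match(e["url"]):
            last_token[key] = e["ts"]          # remember the most recent token grant per host/process
        elif DRIVE_RE.match(e["url"]) and e["proc"] not in OFFICE_PROCS:
            t0 = last_token.get(key)
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append((e["host"], e["proc"], e["method"], e["url"]))
    return alerts

def find_wp_script_hits(events):
    """Direct requests to PHP handlers under WordPress themes/plugins paths (static assets are ignored)."""
    return [(e["host"], e["proc"], e["url"]) for e in events if WP_PHP_RE.search(e["url"])]
```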

Practical hunts (KQL/Sysmon/Sigma)

  • DeviceImageLoadEvents: suspicious parent processes loading the named DLLs
// MDE Advanced Hunting
// The trailing "\\ProgramData\\" is deliberately broad: it covers the ad hoc subfolders used for DirectX wrapper side-loads
DeviceImageLoadEvents
| where InitiatingProcessFileName in~ ("wksprt.exe","wkspbroker.exe")
| where FileName in~ ("webservices.dll","radcui.dll","d3d8.dll","ddraw.dll")
| where FolderPath has_any ("\\ProgramData\\Adobe","\\ProgramData\\EMC","\\AppData\\Roaming\\Microsoft\\RemoteApp","\\ProgramData\\")
| summarize dcount(DeviceId), any(ReportId) by InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessFolderPath, FileName, FolderPath
  • Unusual “office/utility” apps loading DLLs from ProgramData/AllUsers
// Side-loading surfaces as an image load, not necessarily as a file write, so query image loads rather than DeviceFileEvents
DeviceImageLoadEvents
| where FolderPath has_any ("C:\\ProgramData\\Adobe","C:\\ProgramData\\Oracle","C:\\ProgramData\\")
| where InitiatingProcessFileName in~ ("PresentationHost.exe","colorcpl.exe","fixmapi.exe","tabcal.exe","wksprt.exe","wkspbroker.exe")
| where FileName endswith ".dll"
| summarize dcount(DeviceId), any(ReportId) by InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, FolderPath
  • Graph API abuse from endpoints (proxy/firewall logs normalized; Sigma requires the selection and condition under a detection: key)
title: Suspicious Microsoft Graph OneDrive Usage From Non-Office Process
logsource:
  category: proxy
detection:
  selection:
    url|contains: "graph.microsoft.com/v1.0/me/drive"
    user_agent|contains: "WinHTTP"  # Many loaders/droppers use raw WinHTTP/WinInet
    process|contains:               # Needs a proxy or endpoint agent that records the originating process; drop this selector otherwise
      - "wksprt.exe"
      - "wkspbroker.exe"
      - "notepad++.exe"
      - "WinMergeU.exe"
  condition: selection
fields: [src_ip, dest_ip, url, process, user_agent]
level: high
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader
  • WordPress plugin/theme C2 patterns
title: Outbound to WordPress Themes/Plugins From Workstations
logsource:
  category: proxy
detection:
  selection:
    url|contains:
      - "/wp-content/themes/"
      - "/wp-content/plugins/"
  condition: selection
# Noisy on ordinary browsing (themes/plugins also serve CSS/JS/images); scope to engineering subnets or add a ".php" filter
level: medium
references:
  - https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/
  • Memory forensics triage
    • Inspect wksprt.exe and wkspbroker.exe address spaces for reflectively loaded modules lacking on‑disk backing, high‑entropy regions, or export sets proxying to Windows libs plus extra exports (dual‑nature DLLs). ESET notes droppers export both proxy stubs and the OSS project’s symbols. (ESET blog). (welivesecurity.com)

Detection and containment guidance

  • Control initial access

    • Validate recruiter outreach on secondary channels; block ISO/IMG and double‑extension archive lures associated with DreamJob; detonate decoy PDF readers in sandboxes. Historic DreamJob tradecraft has included LinkedIn‑driven lures and trojanized readers and coding challenges. (ClearSky 2020; ESET 2023 Spanish aerospace case). (clearskysec.com)
  • Stop side‑loading chains

    • Block or monitor execution of wksprt.exe and wkspbroker.exe outside their normal directories; alert on DLL loads of webservices.dll and radcui.dll from user‑writable paths; enforce safe DLL search mode (SafeDllSearchMode) and application control policies on RemoteApp components. (ESET blog). (welivesecurity.com)
  • Cloud hardening against Graph‑based C2

    • Require Conditional Access for service principals; restrict Graph permissions and audit token grant events; monitor anomalous OneDrive file API patterns from non‑Office processes; rotate/revoke refresh tokens when Graph abuse is suspected. Mandiant’s MISTPEN analysis shows token‑refresh then Graph file ops; defenders should alert on this sequence. (Mandiant/Google Cloud; SC Media). (cloud.google.com)
  • C2 egress controls

    • Denylist known indicators and pattern‑match WordPress plugin/theme paths; prefer TLS inspection for outbound to unexpected CMS endpoints from engineering workstations. ESET documented C2 components staged under WordPress plugin directories. (ESET blog). (welivesecurity.com)
  • RAT containment

    • Microsoft maps this RAT family under the ForestTiger detection name; ensure Defender and EDR signatures are current; quarantine hosts exhibiting ForestTiger/ScoringMathTea behavior and perform memory capture before reboot. (Microsoft Security Blog). (microsoft.com)

Incident response workflow (targeted at UAV/defense engineering networks)

  1. Scoping and collection
  2. Containment
  3. Forensic analysis
     • Map execution chains to the OSS project used (e.g., DirectX Wrappers, Notepad++ ComparePlus/NPPHexEditor, WinMerge plugins) to generate targeted hunts for sibling implants. (ESET blog). (welivesecurity.com)
     • Examine DLL export tables in suspect modules for combined proxy exports plus project‑specific exports (dual signature); verify MemoryModule‑style PE loading in memory. (ESET blog). (welivesecurity.com)
  4. Eradication and hardening
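For the export‑table check in step 3 and the memory‑triage bullet under Practical hunts, an added pure‑Python helper (not ESET’s tooling) that parses a PE export directory and flags a module that both forwards exports to another DLL and carries its own local exports. It assumes the proxying is implemented with export forwarders (stub‑based proxies that call the real DLL need an import‑table check instead) and expects a file‑layout image; a module dumped from memory must be un‑mapped to file layout before parsing.

```python
import struct

def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_exports(data):
    """Return (dll_name, [(export_name, forwarder_target_or_None), ...]) for a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Export table is data directory 0; the directory array starts at +0x70 (PE32+) or +0x60 (PE32)
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (0x70 if magic == 0x20B else 0x60))
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return "", []
    exp = _rva_to_offset(sections, exp_rva)
    dll_name = _cstring(data, _rva_to_offset(sections, struct.unpack_from("<I", data, exp + 12)[0]))
    _, nnames, addr_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, exp + 20)
    addrs, names, ords = (_rva_to_offset(sections, r) for r in (addr_rva, names_rva, ords_rva))
    exports = []
    for i in range(nnames):
        name = _cstring(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names + 4 * i)[0]))
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, addrs + 4 * ordinal)[0]
        # A function RVA that points back inside the export directory is a forwarder string ("DLL.Func")
        forwarder = _cstring(data, _rva_to_offset(sections, func_rva)) if exp_rva <= func_rva < exp_rva + exp_size else None
        exports.append((name, forwarder))
    return dll_name, exports

def classify_exports(exports):
    """Flag the 'dual nature' ESET describes: forwarders to a real DLL plus extra locally implemented exports."""
    forwarded = {n: t for n, t in exports if t}
    local = [n for n, t in exports if not t]
    targets = sorted({t.split(".", 1)[0].lower() for t in forwarded.values()})
    return {"forwarded": forwarded, "local": local, "proxy_targets": targets,
            "dual_nature": bool(forwarded) and bool(local)}
```

A hit where proxy_targets names the legitimate library (webservices or radcui) and local contains plugin‑style exports is the pattern worth pulling into memory triage.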

Minimal YARA to catch developer‑oriented droppers (heuristic)

Use with caution; verify locally before deployment.

rule Lazarus_DreamJob_OSS_Trojanization_Heuristic_v1
{
  meta:
    author = "DFIR analyst"
    description = "Heuristic hits on internal names/paths noted by ESET"
    reference = "https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/"
  strings:
    $pdb1 = "E:\\Work\\Troy\\" ascii nocase
    // "안정화" from the ComparePlus PDB path, as UTF-8 and as EUC-KR/CP949 (the two encodings a Korean-locale build is likely to emit)
    $kor_utf8 = { EC 95 88 EC A0 95 ED 99 94 }
    $kor_cp949 = { BE C8 C1 A4 C8 AD }
    $iname = "DroneEXEHijackingLoader.dll" ascii
    $expA = "exportfun00" ascii
    $expB = "fun00" ascii  // substring of $expA and very generic: the export strings only corroborate a name/path hit
  condition:
    2 of ($pdb1, $kor*, $iname) or
    ( 1 of ($pdb1, $kor*, $iname) and 1 of ($exp*) )
}

Reference: ESET observed the DroneEXEHijackingLoader.dll internal name, the 안정화 string in a PDB path tied to ComparePlus, and exports used for proxying/loader chaining. (ESET blog). (welivesecurity.com)

Indicators and patterns to seed detections

  • Host

    • Parents: wksprt.exe, wkspbroker.exe (unexpected paths or command‑lines). (ESET). (welivesecurity.com)
    • DLLs: webservices.dll, radcui.dll, DirectX wrapper DLLs (e.g., d3d8.dll, ddraw.dll) living beside the parents in %ALLUSERSPROFILE% or %APPDATA% subfolders. (ESET). (welivesecurity.com)
    • Known dropper hash: SHA‑1 03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4. (ESET). (welivesecurity.com)
  • Network

    • C2 on compromised WordPress under /wp-content/themes|plugins/… (example path: .../plugins/gravityforms/forward.php). (ESET). (welivesecurity.com)
    • Graph/OAuth sequence: POST to login.microsoftonline.com token endpoint followed by Graph OneDrive file API routes from non‑Office apps. (Mandiant/Google Cloud). (cloud.google.com)
  • Threat family

Why the UAV angle matters to DFIR

DreamJob has long targeted aerospace/defense, but this cluster’s explicit drone focus raises the risk that engineering workstations (CAD/CAM, firmware, controls, composites) are the first and last mile of collection. Protect those endpoints from side‑loading, and assume adversaries will live in cloud APIs that blend into normal work. (ESET blog; ClearSky 2020). (welivesecurity.com)

Takeaways

  • Hunt now for side‑loading of webservices.dll/radcui.dll by wksprt.exe/wkspbroker.exe under %ALLUSERSPROFILE% and %APPDATA% paths; memory‑dump those processes for reflectively mapped modules. (ESET). (welivesecurity.com)
  • Inspect proxy and EDR telemetry for outbound to /wp-content/themes|plugins/ and for Graph OneDrive API use by non‑Office processes; revoke suspect tokens and restrict Graph scopes for service principals. (ESET; Mandiant). (welivesecurity.com)
  • Push allow‑listing and safe DLL search mode (SafeDllSearchMode) on engineering endpoints; standardize trusted PDF readers; block execution from user‑writable ProgramData/AllUsers subdirectories. (ESET). (welivesecurity.com)
  • If you identify ScoringMathTea/ForestTiger activity, isolate, preserve memory, and follow Microsoft’s ForestTiger containment/IOC guidance. (Microsoft). (microsoft.com)

Sources / References