Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Bans Apps Used to Remotely Disable E-Rickshaws
July 3, 2026
The Future of Encryption: Top Post-Quantum Cryptography Solutions for 2026
July 3, 2026
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Home/Threats/Lazarus Hackers Actively Attacking European Drone Manufacturing Companies
Threats

Lazarus Hackers Actively Attacking European Drone Manufacturing Companies

The sophisticated North Korean-aligned hacking group Lazarus, also known as HIDDEN COBRA, has initiated a new wave of targeted attacks against European drone manufacturers and defense contractors....

David kimber
David kimber
January 26, 2026 2 Min Read
41 0

The sophisticated North Korean-aligned hacking group Lazarus, also known as HIDDEN COBRA, has initiated a new wave of targeted attacks against European drone manufacturers and defense contractors.

The campaign, tracked as Operation DreamJob, emerged in late March 2025 and specifically targets organizations developing unmanned aerial vehicle technology across Central and Southeastern Europe.

Researchers have identified this activity as part of a broader strategic effort by North Korea to accelerate its domestic drone program, particularly following increased investment in modern warfare capabilities observed in the Russia-Ukraine conflict.

The campaign represents a significant escalation in cyberespionage tactics aimed at stealing proprietary manufacturing information and intellectual property from the aerospace and defense sectors.

Three European companies have been confirmed as targets, with at least two heavily involved in designing advanced single-rotor drones and producing critical UAV components currently deployed in active conflict zones.

The timing of these attacks coincides with North Korea’s reported efforts to mass-produce combat and reconnaissance drones similar to Western models like the MQ-9 Reaper and RQ-4 Global Hawk.

Welivesecurity analysts and researchers noted that the malware infrastructure used in these attacks employs sophisticated delivery mechanisms designed to evade traditional security defenses.

Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea (Source - Welivesecurity)
Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea (Source – Welivesecurity)

The attack begins with social engineering, specifically using fake job offers for prestigious positions to trick employees into downloading trojanized documents.

Once executed, the malware deploys a chain of specialized tools designed to maintain persistent access and avoid detection on compromised systems.

Infection mechanism

The primary infection mechanism relies on DLL side-loading, a technique where legitimate Windows applications are exploited to load malicious libraries without triggering security alerts.

A dropper with a suspicious internal name and exports from a legitimate Microsoft library (Source - Welivesecurity)
A dropper with a suspicious internal name and exports from a legitimate Microsoft library (Source – Welivesecurity)

The attackers have incorporated their malware into trojanized versions of popular open-source software, including TightVNC Viewer, MuPDF reader, and WinMerge plugins.

One particularly revealing dropper contained the internal filename DroneEXEHijackingLoader.dll, directly referencing the attackers’ campaign focus on drone technology.

The main payload deployed across all incidents is ScoringMathTea, a remote access trojan that provides attackers complete control over compromised machines.

This sophisticated malware offers approximately 40 different commands for system manipulation, file exfiltration, and further payload deployment.

What makes ScoringMathTea particularly dangerous is its ability to remain completely encrypted on disk, only decrypting in memory during execution, making traditional file-based detection nearly impossible without advanced behavioral monitoring.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwareSecurity

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

MITRE Releases New Cybersecurity Framework to Protect the Embedded Systems

Next Post

New Malware Toolkit Sends Users to Malicious Websites While the URL Stays the Same

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
July 3, 2026
Nebula AI Platform Automates Pen Testing to Find Vulnerabilities
July 3, 2026
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us