Manage your Prompts with PROMPT01 Use "THEJOAI" Code 50% OFF

DreamJob

DreamJob
Launch Date: July 8, 2026
Pricing: No Info
cybersecurity, malware analysis, threat intelligence, social engineering, data theft

North Korea's Operation DreamJob Evolves: New Malware Variants Target European Manufacturing Sector

Critical Alert:Orange Cyberdefense's CyberSOC and CSIRT teams have uncovered a new wave of attacks attributed to North Korean threat actor UNC2970, utilizing an evolved version of the long-running "Operation DreamJob" campaign. Observed in August 2025, this campaign targeted an Asian subsidiary of a major European manufacturing company, leveraging a sophisticated social engineering lure to deliver updated malware variants.

Campaign Overview and Targeting

Operation DreamJob (also known as Operation North Star or DeathNote) is one of the longest-running cyber-espionage programs attributed to the Democratic People's Republic of Korea (DPRK). The campaign specifically targets employees in the defense, manufacturing, chemical, aerospace, and technology sectors using fraudulent job posting lures.

In this specific instance, the intrusion was initiated via a WhatsApp message claiming to be a job offer for a "Project Manager" position. This social engineering tactic remains a signature method for the DreamJob campaign, designed to trick victims into downloading malicious archives.

The Infection Chain

The attack chain observed by Orange Cyberdefense followed a well-established but refined pattern:

  1. Delivery:The victim downloaded a ZIP archive containing a malicious PDF and a trojanized version of the legitimate SumatraPDF reader.
  2. Initial Execution:Opening the PDF triggered DLL sideloading, a tactic consistent with DreamJob operations since 2020.
  3. Loader Deployment:The archive included a maliciouslibmupdf.dll, identified as a recent variant of theBURNBOOKmalware family.

Evolution of BURNBOOK

Analysts compared the recoveredlibmupdf.dllto historical BURNBOOK samples and found significant similarities in function. Both versions act as loaders that read an input file, decrypt its contents, and write the result to a temporary file. However, the 2025 variant introduced specific references to artifacts previously documented in ESET's investigations, including:*wkspbroker.exe*radcui.dll*container.dat

These references suggest the intrusion chain represents a modernized branch of the same lineage, utilizing known infrastructure while adapting to current environments.

Lateral Movement and Credential Harvesting

Once the attackers gained an initial foothold, Orange Cyberdefense observed at least six hours of continuous hands-on-keyboard activity via compromised infrastructure. The threat actors executed the following actions:

  • Active Directory Reconnaissance:Multiple LDAP queries were performed to map the environment.
  • Credential Discovery:The attackers successfully identified the compromise of both a backup account and an administrative account.
  • Pass-the-Hash Exploitation:Utilizing these credentials, UNC2970 performed pass-the-hash attacks, enabling lateral movement across several servers without the need for plaintext passwords. This technique is a recurring hallmark of DreamJob operations.

Deployment of MISTPEN and Final Payload

Following lateral movement, the attackers deployedTSVIPsrv.dll, identified with high confidence as a modern variant of theMISTPENmalware family.

MISTPEN Evolution

Comparisons between the 2025 sample and a 2024 specimen from Kaspersky revealed clear evolutionary changes while maintaining core functionality:*Encryption:Both versions use AES-encrypted traffic.*Command Loops:Implementation of nearly identical opcode-based command loops.*Core Functions:Support for payload download and execution (opcode 100) and forced termination (opcode 101).

New Capability:The newest MISTPEN variant introduces a third opcode (102) for remote sleep control. This feature allows the malware to "sleep repeatedly until the computed deadline is reached," implementing remote timing control to enhance stealth and operational flexibility.

TheTSVIPsrv.dlldecrypted and executedwordpad.dll.muiin memory. This module then initiated network connections to compromised SharePoint servers to serve as Command and Control (C2) infrastructure.

From these C2 servers, the malware retrieved the final payload:Release_PvPlugin_x64.dll. This is a compact information-stealing module designed to execute entirely in memory, a technique intended to minimize forensic artifacts on the victim's system.

Challenges for Defenders

The report emphasizes that DreamJob remains difficult for defenders to investigate due to its ever-expanding malware ecosystem. The proliferation of aliases and loader families has led researchers to adopt umbrella terms likeDreamLoadersandNukeSpedto describe clusters of related malware used in these operations.

Despite the age of the campaign, the attacks remain potent due to the combination and chaining of a large number of constantly modified droppers, loaders, and simple downloaders. These components are designed to decrypt and execute more versatile malware in memory, making detection and attribution increasingly challenging.

Conclusion

This incident highlights the continued evolution of North Korean cyber-espionage capabilities. By updating their malware toolkit with features like remote sleep control and refining their social engineering lures, UNC2970 demonstrates an ongoing commitment to evading detection and maintaining access to high-value targets in the manufacturing and technology sectors.

NOTE:

This content is either user submitted or generated using AI technology (including, but not limited to, Google Gemini API, Llama, Grok, and Mistral), based on automated research and analysis of public data sources from search engines like DuckDuckGo, Google Search, and SearXNG, and directly from the tool's own website and with minimal to no human editing/review. THEJO AI is not affiliated with or endorsed by the AI tools or services mentioned. This is provided for informational and reference purposes only, is not an endorsement or official advice, and may contain inaccuracies or biases. Please verify details with original sources.

Comments

Loading...