[Image: grid of blue padlocks on a dark technical background with a single orange padlock highlighted by a red outline, representing a breached or vulnerable node in an otherwise secure network.]

Overview:

On 23 October 2025, new reporting revealed another coordinated wave of intrusions linked to Lazarus Group’s long-running “Operation DreamJob,” marking the latest escalation in cyber espionage against Europe’s aerospace and defense sectors. Lazarus is a cluster of North Korea-based cyber actors and is assessed as one of the most prolific advanced persistent threat (APT) groups. It has sustained a years-long series of cyber operations that combine targeted social engineering, supply-chain abuse and stealthy multi-stage malware delivery.

The most recent activity reinforces a trend with direct relevance to the satellite communications industry: threat actors are increasingly blending professional networking deception with developer-tool compromise to infiltrate sensitive engineering environments.

In the campaign observed this October, Lazarus operators posed as recruiters offering lucrative positions to mid- and senior-level engineers. Victims were contacted through LinkedIn or polished email correspondence mimicking legitimate hiring processes. Once engaged, targets received PDFs posing as job descriptions or interview materials. Opening these files initiated multi-stage loader chains delivering malware families that enabled reconnaissance, data theft and persistent access. According to ESET, victims spanned a metal engineering company in Southeastern Europe, an aircraft components manufacturer in Central Europe and a Central-European defense contractor—industries whose intellectual property holds long-term strategic value for Lazarus actors.

Operation DreamJob and Social Engineering:

Operation DreamJob pairs trust-based social engineering with technically adept malware delivery. Lazarus operators build credible recruiter identities, replicate real interview workflows and distribute professionally formatted documents to establish legitimacy. When victims open the malicious PDFs, embedded scripts initiate loader execution designed to bypass common endpoint defenses. This smooth transition from human manipulation to technical compromise is a defining feature of the campaign.
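A static triage check for the kind of lure document described above, as an added example that is not part of the original post or of ESET's tooling. It scans raw PDF bytes for name objects that make a document auto-execute content (such as /OpenAction paired with /JavaScript or /Launch), after undoing the #xx hex escaping that is commonly used to hide those names from naive string matching. The keyword list, thresholds and the two sample PDFs are constructed for illustration.

```python
import re
from collections import Counter

# Name objects that warrant sandbox review when found in an unsolicited "job description" PDF.
# Constructed list; the page itself names no specific PDF features.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch",
               "EmbeddedFile", "SubmitForm", "URI")


def _normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names (e.g. /J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return a count of each risky name object present in the raw PDF bytes."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    text = _normalize_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        # The negative lookahead stops /JS from matching /JSomething.
        pattern = rb"/" + name.encode() + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return {k: v for k, v in counts.items() if v}


def is_suspicious(data: bytes) -> bool:
    """Flag the classic loader pattern: an auto-run trigger plus active content."""
    hits = triage_pdf(data)
    auto_run = hits.get("OpenAction", 0) + hits.get("AA", 0)
    active = sum(hits.get(k, 0) for k in ("JavaScript", "JS", "Launch", "EmbeddedFile"))
    return auto_run > 0 and active > 0


# Constructed sample: a minimal PDF whose OpenAction points at an obfuscated JavaScript action.
SAMPLE_LURE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed sample: the same skeleton with no active content.
SAMPLE_CLEAN = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Because the check is purely lexical, a hit means "send to a sandbox", not "malicious"; compressed object streams can hide names from it, so treat a clean result as inconclusive.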

Once initial execution occurs, DreamJob proceeds through several controlled stages that minimize detection and enable tailored exploitation. Dropper components first fetch additional payloads from attacker infrastructure, followed by secondary implants that conduct reconnaissance, credential capture, and movement within the network. These implants then establish persistent access through registry, service, or scheduled task modification. Finally, data exfiltration occurs through encrypted channels or covert DNS, allowing Lazarus to extract proprietary engineering data and sensitive system information. This modular, multi-stage architecture allows the operators to remain hidden for extended periods and refine payloads to match the technical environment of each victim.
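A resolver-log heuristic for the covert-DNS exfiltration stage mentioned above, as an added example that is not part of the original post. It groups queries by client and registered domain and alerts when a client repeatedly sends long, high-entropy leading labels to the same domain, which is the pattern data encoded into subdomains produces. The log format, the thresholds and the naive two-label "registered domain" rule are assumptions; the log lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log: "<unix_ts> <client> <qname> <qtype>" (format is an assumption).
SAMPLE_DNS_LOG = """\
1700000001 10.1.4.22 www.microsoft.com A
1700000002 10.1.4.22 cdn.jsdelivr.net A
1700000003 10.1.4.37 k3x9qz7mw2vb8nt4pl6rd1yh5jc0.t1.c2-example.invalid TXT
1700000004 10.1.4.37 a1b2c3d4e5f6g7h8i9j0klmnopqr.t2.c2-example.invalid TXT
1700000005 10.1.4.37 zy8xw7vu6ts5rq4po3nm2lk1ji0h.t3.c2-example.invalid TXT
1700000006 10.1.4.37 mail.example.org MX
1700000007 10.1.4.37 m4n5b6v7c8x9z0lkjhgfdsapoiuy.t4.c2-example.invalid TXT
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far higher than hostnames like 'mail'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Naive: last two labels. Real code would consult a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_exfil(log: str, min_label_len: int = 24, min_entropy: float = 3.0,
                   min_queries: int = 3) -> list:
    """Return one alert per (client, domain) pair whose queries look like encoded data."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, qtype = m.groups()
        groups[(client, registered_domain(qname))].append((qname, qtype))
    alerts = []
    for (client, domain), queries in groups.items():
        suspicious = [q for q, _ in queries
                      if len(q.split(".")[0]) >= min_label_len
                      and shannon_entropy(q.split(".")[0]) >= min_entropy]
        if len(suspicious) >= min_queries:
            alerts.append({"client": client, "domain": domain,
                           "suspicious_queries": len(suspicious), "total": len(queries)})
    return alerts
```

Tune the thresholds against a baseline of your own resolver traffic: CDN and anti-virus vendors also use long machine-generated labels, so the registered-domain grouping and an allow-list are what keep the false-positive rate workable.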

Impact on the Space Sector:

Although the latest reporting centers on terrestrial aerospace entities, the operational tradecraft maps directly to risks facing satellite communications providers, component manufacturers and space-sector integrators. In 2024, ClearSky Cybersecurity reported a DreamJob campaign targeting similar industry verticals in aviation, defense and aerospace. These environments share common characteristics: globally distributed development teams, reliance on specialized engineering roles, extensive use of open-source tooling and multi-tier supply chains spanning both IT and OT domains. As these ecosystems converge, the attack surface expands accordingly.

State-sponsored APT groups have consistently pursued foreign aerospace, sensor and propulsion technologies to advance military and space capabilities, and over the past several years many groups have adopted social engineering TTPs similar to those of DreamJob. Satellite communications infrastructure, particularly systems supporting imaging, navigation and command-and-control, aligns closely with those priorities. As commercial space assets become increasingly intertwined with defense operations and dual-use applications, the incentive to target upstream space-sector engineering workflows continues to grow.

Conclusion:

Operation DreamJob aligns with a broader trend in which North Korean threat actors exploit global remote-work and hiring practices to gain technical access. Recent analyses from Google’s Threat Analysis Group, the FBI and international CERTs have highlighted related campaigns in which adversaries impersonate recruiters, conduct fake technical interviews and distribute test packages or repositories embedded with malware families such as BeaverTail and InvisibleFerret. These operations are supported by a rapidly evolving toolset, including Python-based variants of previously Go-based implants like GolangGhost, demonstrating sustained adaptation in both programming languages and loader architectures.

A parallel line of activity involves North Korean IT workers embedding themselves directly as remote contractors within Western companies using forged identities and falsified résumés. Once inside, they obtain access to source-code repositories, deployment systems, internal communication platforms and cloud-hosted development environments. Although many of these operations focus on generating revenue for the regime, they routinely create access points that enable broader espionage and supply-chain compromise. DreamJob and related IT-worker campaigns collectively demonstrate how sophisticated state-sponsored actors combine social engineering with multi-tiered malware payloads to infiltrate the development and production lifecycles of space systems.