Gotta Fly: Lazarus Targets the UAV Sector

    Date: 10/31/2025

    Severity: High

    Summary

    North Korea-aligned Lazarus Group has launched a new wave of Operation DreamJob, this time targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The lures deliver trojanized builds of open-source projects hosted on GitHub, which use DLL proxying (the malicious DLL forwards the real library's exports so the host application keeps working while the payload runs) to load the ScoringMathTea malware and steal proprietary data and manufacturing know-how. The activity likely supports the expansion of North Korea's drone program and shows Lazarus's continued evolution through newly abused DLL proxying targets and improved evasion techniques. The command-and-control URLs below sit under theme and plugin paths of legitimate WordPress sites, indicating compromised third-party web servers rather than attacker-registered domains.

    Indicators of Compromise (IOC) List

    URLs/Domains

    coralsunmarine.com

    kazitradebd.com

    oldlinewoodwork.com

    pierregems.com

    www.mnmathleague.org

    www.scgestor.com.br

    galaterrace.com

    ecudecode.mx

    www.anvil.org.ph

    partnerls.pl

    trainingpharmacist.co.uk

    mediostresbarbas.com.ar

    www.bandarpowder.com

    spaincaramoon.com

    https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php

    https://kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php

    https://oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php

    https://www.mnmathleague.org/ckeditor/adapters/index.php

    https://pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php

    https://www.scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php

    https://galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php

    https://ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php

    https://www.anvil.org.ph/list/images/index.php

    https://partnerls.pl/wp-content/themes/public/index.php

    https://trainingpharmacist.co.uk/bootstrap/bootstrap.php

    https://mediostresbarbas.com.ar/php_scrip/banahosting/index.php

    https://www.bandarpowder.com/public/assets/buttons/bootstrap.php

    https://spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php

    IP Address

    23.111.133.162

    104.21.80.1

    70.32.24.131

    185.148.129.24

    66.29.144.75

    108.181.92.71

    104.247.162.67

    193.39.187.165

    172.67.193.139

    77.55.252.111

    45.148.29.122

    75.102.23.3

    152.42.239.211

    95.217.119.214

    Hash

    28978E987BC59E75CA22562924EAB93355CF679E

    5E5BBA521F0034D342CC26DB8BCFECE57DBD4616

    B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539

    26AA2643B07C48CB6943150ADE541580279E8E0E

    0CB73D70FD4132A4FF5493DAA84AAE839F6329D5

    03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4

    71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF

    87B2DF764455164C6982BA9700F27EA34D3565DF

    E670C4275EC24D403E0D4DE7135CBCF1D54FF09C

    B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE

    5B85DD485FD516AA1F4412801897A40A9BE31837

    B68C49841DC48E3672031795D85ED24F9F619782

    AC16B1BAEDE349E4824335E0993533BF5FC116B3

    2AA341B03FAC3054C57640122EA849BC0C2B6AF6

    CB7834BE7DE07F89352080654F7FEB574B42A2B8

    262B4ED6AC6A977135DECA5B0872B7D6D676083A

    086816466D9D9C12FCADA1C872B8C0FF0A5FC611

    2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05

    aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7

    083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120

    fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97

    503b3ece42f540409bcb2f0abc7584e557a0d120b7ba9854b4548496b2546d34

    c39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012

    98d1a10521a4dd968d75e2860e523311b5851737795c84943c380870794c851a

    f9a9c1a13ed74aebca0652b102755833fc084e221d731b5e7ae76ff136f85864

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "partnerls.pl" or siteurl like "partnerls.pl" or url like "partnerls.pl" or
    domainname like "spaincaramoon.com" or siteurl like "spaincaramoon.com" or url like "spaincaramoon.com" or
    domainname like "https://kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php" or siteurl like "https://kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php" or url like "https://kazitradebd.com/wp-content/themes/hello-elementor/includes/customizer/customizer-hand.php" or
    domainname like "https://galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php" or siteurl like "https://galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php" or url like "https://galaterrace.com/wp-content/themes/hello-elementor/includes/functions.php" or
    domainname like "https://www.bandarpowder.com/public/assets/buttons/bootstrap.php" or siteurl like "https://www.bandarpowder.com/public/assets/buttons/bootstrap.php" or url like "https://www.bandarpowder.com/public/assets/buttons/bootstrap.php" or
    domainname like "https://partnerls.pl/wp-content/themes/public/index.php" or siteurl like "https://partnerls.pl/wp-content/themes/public/index.php" or url like "https://partnerls.pl/wp-content/themes/public/index.php" or
    domainname like "www.anvil.org.ph" or siteurl like "www.anvil.org.ph" or url like "www.anvil.org.ph" or
    domainname like "https://pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php" or siteurl like "https://pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php" or url like "https://pierregems.com/wp-content/themes/woodmart/inc/configs/js-hand.php" or
    domainname like "pierregems.com" or siteurl like "pierregems.com" or url like "pierregems.com" or
    domainname like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or siteurl like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or url like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or
    domainname like "https://trainingpharmacist.co.uk/bootstrap/bootstrap.php" or siteurl like "https://trainingpharmacist.co.uk/bootstrap/bootstrap.php" or url like "https://trainingpharmacist.co.uk/bootstrap/bootstrap.php" or
    domainname like "oldlinewoodwork.com" or siteurl like "oldlinewoodwork.com" or url like "oldlinewoodwork.com" or
    domainname like "kazitradebd.com" or siteurl like "kazitradebd.com" or url like "kazitradebd.com" or
    domainname like "www.bandarpowder.com" or siteurl like "www.bandarpowder.com" or url like "www.bandarpowder.com" or
    domainname like "coralsunmarine.com" or siteurl like "coralsunmarine.com" or url like "coralsunmarine.com" or
    domainname like "https://www.mnmathleague.org/ckeditor/adapters/index.php" or siteurl like "https://www.mnmathleague.org/ckeditor/adapters/index.php" or url like "https://www.mnmathleague.org/ckeditor/adapters/index.php" or
    domainname like "galaterrace.com" or siteurl like "galaterrace.com" or url like "galaterrace.com" or
    domainname like "ecudecode.mx" or siteurl like "ecudecode.mx" or url like "ecudecode.mx" or
    domainname like "https://mediostresbarbas.com.ar/php_scrip/banahosting/index.php" or siteurl like "https://mediostresbarbas.com.ar/php_scrip/banahosting/index.php" or url like "https://mediostresbarbas.com.ar/php_scrip/banahosting/index.php" or
    domainname like "https://www.scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php" or siteurl like "https://www.scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php" or url like "https://www.scgestor.com.br/wp-content/themes/vantage/inc/template-headers.php" or
    domainname like "www.mnmathleague.org" or siteurl like "www.mnmathleague.org" or url like "www.mnmathleague.org" or
    domainname like "www.scgestor.com.br" or siteurl like "www.scgestor.com.br" or url like "www.scgestor.com.br" or
    domainname like "trainingpharmacist.co.uk" or siteurl like "trainingpharmacist.co.uk" or url like "trainingpharmacist.co.uk" or
    domainname like "mediostresbarbas.com.ar" or siteurl like "mediostresbarbas.com.ar" or url like "mediostresbarbas.com.ar" or
    domainname like "https://oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php" or siteurl like "https://oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php" or url like "https://oldlinewoodwork.com/wp-content/themes/zubin/inc/index.php" or
    domainname like "https://ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php" or siteurl like "https://ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php" or url like "https://ecudecode.mx/redsocial/wp-content/themes/buddyx/inc/Customizer/usercomp.php" or
    domainname like "https://www.anvil.org.ph/list/images/index.php" or siteurl like "https://www.anvil.org.ph/list/images/index.php" or url like "https://www.anvil.org.ph/list/images/index.php" or
    domainname like "https://spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php" or siteurl like "https://spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php" or url like "https://spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php"

    Detection Query 2 :

    dstipaddress IN ("108.181.92.71","104.247.162.67","75.102.23.3","185.148.129.24","45.148.29.122","66.29.144.75","152.42.239.211","104.21.80.1","23.111.133.162","77.55.252.111","70.32.24.131","193.39.187.165","172.67.193.139","95.217.119.214") or srcipaddress IN ("108.181.92.71","104.247.162.67","75.102.23.3","185.148.129.24","45.148.29.122","66.29.144.75","152.42.239.211","104.21.80.1","23.111.133.162","77.55.252.111","70.32.24.131","193.39.187.165","172.67.193.139","95.217.119.214")

    Detection Query 3 :

    sha1hash IN ("CB7834BE7DE07F89352080654F7FEB574B42A2B8","2AA341B03FAC3054C57640122EA849BC0C2B6AF6","5E5BBA521F0034D342CC26DB8BCFECE57DBD4616","AC16B1BAEDE349E4824335E0993533BF5FC116B3","28978E987BC59E75CA22562924EAB93355CF679E","B12EEB595FEEC2CFBF9A60E1CC21A14CE8873539","26AA2643B07C48CB6943150ADE541580279E8E0E","0CB73D70FD4132A4FF5493DAA84AAE839F6329D5","03D9B8F0FCF9173D2964CE7173D21E681DFA8DA4","71D0DDB7C6CAC4BA2BDE679941FA92A31FBEC1FF","87B2DF764455164C6982BA9700F27EA34D3565DF","E670C4275EC24D403E0D4DE7135CBCF1D54FF09C","B6D8D8F5E0864F5DA788F96BE085ABECF3581CCE","5B85DD485FD516AA1F4412801897A40A9BE31837","B68C49841DC48E3672031795D85ED24F9F619782","262B4ED6AC6A977135DECA5B0872B7D6D676083A","086816466D9D9C12FCADA1C872B8C0FF0A5FC611","2A2B20FDDD65BA28E7C57AC97A158C9F15A61B05")

    Detection Query 4 :

    sha256hash IN ("fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97","f9a9c1a13ed74aebca0652b102755833fc084e221d731b5e7ae76ff136f85864","aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7","98d1a10521a4dd968d75e2860e523311b5851737795c84943c380870794c851a","083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120","503b3ece42f540409bcb2f0abc7584e557a0d120b7ba9854b4548496b2546d34","c39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012")
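    The four queries above match the raw indicators as listed. Three practical points apply when porting them to another platform, and the script below shows all three over constructed sample data. First, the C2 URLs live under theme and plugin directories of compromised WordPress sites, so a request to the exact host and path is a high-confidence hit while a request to the bare domain only shows that a user visited a compromised site. Second, 104.21.80.1 and 172.67.193.139 fall inside Cloudflare's anycast address space (an assumption based on Cloudflare's published ranges), which fronts many unrelated sites, so a hit on those two addresses alone should be treated as low confidence rather than blocked outright. Third, the advisory lists SHA-1 values in uppercase and SHA-256 values in lowercase, so hash comparisons must be case-folded or half the list will never match. This is an added example written for this page, not code from Gurucul or ESET; the proxy log layout, the field names and the log lines are assumptions constructed for illustration, and only a subset of the IOCs is embedded to keep it short.

```python
"""Match the advisory's IOCs against sample proxy and EDR records.

Added example, not code from Gurucul or ESET. The log lines and hash list
below are constructed for illustration; the log format is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs copied from the advisory above (a subset, to keep the example short).
IOC_URLS = {
    "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php",
    "https://www.mnmathleague.org/ckeditor/adapters/index.php",
    "https://spaincaramoon.com/realestate/wp-content/plugins/gravityforms/forward.php",
}
IOC_IPS = {"23.111.133.162", "104.21.80.1", "172.67.193.139", "95.217.119.214"}
IOC_HASHES = {
    "28978E987BC59E75CA22562924EAB93355CF679E",  # SHA-1, listed uppercase
    "aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7",  # SHA-256
}

# Assumption: Cloudflare's published anycast ranges. Two advisory IPs fall
# inside them, so a hit on those addresses alone says little about the victim.
SHARED_CDN_NETS = [ipaddress.ip_network("104.16.0.0/13"),
                   ipaddress.ip_network("172.64.0.0/13")]

# Derived lookup tables: the C2 sites are compromised WordPress installs, so
# host+path is the high-fidelity indicator and the bare domain a weaker one.
IOC_PATHS = {(urlsplit(u).hostname, urlsplit(u).path) for u in IOC_URLS}
IOC_DOMAINS = {host for host, _ in IOC_PATHS}
IOC_HASHES_NORM = {h.lower() for h in IOC_HASHES}  # compare case-insensitively


def normalize_url(url):
    """Return (host, path) with the scheme dropped, so http:// and https:// match."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


def ip_confidence(ip):
    """'high' for a listed IP, 'low' if it sits in shared CDN space, None if unlisted."""
    if ip not in IOC_IPS:
        return None
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_CDN_NETS) else "high"


def match_hash(digest):
    """True if a SHA-1/SHA-256 from an EDR or file inventory is an advisory hash."""
    return digest.strip().lower() in IOC_HASHES_NORM


# Assumed proxy log layout: "<timestamp> <src_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def match_proxy_line(line):
    """Return a finding dict for one proxy record, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = normalize_url(m["url"])
    findings = []
    if (host, path) in IOC_PATHS:
        findings.append(("url", "high"))
    elif host in IOC_DOMAINS:
        findings.append(("domain", "medium"))  # compromised site, but not the C2 script
    conf = ip_confidence(m["dst"])
    if conf:
        findings.append(("ip", conf))
    if not findings:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "url": m["url"],
            "findings": findings}


def scan(lines):
    """Run every proxy record through the matcher and keep the hits."""
    return [hit for hit in map(match_proxy_line, lines) if hit]


# Constructed sample data (not real telemetry).
SAMPLE_PROXY = [
    "2025-10-31T09:12:01Z 10.0.0.5 23.111.133.162 GET http://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php",
    "2025-10-31T09:13:44Z 10.0.0.7 198.51.100.20 GET https://www.mnmathleague.org/about.html",
    "2025-10-31T09:15:09Z 10.0.0.9 104.21.80.1 GET https://example.net/index.html",
    "2025-10-31T09:16:30Z 10.0.0.9 93.184.216.34 GET https://example.org/",
]
SAMPLE_HASHES = ["28978e987bc59e75ca22562924eab93355cf679e",
                 "da39a3ee5e6b4b0d3255bfef95601890afd80709"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY):
        print(hit["ts"], hit["src"], "->", hit["url"], hit["findings"])
    for h in SAMPLE_HASHES:
        print(h, "IOC" if match_hash(h) else "clean")
```

    The first sample line produces a high-confidence URL hit plus a high-confidence IP hit, the second only a medium-confidence domain hit, the third only a low-confidence hit on a shared CDN address, and the fourth nothing. When reusing the Gurucul queries on another platform, check how that platform's `like` treats wildcards and case: without a wildcard it usually behaves as equality, a `domainname` field will never equal a full `https://...` URL, and the mixed-case hash lists need the same case-folding the script applies.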

    Reference:

    https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/


    Tags

    Malware, Threat Actor, Lazarus Group, Operation DreamJob, North Korea, UAV, Drone Technology, Trojan, ScoringMathTea, Stealer, DLL, GitHub, Europe, Defense Industrial Base
