Date: 11/25/2025
Severity: Medium
Summary
In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor. The intrusion exhibited hallmark UNC2970 tactics, including job-themed lures, infrastructure hosted on compromised SharePoint and WordPress sites, deployment of a trojanized PDF reader, and targeting of large multinational organizations in technology and manufacturing sectors.
Indicators of Compromise (IOC) List
Type | Indicator
Domain | cseabrahamlincoln-my.sharepoint.com
Domain | aerm-my.sharepoint.com
Domain | alex2moe-my.sharepoint.com/
Domain | diakoffice-my.sharepoint.com
Domain | isiswauitmedu-my.sharepoint.com
URL | https://tours-albatros.es/wp-content/plugins/soliloquy-lite/includes/global/skin.php
URL | https://kutahyasmmmo.org/wp-content/mu-plugins/natro/external_plugins/easy-wp-smtp/easy-wp-smtp-menu.php
URL | https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php
Hash | SHA-256 file hashes (the full set is carried in Detection Query 2 below)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "aerm-my.sharepoint.com" or siteurl like "aerm-my.sharepoint.com" or url like "aerm-my.sharepoint.com" or domainname like "diakoffice-my.sharepoint.com" or siteurl like "diakoffice-my.sharepoint.com" or url like "diakoffice-my.sharepoint.com" or domainname like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or siteurl like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or url like "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php" or domainname like "cseabrahamlincoln-my.sharepoint.com" or siteurl like "cseabrahamlincoln-my.sharepoint.com" or url like "cseabrahamlincoln-my.sharepoint.com" or domainname like "isiswauitmedu-my.sharepoint.com" or siteurl like "isiswauitmedu-my.sharepoint.com" or url like "isiswauitmedu-my.sharepoint.com" or domainname like "https://tours-albatros.es/wp-content/plugins/soliloquy-lite/includes/global/skin.php" or siteurl like "https://tours-albatros.es/wp-content/plugins/soliloquy-lite/includes/global/skin.php" or url like "https://tours-albatros.es/wp-content/plugins/soliloquy-lite/includes/global/skin.php" or domainname like "https://kutahyasmmmo.org/wp-content/mu-plugins/natro/external_plugins/easy-wp-smtp/easy-wp-smtp-menu.php" or siteurl like "https://kutahyasmmmo.org/wp-content/mu-plugins/natro/external_plugins/easy-wp-smtp/easy-wp-smtp-menu.php"

Detection Query 2:
sha256hash IN ("ec5d14ca011ba8c12f4d51b0d463cf51051feaf1655c7f709dce3ffa625dfcf6","083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120","0fdd97a597380498f6b2d491f8f50da8f903def4ea6e624b89757456c287f92d","7b4cb382b364389c3bd1f4736411de17ceb213a7792733ae5dd90c8b01b4191f","aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2","f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8","e3e0a87e18de05c4abb95fc21f22d6c9c367eb207dbbf2dd092673656caf7661","4eeec453e42c2898e2e9870bbee273834aeb8cdde8c826c036f9a7d0b568a25d")
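As an added example (not part of this advisory and not a Gurucul query), the Python below applies the same URL and domain indicators to proxy log lines: the SharePoint tenants are matched as whole hosts, while the three WordPress sites are legitimate sites that were compromised, so only the exact indicator path is matched and a visit to the site's homepage is not flagged. The log lines are constructed; the host normalisation handles mixed case, ports and the trailing slash in the IOC list.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list above. The SharePoint tenants are indicators as whole
# hosts; the three WordPress sites are legitimate sites, so only the exact path is an indicator.
IOC_HOSTS = {
    "cseabrahamlincoln-my.sharepoint.com", "aerm-my.sharepoint.com", "alex2moe-my.sharepoint.com",
    "diakoffice-my.sharepoint.com", "isiswauitmedu-my.sharepoint.com",
}
IOC_URLS = {
    "https://tours-albatros.es/wp-content/plugins/soliloquy-lite/includes/global/skin.php",
    "https://kutahyasmmmo.org/wp-content/mu-plugins/natro/external_plugins/easy-wp-smtp/easy-wp-smtp-menu.php",
    "https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php",
}

def host_of(value):
    """Lowercase hostname of a URL or bare host ('alex2moe-my.sharepoint.com/' -> 'alex2moe-my.sharepoint.com')."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # scheme-relative form so urlsplit sees the netloc
    return (urlsplit(value).hostname or "").lower()

def match_url(url):
    """('host', h) when the host is an IOC tenant, ('url', u) on an exact IOC path, else None."""
    host = host_of(url)
    if host in IOC_HOSTS:
        return ("host", host)
    p = urlsplit(url.strip())
    canon = f"{p.scheme.lower()}://{host}{p.path}"  # drop query/fragment so '?id=7' variants still match
    return ("url", canon) if canon in IOC_URLS else None

# Constructed proxy log lines (not from the incident): timestamp client method url status
SAMPLE_LOG = """\
2025-08-12T09:14:03Z 10.0.0.5 GET https://AERM-my.sharepoint.com/personal/u/Documents/Job_Description.pdf 200
2025-08-12T09:14:09Z 10.0.0.5 GET https://coralsunmarine.com/ 200
2025-08-12T09:15:40Z 10.0.0.5 POST https://coralsunmarine.com/wp-content/themes/flatsome/inc/functions/function-hand.php?id=7 200
2025-08-12T09:16:02Z 10.0.0.9 GET https://contoso-my.sharepoint.com/personal/u/Documents/report.docx 200"""

def scan_log(text):
    """Return [(line_number, kind, indicator)] for each log line whose URL field matches an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 5 and (m := match_url(fields[3])):
            hits.append((n,) + m)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running it over the constructed log reports lines 1 and 3 only: the SharePoint tenant hit and the request to the indicator path, despite the query string and mixed-case host.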
Reference:
https://www.orangecyberdefense.com/fileadmin/global/Blog/Navigating_Operation_DreamJob_s_arsenal_1.pdf