DreamJob

Campaign updated 4 months ago (2024-05-04T18:00:47.561Z)
"DreamJob" is a highly sophisticated and lucrative campaign run by the infamous Lazarus Group, a North Korea-aligned cybercriminal entity. The operation, first identified in a ClearSky blog post in August 2020, targets defense and aerospace companies with the objective of cyberespionage. The group relies on social engineering, specifically fake job offers used as lures to compromise its targets. In the past, these attacks have brought the group significant financial gains, including the theft of $620 million from Axie Infinity.

ESET researchers have recently discovered a new Lazarus Operation DreamJob campaign targeting Linux users, the first time Linux users have been targeted in such a campaign. This campaign, dubbed "Operation DreamJob with a Linux payload," uses an HSBC-themed lure and a Linux component named SimplexTea. The attack typically starts with a LinkedIn message from a Lazarus actor posing as a recruiter from Meta (formerly Facebook) named Steve Dawson; the payload is likely delivered through spearphishing or direct messages on LinkedIn.

The Lazarus Group's activities are not solely financially motivated. The recent discovery underscores that the group's campaigns also pursue espionage objectives, as seen in the group's attack in Spain, which security experts attribute to Operation DreamJob with a high level of confidence. Similarities with the newly discovered Linux malware used in Operation DreamJob corroborate the theory that the Lazarus Group was behind the 3CX supply-chain attack.
Description last updated: 2024-05-04T18:00:47.516Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
Operation Dreamjob | 3 | Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign was first coined in a blog post by ClearSky in August 2020, where it described Lazarus' attempts to target defense and aerospace
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Malware
Linux
3cx
Operation Dr...
Apt
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 3 | The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated
Source Document References
Information about the DreamJob campaign was drawn from the document corpus below. This list is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | Operation DreamJob - New Linux Malware Linked With 3CX Supply-Chain Attack
CERT-EU | a year ago | Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU | a year ago | Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
ESET | a year ago | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack | WeLiveSecurity
InfoSecurity-magazine | a year ago | Lazarus Group's DeathNote Campaign Reveals Shift in Targets
Securityaffairs | a year ago | Lazarus APT group employed Linux Malware in recent attacks
CERT-EU | a year ago | Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack | IT Security News
CERT-EU | a year ago | Lazarus Hackers' Linux Malware Linked to 3CX Supply-Chain Attack
DARKReading | a year ago | 3CX Supply Chain Attack Tied to Financial Trading App Breach
CERT-EU | a year ago | Recovering from a supply-chain attack: What are the lessons to learn from the 3CX hack?