Operation Dreamjob

Campaign updated 4 months ago (2024-05-04T16:53:34.845Z)
Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign name was first coined in a blog post by ClearSky in August 2020, which described Lazarus' attempts to target defense and aerospace companies for cyberespionage purposes. The campaign involves reaching out to potential targets through LinkedIn, posing as recruiters from industry leaders, and luring them with attractive job offers. This method of operation underscores that the Lazarus group's objectives are not solely financial but also include espionage goals.

ESET researchers discovered a new Lazarus Operation DreamJob campaign targeting Linux users. The Linux component of this campaign, named SimplexTea, is used to compromise unsuspecting victims who fall for the fake job offers. This discovery corroborates the theory that the Lazarus group was behind the 3CX supply-chain attack, as similarities were found with the newly discovered Linux malware used in Operation DreamJob.

The Lazarus actor would typically pretend to be a recruiter from Meta (formerly Facebook), named Steve Dawson, to initiate the attack. The Operation DreamJob campaign has been linked with high confidence to several attacks, including one in Spain. The campaign has also been known under other names such as DeathNote or NukeSped.

Security vendors like ESET have been actively tracking the campaign, providing valuable insights into the Lazarus group's tactics. With this information now public, companies are better equipped to identify compromises and contain incidents related to this campaign.
Description last updated: 2024-05-04T16:53:34.302Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
DreamJob | 3 | "DreamJob" is a highly sophisticated and lucrative campaign led by the infamous Lazarus Group, a North Korea-aligned cybercriminal entity. The operation, first identified in a blog post by ClearSky in August 2020, targets defense and aerospace companies with an objective of cyberespionage. The group
Lazarus Group | 3 | The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
DreamJob
Linux
Malware
3cx
Apt
Eset
Espionage
Source Document References
Information about the Operation Dreamjob Campaign was read from the documents corpus below.
Source | Created At | Title
CERT-EU | a year ago | Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU | a year ago | Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
DARKReading | a year ago | 3CX Supply Chain Attack Tied to Financial Trading App Breach
Securityaffairs | a year ago | Lazarus APT group employed Linux Malware in recent attacks
ESET | a year ago | Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity
InfoSecurity-magazine | a year ago | Lazarus Group's DeathNote Campaign Reveals Shift in Targets
CERT-EU | a year ago | Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack | IT Security News
CERT-EU | a year ago | Lazarus Hackers' Linux Malware Linked to 3CX Supply-Chain Attack
CERT-EU | a year ago | Operation DreamJob - New Linux Malware Linked With 3CX Supply-Chain Attack
CERT-EU | a year ago | Recovering from a supply-chain attack: What are the lessons to learn from the 3CX hack?
Securityaffairs | a year ago | North Korean Lazarus targeted a Spanish aerospace company
CERT-EU | a year ago | Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU | a year ago | Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company