Operation Dreamjob

Campaign updated 2 years ago (2024-05-04T16:53:34.845Z)

Download STIX

Preview STIX

Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign was first coined in a blog post by ClearSky in August 2020, where it described Lazarus' attempts to target defense and aerospace companies for cyberespionage purposes. The campaign involves reaching out to potential targets through LinkedIn, posing as recruiters from industry leaders, and luring them with attractive job offers. This method of operation underscores that the Lazarus group's objectives are not solely financial but also include espionage goals. ESET researchers discovered a new Lazarus Operation DreamJob campaign targeting Linux users. The Linux component of this campaign was named SimplexTea, which is used to compromise unsuspecting victims who fall for the fake job offers. This discovery corroborates the theory that the Lazarus group was behind the 3CX supply-chain attack, as similarities were found with the newly discovered Linux malware used in Operation DreamJob. The Lazarus actor would typically pretend to be a recruiter from Meta (formerly Facebook), named Steve Dawson, to initiate the attack. The Operation DreamJob campaign has been linked with high confidence to several attacks, including one in Spain. The campaign has also been known under other names such as DeathNote or NukeSped. Security vendors like ESET have been actively tracking the campaign, providing valuable insights into the Lazarus group's tactics. With this information now public, companies are better equipped to identify compromises and contain incidents related to this campaign.

Description last updated: 2024-05-04T16:53:34.302Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
DreamJob is a possible alias for Operation Dreamjob. "DreamJob" is a highly sophisticated and lucrative campaign led by the infamous Lazarus Group, a North Korea-aligned cybercriminal entity. The operation, first identified in a blog post by ClearSky in August 2020, targets defense and aerospace companies with an objective of cyberespionage. The group	4
Lazarus Group is a possible alias for Operation Dreamjob. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

DreamJob

Apt

Eset

Linux

Malware

3cx

Source

Payload

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lightlesscan Malware is associated with Operation Dreamjob. LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou	Unspecified	2

Source Document References

Information about the Operation Dreamjob Campaign was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	18 days ago	Gotta fly: Lazarus targets the UAV sector
ESET	18 days ago	DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
Securityaffairs	a month ago	Security Affairs newsletter Round 547 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	a month ago	Lazarus targets European defense firms in UAV-themed Operation DreamJob
InfoSecurity-magazine	a month ago	Lazarus Group’s Operation DreamJob Targets European Defense Firms
ESET	9 months ago	DeceptiveDevelopment targets freelance developers
CERT-EU	2 years ago	Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU	2 years ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
DARKReading	3 years ago	3CX Supply Chain Attack Tied to Financial Trading App Breach
Securityaffairs	3 years ago	Lazarus APT group employed Linux Malware in recent attacks
ESET	3 years ago	Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack \| WeLiveSecurity
InfoSecurity-magazine	3 years ago	Lazarus Group's DeathNote Campaign Reveals Shift in Targets
CERT-EU	3 years ago	Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack \| IT Security News
CERT-EU	3 years ago	Lazarus Hackers' Linux Malware Linked to 3CX Supply-Chain Attack
CERT-EU	3 years ago	Operation DreamJob - New Linux Malware Linked With 3CX Supply-Chain Attack
CERT-EU	2 years ago	Recovering from a supply-chain attack: What are the lessons to learn from the 3CX hack?
Securityaffairs	2 years ago	North Korean Lazarus targeted a Spanish aerospace company
CERT-EU	2 years ago	Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU	2 years ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company