Overview
- ESET traced late-March intrusions to Lazarus at a metal engineering firm, an aircraft components maker, and a defense contractor in Central and Southeastern Europe.
- Two of the targets work on UAV components or software, and ESET assesses the operation most likely sought proprietary drone information and manufacturing know-how.
- Victims were enticed with recruitment lures that led them to run tampered apps and plugins such as MuPDF, Notepad++, TightVNC, WinMerge components, libpcre, and DirectX wrappers.
- The toolchain used DLL sideloading and in-memory loading, deploying the ScoringMathTea RAT with about 40 commands and, in some cases, BinMergeLoader/MISTPEN-style downloaders that leverage Microsoft Graph.
- ESET published indicators of compromise and noted droppers bearing the internal name DroneEXEHijackingLoader.dll, warning that other UAV-sector organizations may be targeted.