Skip to main content
Mallory
Back to threat actors
Exploits CVEs in the wild

Operation Dream Job

Also known asoperation_dream_job

Operation Dream Job is a North Korean-linked intrusion campaign associated in the provided content with Lazarus Group. The campaign used fictitious job offers and recruiter-themed social engineering, including spearphishing messages sent via LinkedIn, to trick targets into downloading malicious tools. The content states that Lazarus Group used compromised servers to host malware during the operation, used regsvr32 to execute malware, and placed LNK files in victims’ Startup folders for persistence. Post-compromise activity described in the content includes querying compromised victims’ Active Directory servers to obtain lists of employees, including administrator accounts, and conducting word searches within documents on compromised hosts for security and financial matters. The malware used in the campaign was described as being designed not to run on systems configured for Korean, Japanese, or Chinese in Windows language preferences. The content also states that Lazarus Group used a custom build of the open-source dbxcli command-line tool to exfiltrate stolen data to Dropbox. The campaign is noted as having tactical overlap with later North Korean activity such as Contagious Interview, but the content explicitly treats that as a separate activity cluster.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1588
Obtain Capabilities
T1588.002
Tool
TA0002
Execution
1 technique
T1203
Exploitation for Client Execution
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2022-0609Use-after-free RCE in Google Chrome AnimationIn the wildEvidence1

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
the hacker newsNews
Nov 22, 2023
North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

A North Korean social engineering campaign that impersonates recruiters and companies with fake job offers to trick targets into downloading malicious tools during supposed interviews.

Read more
mitre attack websiteNews
Aug 1, 2020
System Location Discovery: System Language Discovery, Sub-technique T1614.001 - Enterprise | MITRE ATT&CK®

Named activity cluster in which malware was configured to avoid execution on systems using Korean, Japanese, or Chinese language settings.

Read more
mitre attack websiteNews
Jun 1, 2020
System Binary Proxy Execution: Regsvr32, Sub-technique T1218.010 - Enterprise | MITRE ATT&CK®

Activity cluster in which Lazarus Group used regsvr32 to execute malware.

Read more
mitre attack websiteNews
May 1, 2020
Exfiltration Over Web Service: Exfiltration to Cloud Storage, Sub-technique T1567.002 - Enterprise | MITRE ATT&CK®

Campaign in which Lazarus Group used a custom dbxcli build to exfiltrate stolen data to Dropbox.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.