Orange Cyberdefense’s CyberSOC and CSIRT teams have uncovered a new wave of Operation DreamJob attacks, revealing updated and highly evasive malware variants linked to North Korean threat actor UNC2970. The campaign, observed in August 2025, targeted an Asian subsidiary of a major European manufacturing company and leveraged one of DreamJob’s signature intrusion methods—a fraudulent job offer delivered over WhatsApp.
DreamJob, also known as Operation North Star or DeathNote, is one of the longest-running cyber-espionage programs attributed to the DPRK. The report notes that DreamJob “encompasses intelligence gathering attacks targeting employees… in the defense, manufacturing, chemical, aerospace or technology sectors with job posting lures.”
But while the social engineering lures remain familiar, Orange Cyberdefense observed significant evolution in the malware families involved—particularly BURNBOOK and MISTPEN, two long-standing components of North Korea’s toolkit.
According to Orange Cyberdefense, “the intrusion was initiated by a WhatsApp message claiming to be a job offer for a Project Manager position.” The lure led the victim to download a ZIP archive containing a malicious PDF and a trojanized SumatraPDF DLL, kickstarting an attack chain aligned with years of DreamJob-related activity.

The ZIP archive included:
- A malicious PDF
- A legitimate SumatraPDF.exe
- A malicious libmupdf.dll
Opening the PDF with the bundled SumatraPDF.exe caused the reader to load the malicious libmupdf.dll sitting beside it (DLL sideloading), a tactic consistent with DreamJob since 2020. Analysts determined that “libmupdf.dll is a recent BURNBOOK variant.”
Orange Cyberdefense compared the recovered DLL to historical BURNBOOK samples and found that “most of the two DLLs’ functions are similar,” both acting as loaders that “read an input file… decrypt its contents… [and] write the result to a temporary file.”
This variant also contains references to:
- wkspbroker.exe
- radcui.dll
- container.dat
All of these match artifacts documented in ESET’s earlier DreamJob investigations, suggesting this intrusion chain is a modernized branch of the same lineage.
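The detection angle on the chain described above is that a legitimate, known host binary (SumatraPDF.exe, wkspbroker.exe) loads a DLL with an expected name from a directory it should not be running from, such as an extracted ZIP in Downloads. The following is an added example, not code from the article or from the Orange Cyberdefense report: it runs a simple sideloading check over constructed image-load log lines. The `Image=|ImageLoaded=|Signed=` line format, the trusted-directory list and the sample paths are all assumptions of this example.

```python
"""Flag likely DLL sideloading from image-load telemetry (added example).

Assumptions: each log line carries Image=, ImageLoaded= and Signed= fields
separated by '|'; a DLL load is trusted when it comes from the Windows or
Program Files trees. Both are constructed for this example, not taken from
the report.
"""
import re
from pathlib import PureWindowsPath

# Host-binary / DLL pairings named in the article.
KNOWN_SIDELOAD_PAIRS = {
    "sumatrapdf.exe": {"libmupdf.dll"},
    "wkspbroker.exe": {"radcui.dll"},
}
# Assumed trusted install locations (lower-cased, trailing backslash).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directory markers that indicate a user-writable location.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

LINE_RE = re.compile(
    r"Image=(?P<image>[^|]+)\|ImageLoaded=(?P<loaded>[^|]+)\|Signed=(?P<signed>true|false)",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "image": m["image"].strip(),
        "loaded": m["loaded"].strip(),
        "signed": m["signed"].lower() == "true",
    }


def assess(event):
    """Return the reasons a DLL load looks like sideloading (empty list if none)."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    host = image.name.lower()
    dll = loaded.name.lower()
    loaded_dir = str(loaded.parent).lower() + "\\"
    in_trusted = loaded_dir.startswith(TRUSTED_PREFIXES)
    reasons = []
    # Strong signal: a documented host/DLL pairing outside a trusted install tree.
    if dll in KNOWN_SIDELOAD_PAIRS.get(host, set()) and not in_trusted:
        reasons.append(f"known sideload pair {host} -> {dll} loaded outside a trusted directory")
    # Weaker, generic signal: unsigned code loaded from a user-writable path.
    if not event["signed"] and any(marker in loaded_dir for marker in USER_WRITABLE_MARKERS):
        reasons.append("unsigned DLL loaded from a user-writable location")
    return reasons


def scan(lines):
    """Run assess() over log lines; return (loaded_path, reasons) for each hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed or unrelated line
        reasons = assess(event)
        if reasons:
            hits.append((event["loaded"], reasons))
    return hits


# Constructed sample telemetry; paths and the 'victim' user are invented.
SAMPLE_LOG = [
    r"Image=C:\Users\victim\Downloads\ProjectManager_Offer\SumatraPDF.exe|ImageLoaded=C:\Users\victim\Downloads\ProjectManager_Offer\libmupdf.dll|Signed=false",
    r"Image=C:\Program Files\SumatraPDF\SumatraPDF.exe|ImageLoaded=C:\Program Files\SumatraPDF\libmupdf.dll|Signed=true",
    r"Image=C:\Windows\System32\wkspbroker.exe|ImageLoaded=C:\Users\victim\AppData\Local\Temp\radcui.dll|Signed=false",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    "this line is not an image-load event",
]

if __name__ == "__main__":
    for loaded_path, reasons in scan(SAMPLE_LOG):
        print(loaded_path)
        for reason in reasons:
            print("   -", reason)
```

The installed SumatraPDF in Program Files loading its own libmupdf.dll produces no hit, while the same pairing from an extracted archive in Downloads does; the second, generic rule catches the unsigned radcui.dll from Temp even if the host binary were not on the known-pair list.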
Once the attackers gained their foothold, Orange Cyberdefense observed at least six hours of continuous hands-on-keyboard activity via compromised infrastructure.
The report states: “The threat actors notably made multiple LDAP queries to the Active Directory… [and] subsequently identified the compromise of both a backup account and an administrative account.”
With these credentials, UNC2970 used pass-the-hash to move laterally across several servers without needing plaintext passwords, another recurring DreamJob technique.
The attackers next deployed TSVIPsrv.dll, identified with high confidence as a modern MISTPEN variant.
According to the report, “TSVIPsrv.dll decrypted and executed in memory wordpad.dll.mui, which then initiated network connections to compromised SharePoint servers for C2.”
From these servers, the malware retrieved a final payload, Release_PvPlugin_x64.dll, a compact information-stealing module executed entirely in memory, minimizing forensic artifacts.
Orange Cyberdefense compared their 2025 sample to Kaspersky’s 2024 MISTPEN specimen and found clear evolutionary changes. Both versions:
- Use AES-encrypted traffic
- Implement nearly identical opcode-based command loops
- Support payload download and execution (opcode 100)
- Support forced termination (opcode 101)
However, the newest MISTPEN variant introduces a third opcode (102) for remote sleep control: “This opcode implements remote timing control… sleeping repeatedly until the computed deadline is reached.”
The shift in opcode logic reflects UNC2970’s ongoing refinement of stealth and operational flexibility.
The report emphasizes that DreamJob remains difficult for defenders to investigate due to its ever-expanding malware ecosystem: “Many strains share the same modus operandi… with newly observed malware not always being properly described or compared to previously documented families.”
This proliferation of aliases and loader families has led researchers to adopt umbrella terms like DreamLoaders and NukeSped to describe clusters of related malware used in DreamJob operations.
The report concludes that despite DreamJob’s age, “Attacks can be hard to detect due to their combination and chaining of a large number of constantly modified droppers, loaders, and simple downloaders designed to decrypt and execute in memory even more versatile malware.”