Sophisticated Cyberattack Operation DreamJob Targets Manufacturing via WhatsApp Exploit


In August 2025, a sophisticated cyberattack, dubbed Operation DreamJob, targeted an Asian subsidiary of a prominent European manufacturing firm. This incident underscores the evolving tactics of cybercriminals who exploit social engineering to infiltrate high-value targets within the manufacturing industry.

The Attack Vector: WhatsApp Web Messaging

The intrusion commenced when a project engineer received a message via WhatsApp Web, presenting what appeared to be a legitimate job offer. The message contained a ZIP archive comprising three components:

1. A seemingly innocuous PDF file.

2. A legitimate open-source document viewer, SumatraPDF.exe.

3. A malicious DLL file named libmupdf.dll.

This combination relied on a technique known as DLL sideloading: because Windows searches an application's own directory before the system directories, the legitimate executable (SumatraPDF.exe) loads the attacker-supplied libmupdf.dll placed beside it instead of the genuine library, thereby executing the embedded malware.

Attribution and Analysis

Security analysts from Orange Cyberdefense investigated the incident and attributed the attack, with medium confidence, to the North Korean threat group UNC2970. Their analysis revealed the use of sophisticated malware variants, specifically BURNBOOK and MISTPEN, and the use of compromised SharePoint and WordPress servers for command and control. The attackers maintained persistent access for at least six hours, carrying out hands-on-keyboard activity throughout the compromise.

Infection Chain and Malware Deployment

When the engineer opened the PDF with the bundled SumatraPDF.exe, the executable sideloaded the malicious libmupdf.dll, identified as a variant of the BURNBOOK loader. This backdoor provided initial access, enabling the attackers to begin reconnaissance within the network.
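As an added illustration, not code from the article or from Orange Cyberdefense's analysis, the following Python pass runs a simple detection over constructed Sysmon-style ImageLoad (Event ID 7) records, flagging the SumatraPDF.exe/libmupdf.dll sideload described above when the DLL is loaded from a user-writable directory next to the executable rather than its install folder. The record field names, sample paths and the list of user-writable path markers are assumptions made for the example.

```python
# Added example: detect the SumatraPDF.exe -> libmupdf.dll sideload pattern in
# constructed Sysmon-style ImageLoad (Event ID 7) records.
import json
import ntpath

# (host executable, DLL it normally loads from its own install folder); the
# SumatraPDF.exe/libmupdf.dll pair comes from the incident described above.
SIDELOAD_PAIRS = {
    "sumatrapdf.exe": {"libmupdf.dll"},
}

# Path fragments a standard user can write to (assumed list for the example).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed sample telemetry in JSON-lines form: one record per line.
SAMPLE_LOG = r"""
{"EventID":7,"Image":"C:\\Program Files\\SumatraPDF\\SumatraPDF.exe","ImageLoaded":"C:\\Program Files\\SumatraPDF\\libmupdf.dll","Signed":"true","User":"CORP\\alice"}
{"EventID":7,"Image":"C:\\Users\\bob\\Downloads\\JobOffer\\SumatraPDF.exe","ImageLoaded":"C:\\Users\\bob\\Downloads\\JobOffer\\libmupdf.dll","Signed":"false","User":"CORP\\bob"}
{"EventID":7,"Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","User":"CORP\\bob"}
{"EventID":1,"Image":"C:\\Users\\bob\\Downloads\\JobOffer\\SumatraPDF.exe","CommandLine":"SumatraPDF.exe offer.pdf","User":"CORP\\bob"}
"""

def is_user_writable(path: str) -> bool:
    """Heuristic: the path sits under a directory a standard user can write to."""
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)

def detect_sideloads(log_text: str) -> list[dict]:
    """Return one finding per ImageLoad record matching the sideload pattern."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue  # only DLL load events carry the host/DLL pair
        host = ntpath.basename(ev["Image"]).lower()
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        if dll not in SIDELOAD_PAIRS.get(host, ()):
            continue
        # Sideloading needs the DLL in the executable's own directory, so the
        # pair must share a folder; then ask whether that folder is suspicious.
        same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(ev["ImageLoaded"]).lower()
        reasons = []
        if is_user_writable(ev["ImageLoaded"]):
            reasons.append("dll_in_user_writable_path")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("dll_unsigned")
        if same_dir and reasons:
            findings.append({"user": ev["User"], "host": ev["Image"],
                             "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings
```

Only the record where the unsigned libmupdf.dll sits beside SumatraPDF.exe in a Downloads folder is flagged; the same pair loaded from Program Files is treated as a normal load.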

Advanced Persistence and Lateral Movement

Following successful infiltration, the threat actors employed multiple techniques to expand their foothold:

– LDAP Queries: Extensive queries against Active Directory were performed to enumerate users and computers within the domain, gathering intelligence for lateral movement.

– Credential Compromise: Backup and administrative accounts were compromised using pass-the-hash techniques, allowing authentication without plaintext passwords.

– Additional Payloads: The attackers deployed TSVIPsrv.dll, a MISTPEN backdoor variant, which decrypted and executed wordpad.dll.mui directly in memory, establishing connections to compromised SharePoint servers for command and control communications.

– Data Exfiltration: The final stage involved deploying Release_PvPlugin_x64.dll, functioning as an information-stealing module designed to exfiltrate sensitive data from infected systems.

Implications for the Manufacturing Sector

This incident highlights the increasing sophistication of cyberattacks targeting the manufacturing industry. The use of trusted communication platforms like WhatsApp for delivering malicious payloads signifies a shift towards more personalized and deceptive social engineering tactics.

Recommendations for Mitigation

To defend against such advanced threats, organizations should consider the following measures:

1. Employee Training: Conduct regular cybersecurity awareness programs to educate employees about the risks of unsolicited messages and the importance of verifying the authenticity of job offers and other unexpected communications.

2. Endpoint Protection: Implement robust endpoint detection and response (EDR) solutions capable of identifying and mitigating DLL sideloading and other sophisticated attack techniques.

3. Network Segmentation: Segment networks to limit lateral movement opportunities for attackers, thereby containing potential breaches.

4. Regular Audits: Perform regular security audits and penetration testing to identify and remediate vulnerabilities within the organization’s infrastructure.

5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift and effective action in the event of a security breach.

Conclusion

Operation DreamJob serves as a stark reminder of the evolving threat landscape facing the manufacturing sector. By leveraging trusted platforms and sophisticated malware, cybercriminals can execute highly targeted attacks with significant operational and financial repercussions. Proactive measures, continuous education, and robust security protocols are essential to safeguard organizations against such advanced persistent threats.