216.73.217.176

From Dream Job to Malware: DreamLoaders in Recent Campaign

· Published 27/10/2025 10:10 · Modified 27/10/2025 10:55

Export JSON

Essential information

Published
27/10/2025 10:10
Modified
27/10/2025 10:55
Tags
2025-10-27 dreamjob dreamloaders tightvnc
Related entities
1 intrusion sets (apt), 14 techniques (mitre), 3 malware

Description

An analysis of Lazarus group's DreamJobs campaign reveals sophisticated malware deployment strategies. The group uses various loaders, dubbed '', to deploy different payloads. Key components include a trojanized client, DLL loaders executed through sideloading, and TSVIPSrv.dll, a loader identified on compromised servers. The campaign aims to extract credentials from targeted organizations' administrators. The malware authenticates to Microsoft tenants, retrieves SharePoint server URLs, and loads encrypted payloads. The modular nature of the loaders allows for flexible payload deployment. The investigation highlights the group's use of legitimate system binaries, encrypted payloads, and stealthy techniques to evade detection.

External references