high_confidence

Operation Dream Job

[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, including fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022, security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)

Start date: 1 September 2019
End date: 1 August 2020
Techniques: 55

Attributed actors

Techniques (55)

collection (2)
T1005 Data from Local System
T1560.001 Archive via Utility

command-and-control (3)
T1573.001 Symmetric Cryptography
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

credential-access (1)
T1110 Brute Force

defense-impairment (1)
T1553.002 Code Signing

discovery (6)
T1497.001 System Checks
T1614.001 System Language Discovery
T1622 Debugger Evasion
T1083 File and Directory Discovery
T1497.003 Time Based Checks
T1087.002 Domain Account

execution (8)
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1047 Windows Management Instrumentation
T1106 Native API
T1059.001 PowerShell
T1204.001 Malicious Link
T1059.005 Visual Basic
T1053.005 Scheduled Task

exfiltration (2)
T1567.002 Exfiltration to Cloud Storage
T1041 Exfiltration Over C2 Channel

initial-access (3)
T1566.002 Spearphishing Link
T1566.001 Spearphishing Attachment
T1566.003 Spearphishing via Service

lateral-movement (1)
T1534 Internal Spearphishing

persistence (3)
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task
T1505.004 IIS Components

privilege-escalation (2)
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task

reconnaissance (4)
T1591.004 Identify Roles
T1589 Gather Victim Identity Information
T1593.001 Social Media
T1591 Gather Victim Org Information

resource-development (13)
T1587.001 Malware
T1588.002 Tool
T1585.002 Email Accounts
T1584.004 Server
T1608.001 Upload Malware
T1583.006 Web Services
T1583.001 Domains
T1584.001 Domains
T1608.002 Upload Tool
T1585.001 Social Media Accounts
T1583.004 Server
T1587.002 Code Signing Certificates
T1588.003 Code Signing Certificates

stealth (12)
T1220 XSL Script Processing
T1684.001 Impersonation
T1497.001 System Checks
T1036.008 Masquerade File Type
T1070.004 File Deletion
T1027.002 Software Packing
T1622 Debugger Evasion
T1497.003 Time Based Checks
T1218.010 Regsvr32
T1221 Template Injection
T1218.011 Rundll32
T1027.013 Encrypted/Encoded File

Indicators of compromise

No IOCs linked to this campaign yet.

Operation Dream Job — Campaign | Fancy Intel