A Pain in the Mist: Navigating Operation DreamJob’s arsenal
20 November 2025
CERT
Research
Threat
Authors:
Marine Pichon, Alexis Bonnefoi
Acknowledgments:
Special thanks to P. Kálnai (ESET) and E. Kee (BAE Systems) for their insights on the North Korean malware arsenal.
Special thanks to Alexandre Matousek, Friedl Holzner, Gordon Brebner, James O'Neill, and Nadine Scheid (Orange Cyberdefense).
Executive summary
In August 2025, Orange Cyberdefense’s CyberSOC and CSIRT investigated an intrusion targeting an Asian subsidiary of a large European manufacturing organization.
The infection chain was initiated by a targeted WhatsApp Web message containing a job-related lure sent to a project engineer.
The intrusion leveraged variants of the BURNBOOK loader and the MISTPEN backdoor as well as compromised SharePoint and WordPress resources for C2 infrastructure.
The full PDF report aims to describe the infection chain we observed, and to provide a comparative analysis of the BURNBOOK and MISTPEN …