lazarusholic


From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign

2025-10-24, Lab52
https://lab52.io/blog/dreamloaders/
#DreamJob #DreamLoader #Lazarus


During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll, HideFirstLetter.dll).
From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders — components capable of deploying different payloads depending on the actors’ needs.
These loaders are used in the DreamJob campaign, but we believe they could also appear in other operations. For us, they truly are dream loaders.
The operational flow observed by our team is shown in the following diagram.
In this article, we describe the relationship between these artifacts and also detail the characteristics of TSVIPSrv.dll, a loader used by the group in the analyzed case.
During the investigation, two deployment methods were observed. One of them relies on DLL sideloading: a legitimate, signed system executable is placed next to a malicious DLL that carries the name of a library the executable expects to load, so the loader ends up running inside a trusted process instead of as a stand-alone binary.
Given the diversity …

IoC

Network:
https://login.microsoftonline.com/common/oauth2/v2.0/token
(Note: this is Microsoft's legitimate OAuth 2.0 token endpoint; treat it as hunting context for the artifacts above, not as a URL to block outright.)

SHA-256:
aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2
26bd4aab63563e77ca426c23b11d18d894eef9a727e111be79336e099b22bdd1
fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97
855baa2ff0c3e958a660ae84a048ce006e07cf51ce5192c0de364ee62873980c
0fdd97a597380498f6b2d491f8f50da8f903def4ea6e624b89757456c287f92d
473726dd9bc034564c4c7b951df12d102ff24f7b17b8356f55d36ed6d908882d
b3d7a3c3dedaa873e81b1676b6c0027ae1fd164587299bf65c02bd067ae1a972
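As an added example (not code from the Lab52 write-up), the following Python triage script ties the sideloading paragraph above to the hash list in this section: it walks a directory tree, compares every file's SHA-256 against the IoC hashes from the post, and separately flags any file bearing one of the DLL names the post mentions (TSVIPSrv.dll, radcui.dll, HideFirstLetter.dll) when it sits outside a directory where a legitimate copy would be expected. The post does not say which of those names are legitimate Windows libraries or where they normally live, so the expected-directory list is an assumption for illustration, and the sample directory the script builds contains constructed placeholder bytes, not a real sample.

```python
import hashlib
import os
import tempfile

# SHA-256 hashes copied from the IoC section of the Lab52 post.
IOC_SHA256 = {
    "aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2",
    "26bd4aab63563e77ca426c23b11d18d894eef9a727e111be79336e099b22bdd1",
    "fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97",
    "855baa2ff0c3e958a660ae84a048ce006e07cf51ce5192c0de364ee62873980c",
    "0fdd97a597380498f6b2d491f8f50da8f903def4ea6e624b89757456c287f92d",
    "473726dd9bc034564c4c7b951df12d102ff24f7b17b8356f55d36ed6d908882d",
    "b3d7a3c3dedaa873e81b1676b6c0027ae1fd164587299bf65c02bd067ae1a972",
}

# DLL names mentioned in the post. Whether each is a legitimate Windows library,
# and where its legitimate copy lives, is not stated in the post; the directory
# allow-list below is an ASSUMPTION for illustration only.
WATCHED_DLLS = {"tsvipsrv.dll", "radcui.dll", "hidefirstletter.dll"}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, ioc_hashes=IOC_SHA256, watched=WATCHED_DLLS, expected_dirs=EXPECTED_DIRS):
    """Walk `root` and return a list of (path, reason) findings.

    Two independent checks per file: an exact IoC hash match, and a watched
    DLL name appearing outside the directories where a legitimate copy is
    expected (the sideloading pattern: malicious DLL dropped beside a
    legitimate executable in a writable location).
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        # Lower-case, absolute directory so the prefix test is case-insensitive
        # on Windows and simply never matches on a non-Windows test box.
        ldir = os.path.abspath(dirpath).lower()
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in ioc_hashes:
                findings.append((path, f"sha256 matches IoC {digest}"))
            if name.lower() in watched and not any(ldir.startswith(d) for d in expected_dirs):
                findings.append((path, f"watched DLL name {name} outside expected "
                                       "directories (sideloading candidate)"))
    return findings


# Constructed, harmless placeholder bytes standing in for a sideloaded DLL.
# Its hash is added to the IoC set at demo time only to show a hash hit.
SAMPLE_DLL_BYTES = b"MZ constructed placeholder, not a real PE\n"


def demo():
    """Build a constructed directory tree, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="dreamloader_demo_")
    drop = os.path.join(root, "Users", "Public", "Libraries")  # a typical writable drop dir
    os.makedirs(drop)
    with open(os.path.join(drop, "TSVIPSrv.dll"), "wb") as f:
        f.write(SAMPLE_DLL_BYTES)
    with open(os.path.join(drop, "notes.txt"), "wb") as f:
        f.write(b"benign file, should not be flagged\n")
    return scan(root, ioc_hashes=IOC_SHA256 | {sha256_hex(SAMPLE_DLL_BYTES)})


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

The name check is deliberately kept separate from the hash check: a recompiled loader changes its hash but usually keeps the DLL name the sideloading host expects, so the name-in-unexpected-place rule survives trivial rebuilds. On a real host, pair it with a look at which signed executable sits in the same directory as the flagged DLL.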