Intel Name: Pain in the mist navigating dreamjob arsenal
Date of Scan: November 25, 2025
Impact: Medium
Summary: In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely the work of the North Korea–linked group UNC2970, consistent with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor. The intrusion exhibited hallmark UNC2970 tactics, including job-themed lures, infrastructure hosted on compromised SharePoint and WordPress sites, deployment of a trojanized PDF reader, and targeting of large multinational organizations in the technology and manufacturing sectors.