From Dream Job to Malware: DreamLoaders in Recent Campaign

Oct. 27, 2025, 10:55 a.m.

Description

An analysis of the Lazarus group's Dream Job campaign reveals sophisticated malware deployment strategies. The group uses a family of loaders, dubbed 'DreamLoaders', to deliver different payloads. Key components include a trojanized TightVNC client, DLL loaders executed through sideloading, and TSVIPSrv.dll, a loader identified on compromised servers. The campaign aims to harvest credentials from the administrators of targeted organizations. The malware authenticates to Microsoft tenants, retrieves SharePoint server URLs, and loads encrypted payloads from there. The modular design of the loaders allows payloads to be swapped without changing the delivery chain. The investigation highlights the group's use of legitimate system binaries, encrypted payloads, and stealthy techniques to evade detection.
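The description mentions DLL loaders executed through sideloading and a loader DLL (TSVIPSrv.dll) found in place on compromised servers. The triage logic below is an added example written for this page, not code from the report or from the campaign analysis: it runs three checks a hunter would apply to Sysmon Event ID 7 (ImageLoad) style records: a loaded DLL whose file name matches a loader named in the report, a system binary loading a DLL from outside the Windows directory (the classic sideloading shape), and a DLL inside System32 that does not carry a Microsoft signature (a planted file with a legitimate-looking name). The loader file names come from the page; the record layout, process names, paths and signer strings are constructed sample data and are not indicators from the report.

```python
"""Triage Sysmon-style ImageLoad records for DLL sideloading (constructed example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names taken from the report summary. Everything else in this block is assumed.
REPORTED_LOADERS = {"tsvipsrv.dll", "hidefirstletter.dll"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Subject names that Microsoft-signed OS binaries commonly carry (assumption for the demo).
MS_SIGNERS = {"microsoft windows", "microsoft corporation"}


@dataclass(frozen=True)
class ImageLoad:
    """Minimal shape of a Sysmon Event ID 7 record: loading process, DLL, signature state."""
    process: str        # full path of the process that loaded the image
    image_loaded: str   # full path of the DLL
    signed: bool        # Sysmon 'Signed' field
    signer: str = ""    # Sysmon 'Signature' (subject) field


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_windows_dir(path: str) -> bool:
    return _parent_dir(path) in WINDOWS_DIRS


def is_microsoft_signed(ev: ImageLoad) -> bool:
    return ev.signed and ev.signer.lower() in MS_SIGNERS


def triage(ev: ImageLoad) -> list[str]:
    """Return the list of reasons an image load is suspicious (empty when clean)."""
    reasons = []
    name = _file_name(ev.image_loaded)
    if name in REPORTED_LOADERS:
        reasons.append(f"loader file name from report: {name}")
    # Sideloading: a trusted binary under System32 resolves a DLL from an attacker-writable location.
    if in_windows_dir(ev.process) and not in_windows_dir(ev.image_loaded):
        reasons.append("system binary loaded a DLL from outside the Windows directory")
    # Planted DLL: anything living in System32 is expected to be Microsoft-signed.
    if in_windows_dir(ev.image_loaded) and not is_microsoft_signed(ev):
        reasons.append("DLL in Windows directory is not signed by Microsoft")
    return reasons


def hunt(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its reasons; clean loads are omitted."""
    findings = {}
    for ev in events:
        reasons = triage(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample records (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\TSVIPSrv.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\Sample\HideFirstLetter.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True, "Vendor Ltd"),
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The signer check is deliberately a coarse subject-name match; in production, compare against the signature validity field as well, since Sysmon reports the subject even for revoked or invalid chains.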

Date

  • Created: Oct. 27, 2025, 10:10 a.m.
  • Published: Oct. 27, 2025, 10:10 a.m.
  • Modified: Oct. 27, 2025, 10:55 a.m.

Attack Patterns

  • HideFirstLetter.dll
  • TSVIPSrv.dll
  • DreamLoaders
  • Lazarus