Campaign · all campaigns
Operation Dream JobC0022 state
🇰🇵 KP · RGB · Bureau 121 / Lab 110
aka Operation Dream Job, Operation North Star, Operation Interception
Run by Lazarus Group
Last updated: 2026-07-03
About this actor
[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 2 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
CVE-2026-31635 | 5.5 | 7.5 | 0.0082 | 2026-04-24 | see CVE |
CVE-2026-45585 | 3.5 | 6.8 | 0.0125 | 2026-05-20 | see CVE |
CVE-2018-2025010 | 0.0 | 0.0 | 0.0000 | see CVE |
T1005T1027T1027.002T1027.013T1036T1036.008T1041T1047T1053T1053.005T1059T1059.001T1059.003T1059.005T1070T1070.004T1071T1071.001T1083T1087T1087.002T1105T1106T1110T1204T1204.001T1204.002T1218T1218.010T1218.011T1220T1221T1497T1497.001T1497.003T1505T1505.004T1534T1547T1547.001T1553T1553.002T1560T1560.001T1566T1566.001T1566.002T1566.003T1567T1567.002T1573T1573.001T1583T1583.001T1583.004T1583.006T1584T1584.001T1584.004T1585T1585.001T1585.002T1587T1587.001T1587.002T1588T1588.002T1588.003T1589T1591T1591.004T1593T1593.001T1608T1608.001T1608.002T1614T1614.001T1622T1684T1684.001
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
SI-4 | 42 / 81 | 52% |
SI-3 | 33 / 81 | 41% |
CM-2 | 32 / 81 | 40% |
CM-6 | 32 / 81 | 40% |
CM-7 | 25 / 81 | 31% |
CA-7 | 24 / 81 | 30% |
SC-7 | 22 / 81 | 27% |
AC-3 | 19 / 81 | 23% |
AC-6 | 19 / 81 | 23% |
SI-7 | 19 / 81 | 23% |
AC-2 | 18 / 81 | 22% |
AC-4 | 18 / 81 | 22% |
SI-10 | 15 / 81 | 19% |
SI-2 | 14 / 81 | 17% |
RA-5 | 13 / 81 | 16% |
Co-occurring actors
- IndigoZebra 2 shared CVEs
- Threat Group-3390 2 shared CVEs
Similar actors
Similar TTPs
- Mustang Panda 0.36
- Contagious Interview 0.36
- Kimsuky 0.33
- Sandworm Team 0.31
- Magic Hound 0.31
Overlapping CVEs
- IndigoZebra 0.67
- Threat Group-3390 0.33
Active in same years
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
- APT12 1.00
Same nation-state
- 3CX Supply Chain Attack 1.00
- Lazarus Group 1.00
- APT37 1.00
- APT38 1.00
- Kimsuky 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Ghost 1.00