Operation DreamJob: New Malware Variants Uncovered in 2025 Attack
Orange Cyberdefense’s CyberSOC and CSIRT teams have identified a new wave of Operation DreamJob attacks, featuring updated and highly evasive malware variants linked to a known threat actor. The campaign, observed in August 2025, targeted a subsidiary of a major manufacturing company using a fraudulent job offer delivered over WhatsApp. The intrusion began with a WhatsApp message leading to a malicious PDF and a trojanized DLL, initiating an attack chain consistent with previous DreamJob activity. The attack involved sophisticated malware families such as BURNBOOK and MISTPEN, whose updated variants reflect a significant evolution in tactics. The threat actors carried out extensive hands-on-keyboard activity, compromising administrative accounts and deploying advanced malware for data exfiltration.