Operation DreamJob Evolves: New Malware Variants Uncovered

Cyber Security News by CyberSum.net
Orange Cyberdefense’s CyberSOC and CSIRT teams have identified a new wave of Operation DreamJob attacks, revealing updated and highly evasive malware variants linked to a threat actor. The campaign, observed in August 2025, targeted a subsidiary of a major manufacturing company and leveraged a fraudulent job offer delivered over WhatsApp. The report highlights significant evolution in the malware families involved, particularly BURNBOOK and MISTPEN, which are long-standing components of the threat actor's toolkit. The attackers gained a foothold through a ZIP archive containing a malicious PDF and a trojanized DLL, leading to continuous hands-on-keyboard activity and lateral movement across several servers.