Looking for Malicious Clues from Thousands of Job-Related Domains | WhoisXML API

Threat Reports

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).1

To help the cybersecurity community detect traces of Operation Dream Job, WhoisXML API researchers gathered and analyzed employment-related domains for possible connections to the threat. Our findings include:

  • 16,000+ job-related domains added since 1 January 2022
  • 700+ domains that could potentially be impersonating top job-hunting sites, including Glassdoor, Indeed, LinkedIn, and Zip Recruiter
  • 500+ domains that share the domain IoCs’ critical WHOIS information
  • 55+ domains that have been tagged “malicious” by malware engines

Download the threat research materials to access a sample of the data related to possible Operation Dream Job domains that could be used to lure individuals looking for jobs.


  • [1] https://blog.google/threat-analysis-group/countering-threats-north-korea/
Try our WhoisXML API for free
Get started