At the Security Analyst Summit in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) unveiled the latest BlueNoroff APT activity through two highly targeted malicious campaigns ‘GhostCall’ and ‘GhostHire’. The ongoing operations have been targeting Web3 and cryptocurrency organisations across India, Turkiye, Australia and other countries in Europe and Asia since at least April 2025.
BlueNoroff, a subdivision of the notorious Lazarus group, continues to expand its signature ‘SnatchCrypto’ campaign, a financially motivated operation which targets crypto industries worldwide. The newly described GhostCall and GhostHire campaigns employ new infiltration techniques and customised malware to compromise blockchain developers and executives. These attacks affect macOS and Windows systems as primary targets and are managed through a unified command-and-control infrastructure.
The GhostCall campaign focuses on macOS devices, beginning with a highly sophisticated and personalised social engineering attack. The attackers reach out via Telegram, impersonating venture capitalists and in some cases using compromised accounts of real entrepreneurs and startup founders to promote investment or partnership opportunities. The victims are invited to fake investment meetings on phishing sites mimicking Zoom or Microsoft Teams during which they are prompted to “update” their client to fix an audio issue, this action downloads a malicious script and deploys a malware infection on the device.
“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organisations and users,” comments Sojun Ryu, security researcher at Kaspersky GReAT.
Attackers deployed seven multi-stage execution chains, four which were previously unseen, to distribute a range of new customised payloads, including crypto stealers, browser credential stealers, secrets stealer, and Telegram credential stealers.
In the GhostHire campaign the APT targets blockchain developers by posing as recruiters. Victims are tricked into downloading and running a GitHub repository containing malware, presented as a skill assessment. GhostHire shares its infrastructure and tools with the GhostCall campaign, but instead of using video calls, it focuses on approaching hands-on developers and engineers through fake recruitment. After initial contact, victims are added to a Telegram bot that delivers either a ZIP file or a GitHub link, along with a short deadline to complete the task. Once executed, the malware installs itself on the victim’s machine, customised for the operating system.
The use of generative AI has enabled BlueNoroff to accelerate malware development and refine its attack techniques. The attackers introduced new programming languages and added additional features, complicating detection and analysis tasks. It further enables the actor to manage and expand its operations, increasing both the complexity and scale of attacks.
“Since its previous campaigns, the threat actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting. By combining compromised data with AI’s analytical capabilities, the scope of these attacks has expanded. We hope our research will contribute to preventing further harm,” comments Omar Amin, senior security researcher at Kaspersky GReAT.
To stay protected from attacks such as GhostCall and GhostHire, organisations are advised to follow these best practices:
- Be cautious with generous offers and investment proposals. Verify the identity of every new contact, especially those reaching out via Telegram, LinkedIn, or other social platforms. Use verified and secure corporate channels for all sensitive communications.
- Consider the possibility that a trusted contact’s account may be compromised. Verify identities through alternative channels before opening any files and links, always ensuring you are on an official domain. Avoid running unverified scripts or commands to resolve issues.
- To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.
- Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and / or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and provide additional expertise even if a company lacks cybersecurity workers.
- Provide your InfoSec professionals with an in-depth visibility into cyberthreats targeting your organisation. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and helps them identify cyber risks in a timely manner.
More information, together with the indicators of compromise, is available in a report on Securelist.com
