Kaspersky’s Global Research and Analysis Team (GReAT) has revealed the latest BlueNoroff APT activity through two highly targeted malicious campaigns – “GhostCall” and “GhostHire” – targeting Web3 and cryptocurrency organisations across India, Turkiye, Australia, and other countries in Europe and Asia since at least April this year.
BlueNoroff, a sub-division of the notorious Lazarus group, continues to expand its signature “SnatchCrypto” campaign – a financially motivated operation which targets crypto industries worldwide. The newly described GhostCall and GhostHire campaigns employ new infiltration techniques and customised malware to compromise blockchain developers and executives. These attacks primarily target macOS and Windows systems and are managed through a unified command-and-control infrastructure.
The GhostCall campaign focuses on macOS devices, beginning with a highly sophisticated and personalised social engineering attack. The attackers reach out via Telegram impersonating venture capitalists, in some cases using compromised accounts of real entrepreneurs and startup founders, to promote investment or partnership opportunities. The victims are invited to fake investment meetings on phishing sites mimicking Zoom or Microsoft Teams, during which they are prompted to “update” their client to fix an audio issue. This action downloads a malicious script and deploys malware on the device.
“This campaign relies on deliberate and carefully planned deception,” says Sojun Ryu, security researcher at Kaspersky GReAT. “Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim, but also exploited to enable subsequent supply-chain attacks, leveraging established trust relationships to compromise a broader range of organisations and users.”
Attackers deployed seven multi-stage execution chains – four of which were previously unseen – to distribute a range of new customised payloads, including crypto stealers, browser credential stealers, secrets stealers, and Telegram credential stealers.
In the GhostHire campaign, the APT targets blockchain developers by posing as recruiters. Victims are tricked into downloading and running a GitHub repository containing malware presented as a skill assessment. GhostHire shares its infrastructure and tools with the GhostCall campaign, but instead of using video calls it approaches hands-on developers and engineers through fake recruitment.
After initial contact, victims are added to a Telegram bot that delivers either a ZIP file or a GitHub link, along with a short deadline to complete the task. Once executed, the malware installs itself on the victim’s machine, customised for the operating system.
The use of generative AI has enabled BlueNoroff to accelerate malware development and refine its attack techniques. The attackers introduced new programming languages and added features, complicating detection and analysis. Generative AI further enables the actor to manage and expand its operations, increasing both the complexity and scale of attacks.
“Since its previous campaigns, the threat actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft,” says Omar Amin, senior security researcher at Kaspersky GReAT. “The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting.”
“By combining compromised data with AI’s analytical capabilities, the scope of these attacks has expanded,” adds Amin. “We hope our research will contribute to preventing further harm.”
