Researchers Expose Ghostcall And Ghosthire: Bluenoroff's New M...

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire.

According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.

Victims of the GhostCall campaign span several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, whereas Japan and Australia have been identified as the major hunting grounds for the GhostHire campaign.

"GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites," Kaspersky researchers Sojun Ryu and Omar Amin said.

"The victim would join a fake call with genuine recordings of this threat's other actual victims rather than deepfakes. The call proceeds smoothly to then encourages the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host."

On the other hand, GhostHire involves approaching prospective targets, such as Web3 developers, on Telegram and luring them into downloading and executing a booby-trapped GitHub repository under the pretext of completing a skill assessment within 30 minutes of sharing the link, so as to ensure a higher success rate of infection.

Once installed, the project is designed to download a malicious payload onto the developer's system based on the operating system used. The Russian cybersecurity company said it has been keeping tabs on the two campaigns since April 2025, although it's assessed that GhostCall has been active since mid-2023, likely following the RustBucket campaign.

RustBucket marked the adversarial collective's major pivot to targeting macOS systems, following which other campaigns have leveraged malware families like KANDYKORN, ObjCShellz, and TodoSwift.

It's worth noting that various aspects of the activity have been documented extensively over the past year by multiple security vendors, including Microsoft, Huntress, Field Effect, Hun

Source: The Hacker News