At the Security Analyst Summit in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) revealed the latest BlueNoroff APT activity, detailing two highly targeted malicious campaigns: GhostCall and GhostHire. These operations have been targeting Web3 and cryptocurrency organizations across India, Turkey, Australia, and other countries in Europe and Asia since at least April 2025.
BlueNoroff Expands SnatchCrypto Campaign
BlueNoroff, a subdivision of the notorious Lazarus Group, continues to expand its signature SnatchCrypto campaign, a financially motivated operation targeting crypto industries worldwide. The newly described GhostCall and GhostHire campaigns employ advanced infiltration techniques and customized malware to compromise blockchain developers and executives. Both macOS and Windows systems are primary targets, managed through a unified command-and-control infrastructure.
GhostCall: Sophisticated macOS Attacks
The GhostCall campaign focuses on macOS devices, starting with highly personalized social engineering attacks. Attackers reach out via Telegram, impersonating venture capitalists or even using compromised accounts of real entrepreneurs and startup founders. Victims are invited to fake investment meetings on phishing sites mimicking Zoom or Microsoft Teams. During these meetings, users are prompted to “update” their client to fix an audio issue, which downloads a malicious script and installs malware.
“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected is then used to enable subsequent supply-chain attacks,” said Sojun Ryu, Security Researcher at Kaspersky GReAT.
The attackers deployed seven multi-stage execution chains, four of them previously unseen, distributing a range of new customized payloads: crypto stealers, browser credential stealers, secrets stealers, and Telegram credential stealers.
GhostHire: Targeting Blockchain Developers
In the GhostHire campaign, BlueNoroff targets blockchain developers by posing as recruiters. Victims are tricked into downloading and running malware disguised as a GitHub repository skill assessment. GhostHire shares infrastructure and tools with GhostCall but focuses on hands-on developers and engineers, delivering malware via Telegram bots containing ZIP files or GitHub links with tight deadlines. The malware installs itself according to the victim’s operating system.
AI-Driven Malware Escalation
BlueNoroff leverages generative AI to accelerate malware development and refine attack techniques. The adoption of new programming languages and additional malware features increases the complexity and scale of the attacks, complicating detection and analysis.
“Since previous campaigns, the actor’s targeting strategy has evolved beyond simple crypto and browser credential theft. AI has accelerated malware development, reduced operational overhead, and expanded the scope of attacks by combining compromised data with analytical capabilities,” said Omar Amin, Senior Security Researcher at Kaspersky GReAT.
Best Practices to Mitigate GhostCall and GhostHire
Organizations are advised to follow these measures:
- Verify the identity of every new contact, especially on Telegram, LinkedIn, or other social platforms, and use secure corporate channels for sensitive communication.
- Consider the possibility of compromised accounts; verify identities through alternative channels before opening files or running scripts.
- Deploy Kaspersky Next solutions for real-time protection, EDR/XDR visibility, investigation, and response.
- Adopt managed security services such as Compromise Assessment, Managed Detection and Response (MDR), and Incident Response.
- Provide InfoSec teams with Kaspersky Threat Intelligence for full incident lifecycle visibility and timely identification of cyber risks.