Kaspersky: BlueNoroff targets executives on Windows and macOS using AI-driven tools


(MENAFN- Golin Mena) October 29, 2025

At the Security Analyst Summit in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) unveiled the latest BlueNoroff APT activity through two highly targeted malicious campaigns ‘GhostCall’ and ‘GhostHire’. The ongoing operations have been targeting Web3 and cryptocurrency organizations across India, Turkiye, Australia and other countries in Europe and Asia since at least April 2025.

BlueNoroff, a subdivision of the notorious Lazarus group, continues to expand its signature ‘SnatchCrypto’ campaign, a financially motivated operation which targets crypto industries worldwide. The newly described GhostCall and GhostHire campaigns employ new infiltration techniques and customized malware to compromise blockchain developers and executives. These attacks affect macOS and Windows systems as primary targets and are managed through a unified command-and-control infrastructure.

The GhostCall campaign focuses on macOS devices, beginning with a highly sophisticated and personalized social engineering attack. The attackers reach out via Telegram, impersonating venture capitalists and in some cases using compromised accounts of real entrepreneurs and startup founders to promote investment or partnership opportunities. The victims are invited to fake investment meetings on phishing sites mimicking Zoom or Microsoft Teams, during which they are prompted to “update” their client to fix an audio issue. This action downloads a malicious script and deploys a malware infection on the device.

“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organizations and users,” comments Sojun Ryu, security researcher at Kaspersky GReAT.

Attackers deployed seven multi-stage execution chains, four of which were previously unseen, to distribute a range of new customized payloads, including crypto stealers, browser credential stealers, secret stealers, and Telegram credential stealers.

In the GhostHire campaign the APT targets blockchain developers by posing as recruiters. Victims are tricked into downloading and running a GitHub repository containing malware, presented as a skill assessment. GhostHire shares its infrastructure and tools with the GhostCall campaign, but instead of using video calls, it focuses on approaching hands-on developers and engineers through fake recruitment. After initial contact, victims are added to a Telegram bot that delivers either a ZIP file or a GitHub link, along with a short deadline to complete the task. Once executed, the malware installs itself on the victim’s machine, customized for the operating system.
