At the Security Analyst Summit in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) revealed the latest wave of BlueNoroff APT activity through two newly identified campaigns — GhostCall and GhostHire. The sophisticated operations, active since at least April 2025, have been targeting Web3 and cryptocurrency organisations across India, Turkiye, Australia, and multiple countries in Europe and Asia.
BlueNoroff, a subdivision of the notorious Lazarus Group, has expanded its long-running SnatchCrypto campaign — a financially motivated initiative targeting the global crypto industry. The new GhostCall and GhostHire operations employ advanced infiltration techniques and custom-built malware designed to compromise blockchain developers and executives on macOS and Windows systems through a unified command-and-control infrastructure.
The GhostCall campaign primarily targets macOS users, beginning with highly personalised social engineering attacks. Threat actors initiate contact through Telegram, impersonating venture capitalists and, in some cases, using compromised accounts of real entrepreneurs to promote false investment or partnership opportunities. Victims are invited to fake investment meetings on phishing websites that mimic Zoom or Microsoft Teams, where they are prompted to “update” their client — triggering the download of a malicious script.
“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organisations and users,” comments Sojun Ryu, security researcher at Kaspersky GReAT.
The investigation revealed seven multi-stage execution chains, four of which were previously unknown, distributing customised payloads such as crypto stealers, browser credential stealers, secrets stealers, and Telegram credential stealers.
In contrast, the GhostHire campaign targets blockchain developers through fake recruitment schemes. Posing as recruiters, attackers send victims GitHub repositories containing malware disguised as coding assessments. The campaign shares infrastructure and tools with GhostCall but relies on Telegram bots to deliver ZIP files or GitHub links with short completion deadlines. Once executed, the malware installs itself based on the operating system, providing attackers with persistent access.
The use of generative AI has significantly enhanced BlueNoroff’s ability to scale and refine its attack methodologies. The group has adopted new programming languages, introduced additional malware features, and leveraged AI to analyse stolen data and identify high-value targets.
“Since its previous campaigns, the threat actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting. By combining compromised data with AI’s analytical capabilities, the scope of these attacks has expanded. We hope our research will contribute to preventing further harm,” comments Omar Amin, senior security researcher at Kaspersky GReAT.
To defend against campaigns like GhostCall and GhostHire, Kaspersky recommends:
- Verifying all investment or recruitment proposals and confirming the identity of contacts via trusted corporate channels.
- Treating all unsolicited communication with caution, even from known contacts, as their accounts may be compromised.
- Using comprehensive security solutions such as Kaspersky Next, which provides EDR/XDR capabilities for real-time protection and visibility.
- Leveraging managed services like Kaspersky Managed Detection and Response (MDR), Incident Response, and Compromise Assessment to strengthen security operations.
- Equipping InfoSec teams with Kaspersky Threat Intelligence for actionable insights and early risk detection.
Kaspersky’s latest findings underline the growing convergence of AI and cybercrime — and the escalating risks facing the Web3 and digital asset sectors.