Researchers at Kaspersky Lab reported new targeted attacks by the BlueNoroff group. The malicious GhostCall and GhostHire campaigns have been observed since April 2025, and their targets include cryptocurrency and Web3 organizations in India, Turkey, Australia, and other countries in Europe and Asia.
Researchers report that BlueNoroff (part of the North Korean Lazarus hacking group) continues to expand its SnatchCrypto campaign. It targets organizations that work with cryptocurrencies, smart contracts, DeFi services, blockchain, and the fintech industry. In GhostCall and GhostHire, new intrusion techniques and specialized malware are used to compromise developers and executives of blockchain projects.
GhostCall
The campaign targets devices running macOS and begins with a sophisticated, personalized social-engineering attack.
Attackers contact victims via Telegram, posing as venture investors. In some cases, they use compromised accounts of real entrepreneurs and startup founders. Victims are invited to fake investment meetings on phishing sites that mimic Zoom or Microsoft Teams.
During such meetings, users are asked to “update” the client application to fix an audio issue. In reality, this leads to the download of a malicious script and the device being infected with malware.
“The campaign was built on a meticulously planned deception. During staged meetings, the attackers played videos featuring previous victims to make it look like a real live call. This allowed them to manipulate new potential victims. The collected data was used not only against the initial victim but also in supply-chain attacks. The attackers leveraged established trust relationships to compromise a broader range of organizations and users,” explains Sojun Ryu, a Kaspersky GReAT expert.
As part of the GhostCall campaign, the attackers distributed new malware, including tools for stealing cryptocurrency, sensitive data, and browser and Telegram credentials, via seven multi-stage attack chains, four of which were previously unknown to security researchers.
GhostHire
This campaign targets blockchain developers: attackers gain their trust by posing as recruiters. The victims are tricked—under the guise of a skills assessment test—into downloading and running a repository from GitHub that hides malware inside.
The GhostHire and GhostCall campaigns share the same infrastructure and tools, but in GhostHire the attackers use fake job postings instead of video calls. If a victim connects to the Telegram bot linked in the posting, they receive a ZIP file or a link to GitHub.
It is noted that the attackers pressure the developer to open the received files as quickly as possible by allowing very little time to complete the task. If the victim takes the bait, malware is installed on their device.
Experts report that the use of generative AI enables BlueNoroff to accelerate malware development and refine its attack techniques while expanding their scale. For example, the attackers have adopted new programming languages and added new features to their tools, complicating detection and analysis.
“Unlike previous campaigns, this time the attackers aren’t just stealing cryptocurrency and browser credentials. Generative AI allows them to obtain and analyze the information they need faster, which in turn lets them target more precisely and expand the scale of their attacks. We hope our research will help prevent further damage,” says Omar Amin, a senior expert at Kaspersky GReAT.