At the Security Analyst Summit in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) unveiled the latest BlueNoroff APT activity through two highly targeted malicious campaigns, ‘GhostCall’ and ‘GhostHire’. The ongoing operations have been targeting Web3 and cryptocurrency organizations across India, Turkey, Australia and other countries in Europe and Asia since at least April 2025, a press release said.
BlueNoroff, a Lazarus subgroup, expanded its SnatchCrypto campaign through GhostCall and GhostHire, targeting blockchain developers and executives on macOS and Windows. GhostCall uses advanced social engineering via Telegram, impersonating venture capitalists to lure victims into fake meetings on phishing sites, prompting “updates” that install malware and enable system compromise.
“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organizations and users,” comments Sojun Ryu, security researcher at Kaspersky GReAT.
Attackers used seven multi-stage execution chains, including four novel ones, to deploy bespoke crypto stealers, browser and secrets stealers, and Telegram credential stealers. GhostHire lures developers with GitHub challenges sent by fake recruiters; GhostCall uses phishing video-call “updates.” BlueNoroff leverages generative AI to speed development, add languages and features, and aggressively scale operations globally.
“Since its previous campaigns, the threat actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting. By combining compromised data with AI’s analytical capabilities, the scope of these attacks has expanded. We hope our research will contribute to preventing further harm,” comments Omar Amin, senior security researcher at Kaspersky GReAT.


