Kaspersky researchers have identified two coordinated BlueNoroff operations—GhostCall and GhostHire—active since April 2025 and aimed primarily at cryptocurrency and Web3 companies in India, Turkey, Australia, and multiple countries across Europe and Asia. The threat actor blends persuasive social engineering with multi‑stage delivery chains to compromise macOS endpoints and exfiltrate digital assets and credentials.
BlueNoroff’s evolution: from SnatchCrypto to macOS developer targeting
BlueNoroff is widely tracked as a sub‑cluster of the North Korean Lazarus Group and is known for the SnatchCrypto campaign targeting firms involved in cryptocurrencies, smart contracts, DeFi, blockchain infrastructure, and fintech. According to Kaspersky, the group is increasingly prioritizing the compromise of blockchain developers and project leaders, deploying specialized loaders and modular implants designed to steal funds and pivot deeper into organizational infrastructure.
Social engineering: Telegram outreach and staged Zoom/Teams “updates”
The intrusion typically starts with spear‑phishing over Telegram, where operators pose as venture investors. In some cases, compromised accounts of legitimate entrepreneurs are used to increase credibility. Targets are directed to counterfeit pages spoofing Zoom or Microsoft Teams for “investment meetings.” During a staged call, the victim is prompted to “update the client” to fix audio, which actually triggers a script that delivers the malware.
Researchers note a sophisticated touch: attackers may insert video snippets of prior victims to simulate a live conversation. Information gleaned from these interactions is then leveraged to conduct supply‑chain expansion, widening reach to partners and adjacent organizations that trust the initial victim.
GhostCall vs. GhostHire: shared tooling, distinct lures
Both campaigns appear to share infrastructure and tooling but differ in initial approach. GhostCall uses the investor‑meeting lure described above; within it Kaspersky observed seven multi‑stage infection chains, four of them previously undocumented. GhostHire targets blockchain developers: adversaries pose as recruiters, offer a “test assignment,” and pressure candidates to clone and run a GitHub repository seeded with malicious code.
GhostHire’s delivery starts from fake job postings. Candidates are funneled to a Telegram bot that hands out a ZIP archive or a GitHub link, and artificial time pressure nudges them to open the files without due diligence. The end goal on macOS is the same in both campaigns: deploy malware that steals cryptocurrency, secrets, and credentials from browsers and Telegram, enabling account takeover and fund diversion.
Generative AI as a force multiplier for malware development
Kaspersky’s GReAT team assesses that BlueNoroff is actively leveraging generative AI to accelerate malware R&D. By integrating new programming languages and features, the group complicates static and behavioral analysis, rapidly tunes lures for specific targets, scales operations, and adapts tactics swiftly when defenses detect activity.
Defensive guidance for crypto and Web3 organizations
Validate counterparties via a second channel. Confirm the identity of “investors” or “recruiters” through official domains or verified contacts. Avoid external meeting links and unsolicited “client updates.”
Lock down macOS software installation. Enforce MDM and configuration profiles to block unsigned apps and restrict software sources to Apple or vetted vendors. Maintain patch hygiene across browsers, wallet extensions, and developer tools.
Isolate developer workflows. Execute “test tasks” in disposable, isolated environments (containers or VMs) with tokens and wallets disabled. Apply least‑privilege, secrets management, and code‑signing verification for third‑party repositories.
Harden communications and detection. Monitor Telegram links and shorteners, block spoofed Zoom/Teams domains, and deploy EDR/XDR with robust macOS telemetry and behavior analytics.
Protect identities and assets. Use FIDO2 hardware keys for SSO, segment wallets, enforce MFA, and monitor for anomalous access and high‑risk transactions.
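Two of the controls above can be scripted. The Python below is an added example, not code from Kaspersky or from the article: `classify_meeting_link` checks a meeting URL against an allowlist of genuine Zoom/Teams hosts and flags brand lookalikes (the spoofed pages of the GhostCall lure), and `audit_repo` scans a cloned “test assignment” for install‑time hooks and staging commands before anyone runs it (the GhostHire repository). The host list, the regex patterns, and the mock repository that `run_demo` builds are constructed assumptions for illustration, not indicators taken from the report.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Hosts on which genuine Zoom / Microsoft Teams meeting links live.
# Assumption: extend for your tenant (vanity subdomains such as
# company.zoom.us already pass via the suffix match below).
MEETING_HOSTS = {"zoom.us", "teams.microsoft.com", "teams.live.com"}

# Install-time hooks that run code merely by installing a Node project.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Constructed patterns for code that stages or executes something at build
# or install time. Tune to your stack; hits are review prompts, not verdicts.
SHELL_PATTERNS = [
    re.compile(r"curl\s[^|\n]*\|\s*(ba)?sh"),            # curl ... | sh
    re.compile(r"base64\s+(-d|--decode)"),                # decode-then-run staging
    re.compile(r"osascript\s+-e"),                        # inline AppleScript on macOS
    re.compile(r"\beval\s*\("),                           # eval of assembled strings
    re.compile(r"xattr\s+-d\s+com\.apple\.quarantine"),   # stripping Gatekeeper quarantine
]
SCANNED_SUFFIXES = {".sh", ".js", ".ts", ".py", ".json", ".yml", ".yaml", ".toml"}


def classify_meeting_link(url: str) -> str:
    """Return 'allowed', 'lookalike' or 'unknown' for a meeting URL.

    A host is allowed only if it equals an allowlisted host or is a subdomain
    of one (suffix match on a dot boundary). Hosts that merely contain a brand
    name (zoom-us.com, zoom.us.meet-invite.io) are flagged as lookalikes.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for good in MEETING_HOSTS:
        if host == good or host.endswith("." + good):
            return "allowed"
    if "zoom" in host or "teams" in host:
        return "lookalike"
    return "unknown"


def audit_repo(root: str) -> list[dict]:
    """Walk a cloned repository and return findings to review before running
    anything. Each finding: {'file': ..., 'kind': ..., 'detail': ...}."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == "package.json":
            try:
                data = json.loads(text)
            except json.JSONDecodeError:
                data = None
                findings.append({"file": rel, "kind": "unparseable",
                                 "detail": "package.json is not valid JSON"})
            scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
            for hook, cmd in scripts.items():
                if hook in NPM_HOOKS:
                    findings.append({"file": rel, "kind": "npm-lifecycle-hook",
                                     "detail": f"{hook}: {cmd}"})
        if path.name in ("setup.py", "Makefile") or path.suffix in SCANNED_SUFFIXES:
            for pat in SHELL_PATTERNS:
                m = pat.search(text)
                if m:
                    findings.append({"file": rel, "kind": "suspicious-command",
                                     "detail": m.group(0)})
    return findings


def build_sample_repo(root: str) -> None:
    """Write a constructed mock 'test assignment' into root (demo data only)."""
    r = Path(root)
    (r / "src").mkdir(parents=True, exist_ok=True)
    (r / "scripts").mkdir(exist_ok=True)
    (r / "package.json").write_text(json.dumps({
        "name": "trading-bot-assignment",
        "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    }))
    # Payload that decodes a string and eval()s it: the shape to catch.
    (r / "scripts" / "setup.js").write_text(
        'const p = Buffer.from("Y29uc29sZS5sb2coMSk=", "base64");\n'
        'eval(p.toString());\n')
    (r / "src" / "index.js").write_text("console.log('hello');\n")


def run_demo() -> list[dict]:
    """Build the mock repo in a throwaway directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_repo(d)
        return audit_repo(d)


if __name__ == "__main__":
    for u in ("https://us02web.zoom.us/j/123", "https://zoom-us.com/update"):
        print(u, "->", classify_meeting_link(u))
    for f in run_demo():
        print(f"{f['kind']:22} {f['file']}: {f['detail']}")
```

The link check is deliberately strict: anything that is not a subdomain of an allowlisted host is refused, so a counterfeit “update the client” page on a lookalike domain never gets a pass just because it says Zoom. The repository audit runs before `npm install` or any build step, in the disposable environment the guidance above recommends; a hit on `eval(` in a legitimate project is expected noise, and the point is that a human reads the findings before anything executes with access to tokens or wallets.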
The GhostCall and GhostHire activity underscores a mature blend of social engineering and technical tradecraft against the macOS ecosystem and the crypto sector. With adversaries exploiting trust relationships and using generative AI to iterate quickly, crypto and Web3 organizations should revisit counterpart verification, software‑installation policies, and developer environment isolation. Early adoption of source‑validation controls, strong authentication, and behavioral detection materially reduces compromise risk and potential loss of digital assets.