Kaspersky Warns of BlueNoroff Attacks on Windows, macOS

Kaspersky’s Global Research and Analysis Team (GReAT) revealed the most recent BlueNoroff APT activity during the Security Analyst Summit in Thailand: two highly targeted malicious campaigns named “GhostCall” and “GhostHire.”

The campaigns have been ongoing since at least April 2025 and have targeted Web3 and cryptocurrency businesses in Turkey, India, Australia, and other European and Asian nations.

BlueNoroff, a part of the infamous Lazarus group, continues to expand its well-known “SnatchCrypto” campaign, a financially motivated operation that targets cryptocurrency markets across the globe.

To compromise blockchain developers and executives, the recently reported GhostCall and GhostHire operations use specialized malware and novel intrusion techniques. These attacks, which are controlled through a single command-and-control infrastructure, primarily target Windows and macOS systems.

The GhostCall campaign, which targets macOS devices, starts with an extremely complex and customized social engineering attack.

The attackers approach targets over Telegram with investment or collaboration opportunities, posing as venture capitalists and, in some cases, using compromised accounts of actual entrepreneurs and startup founders.

Victims are invited to fictitious investment meetings on phishing websites that imitate Zoom or Microsoft Teams, where they are asked to “update” their client to resolve an audio problem. This step downloads a malicious script and infects the device with malware.

“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organizations and users,” comments Sojun Ryu, security researcher at Kaspersky GReAT.