North Korea-aligned threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed “GhostCall” and “GhostHire,” targeting executives, Web3 developers, and blockchain professionals.
According to Kaspersky’s Securelist researchers, the campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and eventually deliver multi-stage malware chains to compromise macOS and Windows hosts.
BlueNoroff is a financially motivated subgroup of the Lazarus Group, North Korea’s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign, of which GhostCall and GhostHire appear to be the latest extensions.
Researchers noted that the new campaigns highlight BlueNoroff’s shift toward modular malware, cross-platform threats, and highly tailored targeting of the blockchain space. The malware samples were written in multiple programming languages, including Go, Rust, Nim, and AppleScript, reflecting an added layer of technical sophistication in the group’s operations.
Compromise through fake “investor meetings”
In the GhostCall campaign, BlueNoroff poses as venture capitalists or startup founders seeking to “invest” in blockchain projects. The attackers set up fake video meetings via platforms like Zoom or Teams, luring victims into a false sense of legitimacy.
During or after these calls, the victim is asked to install a supposed “update” or “plugin” to improve connection quality. The file, of course, is malicious: it triggers a chain of implants such as DownTroy, CosmicDoor, and Rootroy, each performing specialized tasks such as credential theft, keylogging, or persistence.
Once inside the target environment, the malware seeks out crypto wallet data, SSH keys, and project credentials: anything that could enable financial theft or lateral movement within corporate infrastructure. The campaign also deploys exfiltration routines that send sensitive project data back to BlueNoroff’s servers, often obfuscated with custom encryption and encoded in hexadecimal to avoid detection.
Securelist researchers emphasized that GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations. The attackers use multiple layers of staging and dynamic command-and-control switching, allowing the malware to remain dormant until it detects activity in crypto-related directories or developer tools.
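One defensive takeaway from the hexadecimal-encoded exfiltration described above is that long, purely hexadecimal blobs in outbound URLs are easy to spot in proxy telemetry. The script below is an added example written for this article, not code from Kaspersky, Securelist, or the campaign. It assumes a simple constructed proxy log format (timestamp, source host, method, URL, response size) and that exfiltrated data appears as a long hex string in a URL path segment or query value; the hostnames, the log lines, and the decoded contents are all constructed sample data.

```python
"""Flag outbound HTTP requests that carry long hexadecimal-encoded blobs.

Added example for this article; not Kaspersky's or the campaign's code.
Assumes a constructed proxy log: "<ts> <host> <method> <url> <bytes>".
"""
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample log lines (not real telemetry). The two example-c2
# requests carry hex-encoded text that mimics stolen key and file data.
SAMPLE_LOG = """\
2025-05-02T10:01:07Z dev-mac-07 GET https://cdn.example-legit.test/assets/app.js 4102
2025-05-02T10:01:09Z dev-mac-07 GET https://api.example-legit.test/v1/users?id=42&tz=UTC 318
2025-05-02T10:02:41Z dev-mac-07 POST https://updates.example-c2.test/sync?d=7b226b6579223a20222d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d2d2d2d227d 64
2025-05-02T10:03:15Z dev-mac-07 GET https://updates.example-c2.test/s/646174613a2077616c6c65742e6461742c206b6e6f776e5f686f7374732c202e737368 12
2025-05-02T10:04:02Z dev-win-03 GET https://www.example-legit.test/?q=deadbeef 220
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# 64 hex chars = 32 bytes. Git commit hashes (40) and MD5 (32) stay below this,
# which keeps ordinary API traffic from being flagged.
MIN_HEX_LEN = 64


def _hex_tokens(url):
    """Return every path segment or query value that is a long, even-length hex string."""
    parsed = urlparse(url)
    tokens = [seg for seg in parsed.path.split("/") if seg]
    tokens += [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    return [t for t in tokens
            if len(t) >= MIN_HEX_LEN and len(t) % 2 == 0 and HEX_RE.match(t)]


def _preview(hex_token, limit=48):
    """Decode the blob for the analyst; undecodable bytes are replaced, never executed."""
    return bytes.fromhex(hex_token).decode("utf-8", errors="replace")[:limit]


def scan_log(log_text):
    """Return one finding per suspicious hex blob found in the log."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        ts, host, method, url, _size = match.groups()
        for token in _hex_tokens(url):
            findings.append({
                "time": ts,
                "host": host,
                "method": method,
                "dest": urlparse(url).netloc,
                "hex_bytes": len(token) // 2,
                "preview": _preview(token),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} -> {f['dest']} "
              f"({f['hex_bytes']} bytes): {f['preview']!r}")
```

The threshold and the "whole token is hex" rule are deliberately conservative; real deployments would also want to correlate the destination with the dormant-then-active timing the researchers describe, since a burst of such requests from a developer host shortly after a meeting "plugin" install is the pattern worth alerting on.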
Fake recruiters with real malware
The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. Here, BlueNoroff sets up fake developer tasks, often hosted on GitHub or shared via Telegram bots. “Based on historical attack cases of this campaign, we assess with medium confidence that this attack flow involving Telegram and GitHub represents the latest phase, which started no later than April this year,” researchers said.
Victims are told to complete a “coding challenge” for a potential employer, only to receive a ZIP archive or Git repository containing the malware. Once executed, GhostHire deploys system reconnaissance modules that determine the victim’s OS (macOS or Windows) and then selectively download the right payload.
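Because the GhostHire lure arrives as a "coding challenge" archive that the victim is expected to build and run, a quick static triage of the archive before anything in it executes is a practical defensive step. The script below is an added example written for this article, not code from Kaspersky or from the campaign. It assumes the challenge is a plain ZIP and checks three things a reviewer would want to know: members with executable or script extensions (or a Unix execute bit), files shipped inside hidden directories such as a bundled .git/hooks tree, and npm lifecycle hooks that run automatically on `npm install`. The archive it inspects is constructed in memory; every file name and package.json entry in it is sample data, not an artifact from the campaign.

```python
"""Triage a 'coding challenge' ZIP before any of it is built or run.

Added example for this article; not Kaspersky's or the campaign's code.
The sample archive is constructed in memory; its contents are illustrative.
"""
import io
import json
import posixpath
import zipfile

EXEC_SUFFIXES = {".sh", ".command", ".scpt", ".app", ".pkg", ".dmg",
                 ".exe", ".bat", ".cmd", ".ps1", ".vbs"}
# npm runs these automatically during install/pack; "start" and "test" do not.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare",
                 "prepublish", "prepack"}


def build_sample_zip():
    """Construct an in-memory archive shaped like a suspicious take-home task."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("challenge/README.md",
                    "# Take-home task\nRun `npm install` then `npm start`.\n")
        zf.writestr("challenge/src/index.js", "console.log('hello');\n")
        zf.writestr("challenge/package.json", json.dumps({
            "name": "challenge",
            "scripts": {"start": "node src/index.js",
                        "postinstall": "node scripts/setup.js"},
        }))
        zf.writestr("challenge/scripts/setup.js", "// placeholder body\n")
        zf.writestr("challenge/.git/hooks/post-checkout", "#!/bin/sh\n")
        # A shell script with the execute bit set; Unix mode lives in the
        # high 16 bits of external_attr.
        info = zipfile.ZipInfo("challenge/tools/fix-audio.command")
        info.external_attr = 0o755 << 16
        zf.writestr(info, "#!/bin/bash\n")
    return buf.getvalue()


def triage_zip(zip_bytes):
    """Return (member_name, reason) pairs for every member worth a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            parts = name.split("/")
            suffix = posixpath.splitext(name)[1].lower()
            mode = (info.external_attr >> 16) & 0o777
            if suffix in EXEC_SUFFIXES:
                findings.append((name, f"executable/script extension {suffix}"))
            if mode & 0o111:
                findings.append((name, f"unix execute bit set (mode {mode:o})"))
            if any(p.startswith(".") for p in parts[:-1]):
                findings.append((name, "inside a hidden directory"))
            if parts[-1] == "package.json":
                try:
                    pkg = json.loads(zf.read(info))
                except ValueError:
                    findings.append((name, "package.json is not valid JSON"))
                    continue
                scripts = pkg.get("scripts", {}) or {}
                for hook in sorted(NPM_LIFECYCLE & set(scripts)):
                    findings.append(
                        (name, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
    return findings


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

None of these signals is proof of malice on its own (plenty of legitimate projects have a postinstall step), but a take-home task that needs a hidden hook directory or a bundled `.command` file to "fix" something deserves to be opened in an isolated environment, not on the developer's primary machine.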
These payloads share the same modular DNA as GhostCall’s tools, designed to escalate privileges, capture credentials, and open backdoors. Researchers noted that the social engineering component is particularly convincing, with attackers sometimes maintaining week-long correspondence to earn the victim’s trust before deploying the payload. Recently, BlueNoroff and its parent, Lazarus Group, have expanded their operations with the $1.5 billion Bybit heist, npm-supply-chain attacks, and Mac-focused malware targeting blockchain developers.