North Korean APT BlueNoroff Uses AI-Driven Spyware in New 'GhostCall' and 'GhostHire' Campaigns

BlueNoroff APT Targets Web3 and Venture Capital with AI-Enhanced Spyware on Windows and macOS

HIGH
October 28, 2025
Threat Actor, Malware, Phishing

Executive Summary

On October 28, 2025, Kaspersky's GReAT team exposed two new, sophisticated cyber-espionage campaigns, 'GhostCall' and 'GhostHire,' attributed to the North Korean state-sponsored threat actor BlueNoroff (also known as APT38 or Sapphire Sleet). These financially motivated operations target executives and developers in the Web3, cryptocurrency, and venture capital industries. The campaigns demonstrate a significant evolution in the group's tactics, including the use of generative AI for social engineering and malware development, a multi-platform approach targeting both Windows and macOS, and a new suite of custom malware. The ultimate goal is the theft of cryptocurrency and other financial assets.

Threat Overview

BlueNoroff, a subgroup of the infamous Lazarus Group, specializes in financially motivated attacks against financial institutions and the cryptocurrency industry. These new campaigns showcase their refined TTPs:

  • 'GhostCall' Campaign: This campaign targets high-level executives. The attackers impersonate venture capitalists and invite targets to fake online meetings on Zoom or Teams. During the fake call, which may use deepfake or pre-recorded video, the victim is prompted to download a supposed software update, which is actually a malware loader.
  • 'GhostHire' Campaign: This campaign targets developers in the Web3 space with fake job offers and technical assessments, using social engineering to deliver malicious payloads.

Both campaigns leverage a new malware ecosystem designed for espionage and theft. A key finding is BlueNoroff's use of generative AI to speed up the malware creation process, allowing them to produce more varied and efficient tools. The campaigns have been active since at least April 2025, with victims identified globally.

Technical Analysis

The attack chain is multi-staged and demonstrates a high level of operational security:

  1. Initial Contact (T1566.002 - Phishing: Spearphishing Link): The attack begins with highly personalized outreach on platforms like LinkedIn, targeting specific individuals.
  2. Social Engineering: The attackers engage in prolonged conversations to build trust before delivering the malicious payload, often disguised as a meeting agenda, a software update for a conference call, or a coding test.
  3. Payload Delivery & Execution: The victim is tricked into running a malicious script or executable. The malware suite is multi-platform, with variants for both Windows and macOS.
  4. Credential and Data Theft: The malware is designed to steal a wide range of data, including:
  5. Exfiltration: The stolen data is exfiltrated to attacker-controlled infrastructure for later use in financial theft.

Impact Assessment

A successful compromise by BlueNoroff can lead to catastrophic financial losses for both individuals and companies.

  • Theft of Corporate and Personal Funds: The primary goal is to drain cryptocurrency wallets and gain access to financial accounts.
  • Intellectual Property Theft: For venture capital firms, the theft of investment strategies, portfolio details, and proprietary research is a significant risk.
  • Reputational Damage: A public breach can destroy trust in a cryptocurrency project or investment firm.
  • Gateway to Further Attacks: The stolen credentials and information can be used to launch further attacks against the victim's organization or their partners.

Detection & Response

D3FEND Technique: Detection requires monitoring for suspicious process chains using D3-PCA - Process Creation Analysis and analyzing user behavior with D3-UBA - User Behavior Analysis.

  • Endpoint Monitoring (macOS & Windows): Deploy EDR solutions on all endpoints, including macOS, to detect the execution of unsigned applications, suspicious scripts, and processes accessing sensitive locations like the Keychain or cryptocurrency wallet directories.
  • Scrutinize Communications: Security teams and high-risk employees should be trained to be highly skeptical of unsolicited contact, especially when it involves urgent requests to download software or open documents.
  • Network Traffic Analysis: Monitor for connections to unknown or suspicious domains, especially from processes that should not be making network connections.
  • Threat Intelligence: Subscribe to threat intelligence feeds to get the latest IOCs and TTPs associated with BlueNoroff.
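As an added illustration of the process-creation, file-access and network monitoring described above (example code written for this page, not from Kaspersky's report or this article), the following Python sketch applies four rules to constructed EDR-style telemetry. The event shape, the conferencing-app names, the wallet directories and the reader allowlist are assumptions to be tuned to your own environment.

```python
import re
from pathlib import PurePosixPath

# Sensitive locations the advisory names: macOS Keychain and cryptocurrency wallet data.
# The wallet entries are examples only; tune them to the wallets actually in use.
SENSITIVE_DIRS = ("Library/Keychains", "Library/Application Support/Exodus", ".electrum")
ALLOWED_SENSITIVE_READERS = {"securityd", "Keychain Access", "Exodus", "electrum"}
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "powershell.exe", "cmd.exe"}
CONFERENCING_APPS = {"zoom.us", "Zoom.exe", "Microsoft Teams", "Teams.exe"}
# Download and temp locations where a fake "meeting software update" would be saved and run.
USER_WRITABLE = re.compile(
    r"^(?:/tmp/|/private/tmp/|/Users/[^/]+/Downloads/|[A-Za-z]:\\Users\\[^\\]+\\Downloads\\)", re.I)

def classify(event: dict) -> list[str]:
    """Return the detection labels that fire for one telemetry event (empty list means benign)."""
    hits = []
    image = event.get("image", "")
    name = PurePosixPath(image.replace("\\", "/")).name  # works for macOS and Windows paths
    if event["type"] == "process_create":
        # Rule 1: unsigned binary launched from a download/temp path (the fake-update loader)
        if event.get("signed") is False and USER_WRITABLE.match(image):
            hits.append("unsigned_binary_from_user_writable_path")
        # Rule 2: a conferencing client spawning a script interpreter is not normal behaviour
        if event.get("parent_name") in CONFERENCING_APPS and name in SCRIPT_INTERPRETERS:
            hits.append("conferencing_app_spawned_interpreter")
    elif event["type"] == "file_access":
        # Rule 3: anything but the owning app or securityd reading Keychain/wallet data
        path = event.get("path", "")
        if any(d in path for d in SENSITIVE_DIRS) and name not in ALLOWED_SENSITIVE_READERS:
            hits.append("keychain_or_wallet_access")
    elif event["type"] == "network_connect":
        # Rule 4: outbound connection from a binary that lives in a download/temp path
        if USER_WRITABLE.match(image):
            hits.append("network_from_user_writable_path")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run every event through classify and keep the ones that fired, paired with their image path."""
    return [(e.get("image", ""), h) for e in events if (h := classify(e))]

# Constructed sample telemetry in a generic EDR-like shape (not any vendor's schema).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "/Users/alice/Downloads/ZoomUpdate", "signed": False, "parent_name": "zoom.us"},
    {"type": "process_create", "image": "/bin/zsh", "signed": True, "parent_name": "zoom.us"},
    {"type": "file_access", "image": "/Users/alice/Downloads/ZoomUpdate", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_access", "image": "/usr/libexec/securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "network_connect", "image": "/Users/alice/Downloads/ZoomUpdate", "dst": "203.0.113.10:443"},
    {"type": "process_create", "image": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "signed": True, "parent_name": "launchd"},
]
```

`scan(SAMPLE_EVENTS)` returns four findings (the unsigned loader, the zsh spawned by zoom.us, the loader's Keychain read and its outbound connection), while securityd's Keychain access and the signed Zoom launch pass silently.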

Mitigation

D3FEND Countermeasure: A combination of user-focused defenses (Harden) and technical controls (Detect) is necessary. Key techniques include D3-ACH - Application Configuration Hardening and robust user training.

  • User Training: This is the most critical mitigation. Train executives, developers, and finance personnel to recognize sophisticated social engineering tactics. All unsolicited meeting requests or job offers from unknown parties should be treated with extreme caution.
  • Application Control: Use application allowlisting to prevent the execution of unauthorized or unsigned software. This is particularly effective on both Windows and macOS.
  • Hardware Wallets: Encourage the use of hardware wallets for storing significant amounts of cryptocurrency, as they are largely immune to malware-based theft.
  • Multi-Factor Authentication (MFA): Enforce MFA on all critical accounts, including email, financial platforms, and code repositories.
  • Endpoint Hardening: Harden endpoint configurations to restrict script execution and disable unnecessary services.

Timeline of Events

  1. April 1, 2025: The 'GhostCall' and 'GhostHire' campaigns are assessed to have been active since at least this time.
  2. October 28, 2025: Kaspersky publishes its research on the BlueNoroff campaigns.
  3. October 28, 2025: This article was published.

MITRE ATT&CK Mitigations

Train high-risk individuals to identify and report sophisticated social engineering attempts, which is the primary vector for these campaigns.

Use application control or allowlisting to prevent the execution of unauthorized software delivered via phishing.

Deploy and maintain EDR and AV solutions on all endpoints, including macOS, to detect and block known malware components.

While not a direct prevention, using hardware wallets for cryptocurrency storage moves private keys offline, making them immune to software-based theft.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

BlueNoroff, APT, North Korea, cryptocurrency, macOS, spyware, AI
