{"id":5584,"date":"2025-10-29T11:43:47","date_gmt":"2025-10-29T11:43:47","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5584"},"modified":"2025-10-29T11:43:47","modified_gmt":"2025-10-29T11:43:47","slug":"bluenoroff-reemerges-with-new-campaigns-for-crypto-theft-and-espionage","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5584","title":{"rendered":"BlueNoroff reemerges with new campaigns for crypto theft and espionage"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>North Korea-aligned threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed \u201cGhostCall\u201d and \u201cGhostHire,\u201d targeting executives, Web3 developers, and blockchain professionals.<\/p>\n<p>According to Kaspersky\u2019s Securelist researchers, the campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and eventually deliver multi-stage malware chains to compromise macOS and Windows hosts.<\/p>\n<p>BlueNoroff is a <a href=\"https:\/\/www.csoonline.com\/article\/560979\/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html\">financially motivated subgroup<\/a> of the Lazarus Group, North Korea\u2019s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign, of which GhostCall and GhostHire appear to be the latest extensions.<\/p>\n<p>Researchers noted that the new campaigns highlight BlueNoroff\u2019s shift toward modular malware, cross-platform threats, and highly tailored targeting of the blockchain space. 
The malware samples were found written in multiple programming languages, including Go, Rust, Nim, and AppleScript, reflecting an added technical layer in the group\u2019s operations.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Compromise through fake \u201cinvestor meetings\u201d<\/h2>\n<p>In the GhostCall campaign, BlueNoroff poses as venture capitalists or startup founders seeking to \u201cinvest\u201d in blockchain projects. The attackers set up fake video meetings via platforms like Zoom or Teams, luring victims into a false sense of legitimacy.<\/p>\n<p>During or after these calls, the victim is asked to install a supposed \u201cupdate\u201d or \u201cplugin\u201d to improve connection quality. The file, of course, is malicious\u2013triggering a chain of implants such as DownTroy, CosmicDoor, and Rootroy, each performing specialized tasks like credential theft, keylogging, or persistence.<\/p>\n<p>Once inside the target environment, the malware seeks out crypto wallet data, SSH keys, and project credentials\u2013anything that could enable financial theft or lateral movement within corporate infrastructure. The campaign also deploys exfiltration routines to extract sensitive project data back to BlueNoroff\u2019s servers, often obfuscated with custom encryption and encoded in hexadecimal to avoid detection.<\/p>\n<p>Securelist researchers emphasized that GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations. The attackers use multiple layers of staging and dynamic command-and-control switching, allowing the malware to remain dormant until it detects activity in crypto-related directories or developer tools.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Fake recruiters with real malware<\/h2>\n<p>The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. Here BlueNoroff sets up fake developer tasks, often hosted on GitHub or shared via Telegram bots. 
\u201cBased on historical attack cases of this campaign, we assess with medium confidence that this attack flow involving Telegram and GitHub represents the latest phase, which started no later than April this year,\u201d researchers <a href=\"https:\/\/securelist.com\/bluenoroff-apt-campaigns-ghostcall-and-ghosthire\/117842\/\" target=\"_blank\" rel=\"noopener\">said<\/a>.<\/p>\n<p>Victims are told to complete a \u201ccoding challenge\u201d for a potential employer, only to receive a ZIP archive or Git repository containing the malware. Once executed, GhostHire deploys system reconnaissance modules that determine the victim\u2019s OS\u2013macOS or Windows\u2013and then selectively downloads the right payload.<\/p>\n<p>These payloads share the same modular DNA as GhostCall\u2019s tools, designed to escalate privileges, capture credentials, and open backdoors. Researchers noted that the social engineering component is particularly convincing, with attackers sometimes maintaining week-long correspondence to earn the victim\u2019s trust before deploying the payload. 
Recently, BlueNoroff and its parent, Lazarus Group, have expanded their operations with the <a href=\"https:\/\/www.csoonline.com\/article\/3831315\/bybits-1-5b-hack-linked-to-north-koreas-lazarus-group.html\">$1.5 billion Bybit heist<\/a>, npm-supply-chain <a href=\"https:\/\/socket.dev\/blog\/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package\" target=\"_blank\" rel=\"noopener\">attacks<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/4009603\/north-koreas-bluenoroff-uses-ai-deepfakes-to-push-mac-malware-in-fake-zoom-calls.html\">Mac-focused malware <\/a>targeting blockchain developers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>North Korea-aligned threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed \u201cGhostCall\u201d and \u201cGhostHire,\u201d targeting executives, Web3 developers, and blockchain professionals. According to Kaspersky\u2019s Securelist researchers, the campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and eventually deliver multi-stage 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5585,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5584","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5584"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5584"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5584\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5585"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}