Two campaigns by the BlueNoroff APT group target developers and executives in the crypto industry.
Experts from the Kaspersky Global Research and Analysis Team (GReAT) talked at the Security Analyst Summit 2025 about the activities of the BlueNoroff APT group, which we believe to be a subgroup of Lazarus. In particular, they described in detail two campaigns targeting developers and executives in the crypto industry: GhostCall and GhostHire.
The BlueNoroff actors are primarily interested in financial gain, and currently prefer to attack employees of organizations working with blockchain. Targets are chosen carefully: the attackers clearly prepare thoroughly for each attack. The GhostCall and GhostHire campaigns are very different from each other, but they depend on a common management infrastructure, which is why our experts combined them into a single report.
The GhostCall campaign mainly targets executives of various organizations. The attackers attempt to infect their computers with malware designed to steal cryptocurrency, credentials, and secrets that the victims may be working with. The main platform that GhostCall operators are interested in is macOS — probably because Apple devices are particularly popular among the management of modern companies.
GhostCall attacks begin with fairly sophisticated social engineering: attackers pretend to be investors (sometimes using stolen accounts of real entrepreneurs and even fragments of real video calls with them) and try to arrange a meeting to discuss partnership or investment. The goal is to lure the victim to a website that mimics Microsoft Teams or Zoom. A standard trap awaits them there: the website displays a notification about the need to update the client or fix some technical problem. To do this, the victim is asked to download and run a file, which leads to the infection of the computer.
Details about the various infection chains (there are at least seven in this campaign, four of which our experts haven’t encountered before), along with indicators of compromise, can be found in the blogpost on the Securelist website.
GhostHire is a campaign targeting developers working with blockchain. The ultimate goal is the same — to infect computers with malware — but the maneuver is different. In this case, attackers lure victims with offers of employment with favorable terms. During negotiations, they give the developer the address of a Telegram bot, which provides the victim with a link to GitHub with a test task, or offers to download it in an archive. To prevent the developer from having time to think it over, the task has a fairly tight deadline. While performing the test, the victim’s computer becomes infected with malware.
The tools used by attackers in the GhostHire campaign and their indicators of compromise can also be found in the post on the Securelist blog.
Although GhostCall and GhostHire target specific developers and company executives, attackers are primarily interested in the working infrastructure. Therefore, the task of protecting against these attacks falls on the shoulders of corporate IT security specialists. We therefore recommend:
Periodically raising awareness among all company employees about the tricks used by modern attackers. Training should take into account the nature of the work of specific specialists, including developers and managers. Such training can be organized using a specialized online platform, such as Kaspersky Automated Security Awareness Platform.
Use modern security solutions on all corporate devices that employees use to communicate with the outside world.
