Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire.
According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.
Victims of the GhostCall campaign span several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, whereas Japan and Australia have been identified as the major hunting grounds for the GhostHire campaign.
“GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites,” Kaspersky said.
“The victim would join a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly and then encourages the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.”
On the other hand, GhostHire involves approaching prospective targets, such as Web3 developers, on Telegram and luring them into downloading and executing a booby-trapped GitHub repository under the pretext of completing a skill assessment within 30 minutes of sharing the link, so as to ensure a higher success rate of infection.
Once installed, the project is designed to download a malicious payload onto the developer’s system based on the operating system used. The Russian cybersecurity company said it has been keeping tabs on the two campaigns since April 2025, although it’s assessed that GhostCall has been active since mid-2023, likely following the RustBucket campaign.
RustBucket marked the adversarial collective’s major pivot to targeting macOS systems, following which other campaigns have leveraged malware families like KANDYKORN, ObjCShellz, and TodoSwift.
It’s worth noting that various aspects of the activity have been documented extensively over the past year by multiple security vendors, including Microsoft, Huntress, Field Effect, Huntabil.IT, Validin, and SentinelOne.
The GhostCall Campaign
Targets who land on the fake Zoom pages as part of the GhostCall campaign are initially served a bogus page that gives the illusion of a live call, only to display an error message three to five seconds later, urging them to download a Zoom software development kit (SDK) to address a purported issue with continuing the call.
Should the victims fall for the trap and attempt to update the SDK by clicking on the “Update Now” option, it leads to the download of a malicious…