BlueNoroff’s New Cyber Campaigns GhostCall and GhostHire Target Web3, Blockchain Sectors

Unveiling GhostCall and GhostHire: BlueNoroff’s Latest Cyber Threats Targeting Web3 and Blockchain Sectors

Cybersecurity researchers have recently uncovered two sophisticated cyber campaigns, GhostCall and GhostHire, orchestrated by the North Korean-affiliated threat group known as BlueNoroff. These operations are part of a broader initiative called SnatchCrypto, active since at least 2017, with a primary focus on infiltrating the Web3 and blockchain industries.

GhostCall Campaign:

The GhostCall campaign predominantly targets macOS devices used by executives in technology firms and venture capital sectors. Attackers initiate contact through platforms like Telegram, inviting victims to investment-related meetings via counterfeit Zoom-like phishing websites. Upon joining these fake calls, victims encounter genuine recordings of previous victims, enhancing the illusion of legitimacy. Shortly into the call, an error message prompts users to download a Zoom software development kit (SDK) to resolve a purported issue. This deceptive prompt leads to the download of a malicious AppleScript file. For Windows users, the attack employs the ClickFix technique to execute a PowerShell command. Throughout this process, every interaction is monitored and transmitted to the attackers, enabling real-time tracking of the victim’s actions. Recently, the attackers have shifted from Zoom to Microsoft Teams, using similar tactics to deceive users into downloading a TeamsFx SDK, thereby initiating the infection chain.

The AppleScript is designed to install a counterfeit application disguised as Zoom or Microsoft Teams. It also downloads another AppleScript, DownTroy, which checks stored passwords associated with password management applications and installs additional malware with root privileges.
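The delivery pattern above (a script interpreter launched with a freshly downloaded file, or a PowerShell command pasted from a ClickFix prompt) is something endpoint telemetry can score. The following detection logic is an added example, not code from the article or from Kaspersky; the JSON event shape, the field names and the sample events are constructed for it, and the base64 in the Windows sample is a placeholder.

```python
"""Score process-execution events for the lure-driven script launch the
GhostCall chain relies on: osascript or PowerShell run with a script from a
download/temp directory, an encoded or hidden PowerShell command, or an
interpreter spawned directly by a messaging client, browser or the Windows
shell. Event format and samples are constructed; nothing here is real telemetry."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

INTERPRETERS = {"osascript", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
SUSPICIOUS_PARENTS = {"telegram", "safari", "google chrome", "firefox",
                      "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
DROP_DIR = re.compile(
    r"(?:/Users/[^/\s]+/Downloads/|/private/tmp/|/tmp/"
    r"|\\Users\\[^\\\s]+\\Downloads\\|\\AppData\\Local\\Temp\\|%temp%)",
    re.IGNORECASE)
# PowerShell-only flags; osascript's own -e means something else entirely.
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(event: dict) -> Optional[Finding]:
    """Strong signals add 2, context signals add 1; alert at a score of 2 or more."""
    image = basename(event.get("image", ""))
    if image not in INTERPRETERS:
        return None
    cmd = event.get("cmdline", "")
    parent = basename(event.get("parent_image", ""))
    finding = Finding(pid=event["pid"], score=0)
    if DROP_DIR.search(cmd):
        finding.score += 2
        finding.reasons.append("script argument in a download/temp directory")
    if image.startswith(("powershell", "pwsh")):
        if ENCODED.search(cmd):
            finding.score += 2
            finding.reasons.append("encoded PowerShell command")
        if HIDDEN.search(cmd):
            finding.score += 1
            finding.reasons.append("hidden window requested")
    if parent in SUSPICIOUS_PARENTS:
        finding.score += 1
        finding.reasons.append(f"interpreter spawned by {parent}")
    return finding if finding.score >= 2 else None


def scan(lines) -> list:
    """Run score_event over an iterable of JSON event lines; keep the alerts."""
    return [f for f in (score_event(json.loads(line)) for line in lines) if f]


# Constructed sample events; the encoded command is a placeholder string.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"pid": 501, "image": "/usr/bin/osascript",
     "parent_image": "/Applications/Telegram.app/Contents/MacOS/Telegram",
     "cmdline": "osascript /Users/jane/Downloads/zoom_sdk_fix.scpt"},
    {"pid": 502, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -EncodedCommand UExBQ0VIT0xERVI="},
    {"pid": 503, "image": "/usr/bin/osascript",
     "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "osascript -e 'display notification \"build done\"'"},
    {"pid": 504, "image": "/bin/bash", "parent_image": "/usr/sbin/cron",
     "cmdline": "/bin/bash /usr/local/bin/nightly_backup.sh"},
)]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

The scoring deliberately keeps the parent-process signal weak on its own: a user opening PowerShell from the Start menu also has explorer.exe as its parent, so that fact only raises an alert when combined with a downloaded script path or an encoded/hidden command.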

DownTroy is engineered to drop several payloads as part of eight distinct attack chains, while also bypassing Apple’s Transparency, Consent, and Control (TCC) framework:

– ZoomClutch or TeamsClutch: A Swift-based implant masquerading as Zoom or Teams, prompting users to enter their system password to complete the app update and exfiltrating the details to an external server.

– DownTroy v1: A Go-based dropper launching the AppleScript-based DownTroy malware, responsible for downloading additional scripts from the server until the machine is rebooted.

– CosmicDoor: Utilizes a C++ binary loader called GillyInjector to run a benign Mach-O app and inject a malicious payload at runtime. The injected payload is a backdoor written in Nim named CosmicDoor, capable of communicating with an external server to receive and execute commands. It also downloads a bash script stealer suite named SilentSiphon.

– RooTroy: Employs Nimcore loader to launch GillyInjector, which then injects a Go backdoor called RooTroy to collect device information, enumerate running processes, read payloads from specific files, and download additional malware, including RealTimeTroy.

– RealTimeTroy: Uses Nimcore loader to launch GillyInjector, which then injects a Go backdoor called RealTimeTroy that communicates with an external server using the WSS protocol to read/write files, get directory and process information, upload/download files, terminate specified processes, and gather device information.

– SneakMain: Utilizes Nimcore loader to launch a Nim payload called SneakMain to receive and execute additional AppleScript commands from an external server.

– DownTroy v2: Employs a dropper named CoreKitAgent to launch Nimcore loader, which then launches AppleScript-based DownTroy (aka NimDoor) to download an additional malicious script from an external server.

– SysPhon: Uses a lightweight version of RustBucket named SysPhon and SUGARLOADER, a known loader previously used to deliver the KANDYKORN malware. SysPhon, also employed in the Hidden Risk campaign, is a downloader written in C++ that can conduct reconnaissance and fetch a binary payload from an external server.

SilentSiphon is equipped to harvest data from Apple Notes, Telegram, web browser extensions, as well as credentials from browsers and password managers, and secrets stored in configuration files related to a long list of services: GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust cargo, .NET NuGet, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, Akamai Linode, DigitalOcean API, Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio, CircleCI, Pulumi, HashiCorp, SSH, FTP, Sui Blockchain, Solana, NEAR Blockchain, Aptos Blockchain, Algorand, Docker, Kubernetes, and OpenAI.
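Most of the services in that list keep long-lived tokens or private keys in plaintext files under the user's home directory, which is exactly why a stealer running as the logged-in user gets so much from one workstation. The audit below is an added example, not from the article or Kaspersky: it inventories which of those stores exist on a machine and flags ones readable by other local accounts. The path table covers a subset of the services named above and uses each tool's usual default location on macOS/Linux; these defaults are assumptions to verify against your own tool versions, and the demo home directory and its credential contents are constructed placeholders.

```python
"""Inventory plaintext credential stores under a home directory so a defender
can see what a SilentSiphon-style stealer would collect and which files also
have lax permissions. Paths are assumed tool defaults; verify for your setup."""
import stat
import tempfile
from pathlib import Path

CREDENTIAL_FILES = {
    "git credential store": ".git-credentials",
    "GitHub CLI":           ".config/gh/hosts.yml",
    "npm":                  ".npmrc",
    "Yarn":                 ".yarnrc.yml",
    "pip / twine":          ".pypirc",
    "RubyGems":             ".gem/credentials",
    "Rust cargo":           ".cargo/credentials.toml",
    "NuGet":                ".nuget/NuGet/NuGet.Config",
    "AWS CLI":              ".aws/credentials",
    "Google Cloud SDK":     ".config/gcloud/credentials.db",
    "Oracle Cloud CLI":     ".oci/config",
    "Docker":               ".docker/config.json",
    "Kubernetes":           ".kube/config",
    "Pulumi":               ".pulumi/credentials.json",
    "Terraform Cloud":      ".terraform.d/credentials.tfrc.json",
    "Vault":                ".vault-token",
    "Netlify CLI":          ".netlify/config.json",
    "Firebase CLI":         ".config/configstore/firebase-tools.json",
    "SSH private key":      ".ssh/id_ed25519",
    "Solana CLI keypair":   ".config/solana/id.json",
    "Sui keystore":         ".sui/sui_config/sui.keystore",
    "Aptos CLI":            ".aptos/config.yaml",
}


def audit(home: Path) -> list:
    """Return one record per credential store that exists under `home`.
    A stealer running as the user can read all of them; lax_permissions marks
    those that other local accounts could read as well."""
    findings = []
    for service, rel in CREDENTIAL_FILES.items():
        path = home / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "service": service,
            "path": str(path),
            "mode": oct(mode),
            "lax_permissions": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def demo_home() -> Path:
    """Throwaway home directory with two constructed credential files
    (placeholder contents) so the audit can run offline."""
    home = Path(tempfile.mkdtemp(prefix="ghost_audit_"))
    npmrc = home / ".npmrc"
    npmrc.write_text("//registry.npmjs.org/:_authToken=PLACEHOLDER_TOKEN\n")
    npmrc.chmod(0o644)          # deliberately lax
    (home / ".aws").mkdir()
    creds = home / ".aws" / "credentials"
    creds.write_text("[default]\naws_access_key_id=PLACEHOLDER\n"
                     "aws_secret_access_key=PLACEHOLDER\n")
    creds.chmod(0o600)
    return home


def demo_report() -> list:
    return audit(demo_home())


if __name__ == "__main__":
    # Swap Path.home() for demo_home() to try it on the constructed directory.
    for f in audit(Path.home()):
        flag = "  <-- readable by other local users" if f["lax_permissions"] else ""
        print(f'{f["service"]:22} {f["path"]} {f["mode"]}{flag}')
```

The useful outcome of running this is a decision per file: move the secret into the OS keychain or a credential helper where the tool supports one, shorten the token's lifetime, or accept the risk knowingly. On Windows the POSIX mode bits are not meaningful, so only the existence check applies there.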

While the video feeds for fake calls were recorded via the fabricated Zoom phishing pages the actor created, the profile images of meeting participants appear to have been sourced from job platforms or social media platforms such as LinkedIn, Crunchbase, or X, Kaspersky said. Interestingly, some of these images were enhanced with [OpenAI] GPT-4o.

GhostHire Campaign:

The GhostHire campaign targets Web3 developers by initiating contact through Telegram. Attackers lure victims into downloading and executing a booby-trapped GitHub repository under the guise of a skill assessment, urging completion within 30 minutes to increase the likelihood of infection. Once installed, the project downloads a malicious payload onto the developer’s system, tailored to the operating system in use.
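Because the payload is fetched when the project is installed, the practical defence for a developer handed a "30-minute assessment" is to look at what the package manager would execute before running it. The reviewer below is an added example, not from the article or Kaspersky; it assumes an npm and/or setuptools project (the article does not name the ecosystem), and the hook names, the suspicious-token list and the sample repository are constructed for this example.

```python
"""Pre-execution review of an unknown repository: list the commands that
npm or pip would run automatically at install time and mark ones that fetch
or decode code. Ecosystem choice and sample repo are assumptions."""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run without the user asking for them.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Install-time behaviour a take-home exercise should never need.
SUSPICIOUS = re.compile(
    r"\b(?:curl|wget|Invoke-WebRequest|iwr|osascript|powershell|base64|eval|"
    r"node\s+-e|python\d?\s+-c|chmod\s+\+x|https?://)", re.IGNORECASE)
# setup.py code that hooks pip's install/develop/build commands.
SETUP_HOOK = re.compile(r"cmdclass\s*=|class\s+\w+\((?:install|develop|build_py)\)")


def review_repo(repo: Path) -> list:
    """Return one record per install-time hook found in the checkout."""
    findings = []
    pkg = repo / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook in NPM_HOOKS:
            if hook in scripts:
                findings.append({"file": "package.json", "hook": hook,
                                 "command": scripts[hook],
                                 "suspicious": bool(SUSPICIOUS.search(scripts[hook]))})
    setup_py = repo / "setup.py"
    if setup_py.is_file():
        text = setup_py.read_text()
        if SETUP_HOOK.search(text):
            findings.append({"file": "setup.py", "hook": "custom install command",
                             "command": "(see cmdclass in setup.py)",
                             "suspicious": bool(SUSPICIOUS.search(text))})
    return findings


def demo_repo() -> Path:
    """Constructed repository with one npm postinstall hook and one
    setuptools install override, so the reviewer can run offline."""
    repo = Path(tempfile.mkdtemp(prefix="assessment_"))
    (repo / "package.json").write_text(json.dumps({
        "name": "assessment", "version": "1.0.0",
        "scripts": {"test": "jest",
                    "postinstall": "node -e \"require('./.bootstrap')\""}}, indent=2))
    (repo / "setup.py").write_text(
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n\n"
        'setup(name="assessment", cmdclass={"install": PostInstall})\n')
    return repo


def demo_review() -> list:
    return review_repo(demo_repo())


if __name__ == "__main__":
    for f in demo_review():
        mark = "!!" if f["suspicious"] else "  "
        print(f'{mark} {f["file"]}: {f["hook"]} -> {f["command"]}')
```

Any hit here is a reason to read the referenced file before installing, or to run `npm install --ignore-scripts` and inspect the project in a disposable VM; a code exercise that needs to execute something at install time is not a normal code exercise.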

Kaspersky has been monitoring these campaigns since April 2025, though evidence suggests that GhostCall has been active since mid-2023, likely following the RustBucket campaign. RustBucket marked BlueNoroff’s significant shift towards targeting macOS systems, subsequently leading to the deployment of malware families like KANDYKORN, ObjCShellz, and TodoSwift.

Implications and Recommendations:

The emergence of GhostCall and GhostHire underscores the evolving tactics of state-sponsored cyber actors targeting the rapidly growing Web3 and blockchain sectors. These campaigns highlight the importance of vigilance and robust cybersecurity measures, especially for individuals and organizations operating within these industries.

To mitigate the risks associated with such sophisticated attacks, consider the following recommendations:

1. Verify Communication Channels: Be cautious of unsolicited messages on platforms like Telegram, especially those involving investment opportunities or skill assessments.

2. Scrutinize Download Sources: Only download software and updates from official and reputable sources. Avoid executing files from unverified links or repositories.

3. Implement Multi-Factor Authentication (MFA): Enhance account security by enabling MFA, reducing the risk of unauthorized access.

4. Regular Software Updates: Keep operating systems and applications up to date to patch known vulnerabilities.

5. Educate and Train Staff: Conduct regular cybersecurity awareness training to help employees recognize phishing attempts and other social engineering tactics.

6. Deploy Advanced Security Solutions: Utilize comprehensive security software capable of detecting and mitigating advanced threats.

By adopting these practices, individuals and organizations can better defend against the sophisticated and evolving threats posed by groups like BlueNoroff.