BlueNoroff’s GhostCall and GhostHire Campaigns Use Stolen Victim Videos to Compromise Crypto Executives

North Korean threat actor BlueNoroff (also known as Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has launched two sophisticated campaigns—GhostCall and GhostHire—targeting cryptocurrency executives, blockchain developers, and venture capital professionals, according to research published by Kaspersky.

GhostCall: Fake Investment Meetings with Real Victim Recordings

In the GhostCall campaign, attackers impersonate venture capitalists on Telegram, approaching executives at tech companies with investment or partnership opportunities. Victims are invited to join what appears to be a legitimate Zoom meeting, but the calls use real video recordings stolen from previous victims—not deepfakes.

During the call the victim sees what looks like a live meeting with several participants. After three to five seconds the page shows an error and prompts them to download a "Zoom SDK Update"; that download is the actual delivery step. On macOS it drops a malicious AppleScript; on Windows the page uses the ClickFix technique, walking the victim through pasting a "fix" command that runs the malware. A genuine Zoom client never asks for an SDK update through a web page in the middle of a call, which is the most useful tell for recipients.

“Our research revealed that these videos were, in fact, real recordings secretly taken from other victims who had been targeted by the same actor using the same method.”

GhostHire: Malicious GitHub Repositories Disguised as Job Assessments

The GhostHire campaign targets Web3 developers through fake job recruitment. Attackers posing as recruiters conduct screening calls, then add victims to a Telegram bot that delivers either a ZIP file or GitHub repository link with a 30-minute time limit to complete a supposed coding assessment.

The deadline is the point: it pushes the victim to clone the project and run its setup (install dependencies, run the tests) without reading what it does. Once executed, the project fetches OS-specific payloads matched to the victim's system.
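
The vetting step this lure is designed to skip can be scripted. The following is an added example, not code from Kaspersky's report and not the attackers' tooling: it triages a checked-out assessment before anything is installed or opened, flagging npm lifecycle hooks that run on `npm install` and source lines that decode-and-eval, spawn processes, embed long base64 blobs, or reach out to URLs. The indicator patterns are the editor's assumptions, not signatures from the report, and the sample repository it writes to a temp directory is constructed for illustration with filler instead of a payload.

```python
"""Pre-execution triage of a "coding assessment" repository.

Added example: not Kaspersky's code and not the attackers' tooling. It walks a
checkout and flags the places where a project can run code as soon as it is
installed or opened, before any assessment logic executes. The indicator
patterns are assumptions of this example, not signatures from the report.
"""
import json
import os
import re
import tempfile

SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}
MAX_BYTES = 512 * 1024          # skip large blobs; they are not source to review
# npm lifecycle scripts that run automatically during `npm install`
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(?:eval|exec|Function)\s*\("), "dynamic code execution"),
    (re.compile(r"child_process|subprocess|os\.system|execSync|spawn\("), "spawns a process"),
    (re.compile(r"https?://[^\s'\"]+"), "remote URL"),
    (re.compile(r"(?:atob|b64decode|Buffer\.from)\s*\("), "decodes an embedded blob"),
    (re.compile(r"[A-Za-z0-9+/=]{120,}"), "long base64-looking string"),
]


def iter_text_files(root):
    """Yield (relative path, contents) for every readable UTF-8 file under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8") as fh:
                    yield os.path.relpath(path, root), fh.read()
            except (UnicodeDecodeError, OSError):
                continue


def check_package_json(relpath, text):
    """Flag npm scripts that run without the developer invoking them."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return []
    return [{"path": relpath, "kind": "lifecycle hook", "detail": f"{hook}: {cmd}"}
            for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS]


def check_source(relpath, text):
    """Flag lines matching any suspicious pattern, with line number and excerpt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append({"path": relpath, "kind": label,
                                 "detail": f"line {lineno}: {line.strip()[:80]}"})
    return findings


def triage_repo(root):
    """Return all findings for the checkout at root; an empty list means 'nothing obvious'."""
    findings = []
    for relpath, text in iter_text_files(root):
        if os.path.basename(relpath) == "package.json":
            findings += check_package_json(relpath, text)
        else:
            findings += check_source(relpath, text)
    return findings


def build_sample_repo():
    """Constructed sample with the shape of a booby-trapped assessment (filler, not a payload)."""
    root = tempfile.mkdtemp(prefix="assessment-")
    files = {
        "package.json": json.dumps({
            "name": "trading-dashboard-task",
            "scripts": {"postinstall": "node .config/setup.js", "test": "jest"},
        }),
        ".config/setup.js": (
            "// constructed: decode-and-eval stub; the blob is filler, not a payload\n"
            "const blob = Buffer.from('" + "QUFB" * 40 + "', 'base64');\n"
            "eval(blob.toString());\n"
            "fetch('http://example.invalid/update').then(r => r.text());\n"
        ),
        "src/index.js": "export function add(a, b) { return a + b; }\n",
    }
    for relpath, content in files.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in triage_repo(build_sample_repo()):
        print(f"{finding['path']}: {finding['kind']} ({finding['detail']})")
```

Run it against the cloned directory before `npm install` and before opening the folder in an editor that honours workspace tasks. A hit is a reason to read the file or walk away, not proof of malice, and a clean run only means the obvious patterns are absent; the assessment still belongs in a disposable VM with no wallets, keys or logged-in sessions.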

AI-Enhanced Attack Operations

BlueNoroff is leveraging AI to enhance its operations:

  • ChatGPT-generated profile pictures for the attackers' fake personas, identifiable by their embedded C2PA (Content Credentials) metadata
  • AI-generated code comments in the stealer modules
  • Enhanced social engineering scripts and fake profiles
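
The C2PA signal is something a defender can check for directly when vetting a new contact's profile picture. The following is an added example, not part of the Kaspersky research: it walks PNG chunks and JPEG marker segments looking for an embedded C2PA manifest store, which the C2PA specification places in a JUMBF superbox inside a PNG chunk of type caBX or a JPEG APP11 segment whose payload starts with the identifier JP. The minimal sample images are constructed inline with a stand-in box rather than a real signed manifest. A hit means only that a C2PA-aware tool wrote the file (ChatGPT's image output is one); absence proves nothing, because many upload pipelines strip the metadata.

```python
"""Check an image for an embedded C2PA manifest store (Content Credentials).

Added example, not Kaspersky's code. C2PA embeds its manifest store as a JUMBF
superbox: in PNG inside a 'caBX' chunk, in JPEG inside APP11 (0xFFEB) segments
whose payload starts with the common identifier 'JP'. Treat a hit as a triage
signal, not proof; absence proves nothing since the metadata is easily stripped.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_chunks(data):
    """Yield (chunk type, payload) for each PNG chunk, verifying every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def jpeg_segments(data):
    """Yield (marker, payload) for JPEG marker segments up to the first scan."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI or SOS: no more metadata
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment")
        yield marker, payload
        pos += 2 + length


def looks_like_jumbf(payload):
    """A JUMBF superbox is LBox (4 bytes) then TBox 'jumb'; APP11 prefixes CI/En/Z (8 bytes)."""
    return b"jumb" in payload[:32]


def find_c2pa(data):
    """Return a description of every C2PA manifest container found in the image bytes."""
    hits = []
    if data.startswith(PNG_SIG):
        for ctype, payload in png_chunks(data):
            if ctype == b"caBX" and looks_like_jumbf(payload):
                hits.append(f"PNG caBX chunk, {len(payload)} bytes")
    elif data.startswith(JPEG_SOI):
        for marker, payload in jpeg_segments(data):
            if marker == 0xEB and payload[:2] == b"JP" and looks_like_jumbf(payload):
                hits.append(f"JPEG APP11 JUMBF segment, {len(payload)} bytes")
    else:
        raise ValueError("unsupported image format")
    return hits


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _jumbf_box():
    """Constructed stand-in for a manifest store: a 'jumb' superbox carrying a 'c2pa' label."""
    body = b"jumb" + b"c2pa\x00"
    return struct.pack(">I", 4 + len(body)) + body


def sample_png(with_manifest):
    """Constructed 1x1 grayscale PNG, optionally with a caBX chunk."""
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))]
    if with_manifest:
        chunks.append(_chunk(b"caBX", _jumbf_box()))
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def sample_jpeg(with_manifest):
    """Constructed JPEG header (APP0, optional APP11, EOI); no scan data is needed here."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    segs = [JPEG_SOI, b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0]
    if with_manifest:
        app11 = b"JP" + struct.pack(">HI", 1, 1) + _jumbf_box()   # CI, En, Z, then the box
        segs.append(b"\xff\xeb" + struct.pack(">H", 2 + len(app11)) + app11)
    segs.append(b"\xff\xd9")
    return b"".join(segs)


if __name__ == "__main__":
    for name, blob in [("png", sample_png(True)), ("jpeg", sample_jpeg(True))]:
        print(name, find_c2pa(blob) or "no manifest")
```

To read the manifest itself (generator name, signing certificate) use a full C2PA parser; this check only answers whether one is present, which is enough to decide that a "venture capitalist" whose headshot carries Content Credentials deserves a second look.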

Comprehensive Credential and Secrets Theft

The campaigns deploy a modular stealer suite that harvests:

  • Cryptocurrency wallet data
  • macOS Keychain credentials
  • Browser-stored passwords and sessions
  • OpenAI API keys
  • Cloud platform and DevOps credentials
  • Telegram data and collaboration app secrets

Global Victim Distribution

GhostCall victims have been identified across Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong. GhostHire primarily targets victims in Japan and Australia.

Recommendations

Organizations and individuals in the Web3/cryptocurrency space should:

  • Verify investment meeting invitations through established channels; a contact who exists only on Telegram and sets up the call is unverified until proven otherwise
  • Never install or run code from an unvetted repository on a workstation that holds wallets, keys or logged-in sessions; do take-home assessments in a disposable VM
  • Treat artificial time pressure in a recruitment process (a 30-minute window to run someone else's project) as a red flag in itself
  • Verify identities on calls you set up yourself, using your own meeting links, and remember that a convincing video feed can be a recording of a previous victim
  • Deploy endpoint monitoring that flags osascript running downloaded scripts on macOS and user-pasted commands launching unexpected processes on Windows, and train staff that a mid-call "SDK update" download is never legitimate

Source: Kaspersky Securelist