Kaspersky: BlueNoroff targets executives on Windows and macOS using AI-driven tools
At the Security Analyst Summit (SAS) in Thailand, Kaspersky’s Global Research and Analysis Team (GReAT) revealed the latest activity of the BlueNoroff Advanced Persistent Threat (APT) group through two newly identified, highly targeted operations: “GhostCall” and “GhostHire.”
According to Kaspersky’s findings, the ongoing campaigns have been active since at least April 2025, primarily targeting Web3 and cryptocurrency organizations across India, Türkiye, Australia, and several countries in Europe and Asia.
A known subdivision of the Lazarus Group, BlueNoroff has expanded its infamous “SnatchCrypto” operation — a financially motivated cyber-espionage effort aimed at stealing digital assets. The newly exposed GhostCall and GhostHire campaigns employ sophisticated infiltration methods and custom malware families designed to compromise both macOS and Windows environments through a shared command-and-control infrastructure.
GhostCall: Targeting macOS Users Through Fake Investment Calls
The GhostCall campaign primarily targets macOS users using advanced social engineering tactics. Attackers initiate contact via Telegram, posing as venture capitalists or startup founders — often leveraging compromised legitimate accounts to build credibility.
Victims are invited to attend fake investment meetings through phishing websites that mimic Zoom or Microsoft Teams interfaces. During these sessions, they are asked to install a supposed “audio fix,” which instead downloads a malicious script to infect their devices.
> “This campaign relied on deliberate and carefully planned deception,” said Sojun Ryu, Security Researcher at Kaspersky GReAT. “Attackers even replayed videos of previous victims during fake calls to make the interaction appear authentic. The data collected is later weaponized in supply-chain attacks, exploiting existing trust relationships to reach new targets.”
Kaspersky reports that GhostCall used seven multi-stage execution chains, including four previously undocumented ones, to distribute various payloads such as crypto stealers, browser and Telegram credential stealers, and other data-exfiltration tools.
GhostHire: Posing as Recruiters to Target Blockchain Developers
Meanwhile, the GhostHire campaign targets blockchain developers and engineers through fake recruitment schemes. The attackers pose as recruiters and trick victims into downloading malware disguised as GitHub repositories containing “technical assessments.”
GhostHire shares infrastructure and tooling with GhostCall but focuses on developer-centric infiltration rather than fake video meetings. Victims receive a ZIP file or GitHub link via Telegram bots, accompanied by urgent task deadlines. Once executed, the malware automatically installs itself, adapting to the victim’s operating system.
AI-Powered Attacks Mark a New Phase in BlueNoroff’s Evolution
Kaspersky’s analysis highlights that generative AI has become a significant enabler in BlueNoroff’s recent operations, accelerating malware development, code obfuscation, and targeting precision.
> “The threat actor’s focus has evolved beyond basic credential theft,” said Omar Amin, Senior Security Researcher at Kaspersky GReAT. “By leveraging generative AI, BlueNoroff can build and adapt malware faster, scale its operations more efficiently, and refine its targeting using AI-driven data analysis. This marks a dangerous new phase in financially motivated APT activity.”
Security Recommendations
To mitigate risks from campaigns such as GhostCall and GhostHire, Kaspersky recommends organizations take the following actions:
- Verify all unsolicited contacts — especially investment or job offers received via Telegram, LinkedIn, or similar platforms.
- Confirm identities through alternative channels before downloading files or attending virtual meetings.
- Use Kaspersky Next solutions for real-time protection, investigation, and response (EDR/XDR), tailored for organizations of all sizes.
- Adopt Kaspersky’s Managed Security Services, including Compromise Assessment, MDR, and Incident Response, to ensure continuous protection.
- Equip InfoSec teams with the latest Kaspersky Threat Intelligence for deeper visibility and proactive defense against emerging threats.