Threat actors linked to North Korea have been observed targeting the Web3 and blockchain sectors through twin campaigns known as GhostCall and GhostHire.
According to Kaspersky, these campaigns are part of a broader operation called SnatchCrypto that has been active since at least 2017. This activity is attributed to a sub-cluster of the Lazarus Group known as BlueNoroff, also referred to as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.
The victims of the GhostCall campaign are spread across multiple infected macOS hosts in countries including Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong. In contrast, the GhostHire campaign primarily targets Japan and Australia.
Researchers at Kaspersky, Sojun Ryu and Omar Amin, explained that “GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites.”
“The victim joins a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly and then encourages the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.”
On the other hand, GhostHire involves approaching prospective targets, such as Web3 developers, on Telegram and luring them into downloading and executing a booby-trapped GitHub repository under the pretext of a skill assessment. Targets are told to complete the assessment within 30 minutes of receiving the link, a time pressure intended to raise the likelihood that the code is run before it is inspected.
Kaspersky has been tracking these two campaigns since April 2025, although it is assessed that GhostCall has been active since mid-2023, likely following the RustBucket campaign.
RustBucket marked a significant pivot by the adversarial collective towards targeting macOS systems, after which other campaigns have leveraged malware families like KANDYKORN, ObjCShellz, and TodoSwift.
It’s worth noting that various aspects of this activity have been extensively documented by multiple security vendors over the past year, including Microsoft, Huntress, Field Effect, Huntabil.IT, Validin, and SentinelOne.
The GhostCall Campaign
Targets who land on the fake Zoom pages as part of the GhostCall campaign are first served a bogus page that gives the illusion of a live call. Three to five seconds later, the page displays an error message urging them to download a Zoom software development kit (SDK) to fix a purported problem with continuing the call.
Should the victims fall for the trap and attempt to update the SDK by clicking on the “Update Now” option, it leads to the download of a malicious AppleScript file onto their system. In the event the victim is using a Windows machine, the attack leverages the ClickFix technique to copy and run a PowerShell command.