JAKARTA - Kaspersky's Global Research and Analysis Team (GReAT) has revealed the latest activity of the BlueNoroff APT, a subdivision of the Lazarus group: two highly targeted malicious campaigns named 'GhostCall' and 'GhostHire'.
The recently described GhostCall and GhostHire campaigns use new infiltration techniques and custom malware to compromise blockchain developers and executives.
The attacks primarily target macOS and Windows systems and are managed through an integrated command-and-control infrastructure.
The GhostCall campaign focuses on macOS devices. Attackers contact victims via Telegram, pose as venture capitalists, and promote investment or partnership opportunities.
The victims are invited to fake investment meetings on phishing sites that mimic Zoom or Microsoft Teams. During the meeting, they are asked to "update" their client to fix audio problems. This action downloads a malicious script and infects the device with malware.
"The data collected in this process is then used not only to fight the first victim, but also to be exploited to allow further attacks," said Sojun Ryu, security researcher at Kaspersky GReAT.
In the GhostHire campaign, the APT targets blockchain developers by posing as recruiters. Victims are tricked into downloading and running a GitHub repository containing malware.
After the initial contact, the victim is added to a Telegram bot that sends a ZIP file or GitHub link, along with a short deadline to complete the task. Once executed, the malware, which is tailored to the victim's operating system, installs itself on the computer.
The ongoing operation has targeted Web3 and crypto-asset organizations across India, Turkey, Australia, and other countries in Europe and Asia since at least April 2025.
The use of generative AI has allowed BlueNoroff to accelerate malware development and refine its attack techniques.
"We hope our research will contribute to preventing further damage," added Omar Amin, senior security researcher at Kaspersky GReAT.