Fyself News
Researchers expose GhostCall and GhostHire: BlueNoroff’s new malware chain

October 28, 2025

[Figure: GhostCall and GhostHire]

Threat actors associated with North Korea have been observed targeting the Web3 and blockchain sectors as part of two campaigns tracked as GhostCall and GhostHire.

According to Kaspersky, these campaigns are part of a broader operation called SnatchCrypto that has been ongoing since at least 2017. The activity is attributed to a subcluster of the Lazarus group called BlueNoroff, also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.

Victims of the GhostCall campaign span multiple infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, while Japan and Australia have been identified as the main hunting grounds for the GhostHire campaign.

“GhostCall focuses on the macOS devices of executives in tech companies and venture capital sectors by approaching targets directly through platforms like Telegram and inviting potential victims to investment-related meetings linked to phishing websites like Zoom,” Kaspersky said.

“Victims participate in a fake call using authentic recordings of other real victims of the threat, rather than deepfakes. The call goes smoothly and prompts the user to update their Zoom client using a script. Eventually, the script downloads a ZIP file and the infection chain is deployed on infected hosts.”

GhostHire, on the other hand, approaches potential targets such as Web3 developers on Telegram and persuades them to download and run a compromised GitHub repository under the pretext of completing a skills assessment, with a deadline of 30 minutes from the time the link is shared, to increase the infection success rate.

Once installed, this project is designed to download a malicious payload to the developer’s system based on the operating system being used. The Russian cybersecurity firm said it has been monitoring the two campaigns since April 2025, but GhostCall is assessed to have been active since mid-2023, likely after the RustBucket campaign.

RustBucket marked a major turning point in the group's targeting of macOS systems, and later campaigns have leveraged malware families such as KANDYKORN, ObjCShellz, and TodoSwift.

It is worth noting that various aspects of this activity have been extensively documented over the past year by multiple security vendors, including Microsoft, Huntress, Field Effect, Huntabil.IT, Validin, and SentinelOne.

GhostCall Campaign

Targets who visit a fake Zoom page as part of a GhostCall campaign will initially see a fake page that appears to be a live call, but after 3-5 seconds they will see an error message prompting them to download the Zoom Software Development Kit (SDK) to address alleged issues with call continuation.

If the victim falls for the trap and attempts to update the SDK by clicking the “Update Now” option, a malicious AppleScript file is downloaded to the system. If the victim is using a Windows machine, the attack instead leverages the ClickFix technique, tricking the user into copying and executing PowerShell commands.

[Figure: GhostCall campaign attack flow]

At each stage, all interactions with the fake site are recorded and sent to the attacker to track the victim’s behavior. Just last month, the same attacker was observed moving from Zoom to Microsoft Teams, this time using the same tactic of tricking users into downloading the TeamsFx SDK and triggering an infection chain.

Regardless of the decoy used, the AppleScript is designed to install fake applications disguised as Zoom or Microsoft Teams. It also downloads another AppleScript called DownTroy, which checks for saved passwords associated with password management applications and installs additional malware with root privileges.
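The “update your client by running this script” lure described above leaves a process trail that endpoint telemetry can catch: a script interpreter that fetches an archive and then unpacks it, strips its quarantine attribute, or marks it executable. The following is an added example, not code from the article or from Kaspersky. The process-event format, every sample log line, and the regular expressions are constructed for illustration rather than taken from any vendor signature.

```python
"""Flag the 'run this script to update your client' pattern on an endpoint:
a script interpreter (osascript, bash, PowerShell, ...) whose own command
line or child processes both fetch an archive and then unpack, unquarantine
or mark it executable.

Added example: not code from the article or from Kaspersky. The process-event
format and every sample line below are constructed for illustration."""
import json
import re
from collections import defaultdict

# Interpreters the lures in the article ask the victim to run (assumed list).
SCRIPT_INTERPRETERS = {"osascript", "bash", "sh", "zsh", "powershell.exe", "pwsh"}

# Illustrative patterns (assumptions, not a vendor signature).
DOWNLOADERS = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.IGNORECASE)
UNPACK_OR_RUN = re.compile(
    r"\b(unzip|ditto|tar|Expand-Archive|chmod\s+\+x|xattr\s+-d)\b", re.IGNORECASE
)

# Constructed process-creation events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-10-28T10:00:01Z","pid":501,"ppid":1,"image":"osascript","cmdline":"osascript /tmp/client_update.scpt"}
{"ts":"2025-10-28T10:00:02Z","pid":502,"ppid":501,"image":"curl","cmdline":"curl -s -o /tmp/sdk.zip https://sdk.invalid/sdk.zip"}
{"ts":"2025-10-28T10:00:03Z","pid":503,"ppid":501,"image":"unzip","cmdline":"unzip -o /tmp/sdk.zip -d /tmp/sdk"}
{"ts":"2025-10-28T10:00:04Z","pid":504,"ppid":501,"image":"chmod","cmdline":"chmod +x /tmp/sdk/update"}
{"ts":"2025-10-28T10:05:00Z","pid":601,"ppid":1,"image":"bash","cmdline":"bash build.sh"}
{"ts":"2025-10-28T10:05:01Z","pid":602,"ppid":601,"image":"curl","cmdline":"curl -s https://api.invalid/status"}
{"ts":"2025-10-28T10:06:00Z","pid":701,"ppid":1,"image":"zsh","cmdline":"zsh -c 'unzip archive.zip'"}
"""


def parse_events(text):
    """Parse JSON-lines process events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_update_script_chains(events):
    """Return one alert per script interpreter that both downloads and then
    unpacks/executes within its own command line or its direct children.
    A download alone (build scripts) or an unpack alone is not flagged."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        if e["image"].lower() not in SCRIPT_INTERPRETERS:
            continue
        # The script's own command line plus everything it spawned directly.
        texts = [e["cmdline"]] + [c["cmdline"] for c in children.get(e["pid"], [])]
        downloads = [t for t in texts if DOWNLOADERS.search(t)]
        followups = [t for t in texts if UNPACK_OR_RUN.search(t)]
        if downloads and followups:
            alerts.append({
                "script_pid": e["pid"],
                "script": e["cmdline"],
                "download": downloads[0],
                "followups": followups,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_update_script_chains(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] pid {alert['script_pid']}: {alert['script']}")
        print(f"        fetched via : {alert['download']}")
        for step in alert["followups"]:
            print(f"        then        : {step}")
```

On the constructed sample only the osascript chain (pid 501) is flagged: the build script that merely calls curl and the shell that merely unzips a local file stay quiet, which is the point of requiring both halves of the pattern under one parent.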

DownTroy is designed to bypass Apple’s Transparency, Consent, and Control (TCC) framework while dropping multiple payloads as part of eight different attack chains.

  • ZoomClutch / TeamsClutch: A Swift-based implant that pretends to be Zoom or Teams, and includes the ability to prompt users for their system password to complete app updates and leak the details to an external server.
  • DownTroy v1: Uses a Go-based dropper to launch the AppleScript-based DownTroy malware, which downloads additional scripts from servers until the machine is rebooted.
  • CosmicDoor: Uses a C++ binary loader called GillyInjector (also known as InjectWithDyld) to run a benign Mach-O app and inject a malicious payload into it at runtime. When run with the -d flag, GillyInjector enables destructive functionality and irrevocably erases all files in the current directory. The injected payload is a backdoor written in Nim named CosmicDoor that can communicate with external servers to receive and execute commands. The attackers are believed to have first developed a Go version of CosmicDoor for Windows before moving on to Rust, Python, and Nim variants. It also downloads a bash script stealer suite called SilentSiphon.
  • RooTroy: Uses the Nimcore loader to launch GillyInjector, which then injects a Go backdoor called RooTroy (aka Root Troy V4) to collect device information, enumerate running processes, read payloads from specific files, and download and execute additional malware (including RealTimeTroy).
  • RealTimeTroy: Uses the Nimcore loader to launch GillyInjector, which injects a Go backdoor called RealTimeTroy. This backdoor communicates with external servers using the WSS protocol to read/write files, obtain directory and process information, upload/download files, terminate specified processes, and obtain device information.
  • SneakMain: Uses the Nimcore loader to launch a Nim payload called SneakMain, which receives and executes additional AppleScript commands from an external server.
  • DownTroy v2: Uses a dropper named CoreKitAgent to launch the Nimcore loader, which then launches the AppleScript-based DownTroy (also known as NimDoor) to download additional malicious scripts from external servers.
  • SysPhon: Uses a lightweight version of RustBucket named SysPhon and SUGARLOADER, a loader known to have previously distributed KANDYKORN malware. Also featured in the Hidden Risk campaign, SysPhon is a downloader written in C++ that can perform reconnaissance and retrieve binary payloads from external servers.

[Figure: Overall behavior of the Zoom phishing site]

SilentSiphon has the ability to collect data from Apple Notes, Telegram, web browser extensions, credentials from browsers and password managers, and secrets stored in configuration files related to a long list of services: GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust Cargo, .NET NuGet, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, Akamai Linode, DigitalOcean API, Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio, CircleCI, Pulumi, HashiCorp, SSH, FTP, Sui blockchain, Solana, NEAR blockchain, Aptos blockchain, Algorand, Docker, Kubernetes, OpenAI.
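Most of the services in that list keep their tokens in a handful of well-known dotfiles, so a defender can inventory what a stealer running as the logged-in user would find and check that none of it is readable by other accounts. The following is an added example, not code from the article or from Kaspersky. The path table uses the tools' usual default locations on macOS and Linux and should be treated as an assumption for any tool you have not verified; `build_demo_home()` creates a throwaway home directory with placeholder files so the script runs offline.

```python
"""Inventory the local secret stores a credential stealer would harvest, and
report which exist and which are readable by other users on the host.

Added example: not code from the article or from Kaspersky. The paths are the
tools' usual default locations on macOS/Linux (an assumption for any tool you
have not checked); build_demo_home() is a constructed fixture."""
import os
import stat
import tempfile
from pathlib import Path

# Service name -> default secret file, relative to the user's home directory.
SECRET_STORES = {
    "GitHub CLI": ".config/gh/hosts.yml",
    "Git credential store": ".git-credentials",
    "npm": ".npmrc",
    "Yarn": ".yarnrc.yml",
    "pip": ".config/pip/pip.conf",
    "RubyGems": ".gem/credentials",
    "Cargo": ".cargo/credentials.toml",
    "NuGet": ".nuget/NuGet/NuGet.Config",
    "AWS": ".aws/credentials",
    "Google Cloud": ".config/gcloud/credentials.db",
    "Azure CLI": ".azure/msal_token_cache.json",
    "SSH": ".ssh/id_ed25519",
    "Docker": ".docker/config.json",
    "Kubernetes": ".kube/config",
    "Solana": ".config/solana/id.json",
}


def audit_secret_stores(home):
    """Return one record per secret store that exists under `home`."""
    home = Path(home)
    findings = []
    for service, rel in SECRET_STORES.items():
        path = home / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "service": service,
            "path": str(path),
            "mode": f"{mode:04o}",
            # Group- or world-readable: any other local account, or a process
            # running as one, can read the secret without escalating privileges.
            "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def summarize(findings):
    """Counts for a report: how many stores exist, which ones are over-exposed."""
    return {
        "present": len(findings),
        "exposed": sorted(f["service"] for f in findings if f["exposed"]),
    }


def build_demo_home(base):
    """Constructed fixture: a fake home directory with placeholder (non-secret)
    files, two of them deliberately left group/world-readable."""
    home = Path(base)
    demo = {
        ".aws/credentials": ("[default]\naws_access_key_id = PLACEHOLDER\n", 0o644),
        ".npmrc": ("//registry.npmjs.org/:_authToken=PLACEHOLDER\n", 0o644),
        ".ssh/id_ed25519": ("-----BEGIN PLACEHOLDER KEY-----\n", 0o600),
    }
    for rel, (content, mode) in demo.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)  # set explicitly so the umask does not decide
    return home


def demo():
    """Run the audit against the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return audit_secret_stores(build_demo_home(d))


if __name__ == "__main__":
    # Audit the real home directory; this only stats files, it never reads them.
    results = audit_secret_stores(Path.home())
    for f in results:
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{f['service']:<22} {f['mode']}  {flag:<8} {f['path']}")
    print(summarize(results))
```

On the fixture the audit reports three stores present and flags AWS and npm as exposed (mode 0644) while the 0600 SSH key passes. Permissions only help against other local accounts, of course; a stealer running as the victim reads the 0600 files too, which is the argument for short-lived tokens and hardware-backed keys over long-lived files.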

“The video feed of the fake call was recorded via a fabricated Zoom phishing page created by the perpetrators, while the meeting participants’ profile images appear to have been obtained from recruitment and social media platforms such as LinkedIn, Crunchbase, and X,” Kaspersky said. “Interestingly, some of these images [OpenAI] GPT-4o.”

GhostHire Campaign

The Russian cybersecurity company added that the GhostHire campaign also dates back to mid-2023, with the attackers initiating direct contact with targets on Telegram, sharing job details and a link to a LinkedIn profile masquerading as a recruiter from a US-based financial company, in an attempt to lend a semblance of legitimacy to the conversation.

“Tracking the initial communication, the attacker adds the target to the Telegram bot’s user list, which displays the logo of the spoofed company and falsely claims to streamline the technical evaluation of candidates,” Kaspersky explained.

[Figure: DownTroy delivery process in the GhostHire campaign]

“The bot then sends the victim an archive file (ZIP) containing the coding assessment project with a strict deadline (often around 30 minutes), pressuring the target to complete the task quickly. This urgency increases the likelihood that the target will execute malicious content, leading to an initial system compromise.”

Although the project itself is benign, it includes a malicious dependency in the form of a Go module (e.g., uniroute) hosted on GitHub that triggers the infection sequence when the project is run. This involves first identifying the victim computer’s operating system and then delivering the appropriate next-stage payload (i.e., DownTroy) written in PowerShell (Windows), bash (Linux), or AppleScript (macOS).
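The lesson for anyone handed a “coding assessment” under a 30-minute deadline is that `go run` executes every dependency’s code, so the dependency list deserves a look before the build does. The following is an added example, not code from the article or from Kaspersky: it parses a `go.mod`, flags modules outside a vetted allowlist, flags pseudo-versions (untagged commit hashes), and flags `replace` directives that silently redirect a module to a different repository. The sample `go.mod`, the allowlist and the `github.com/example-user/uniroute` path are constructed; only the module name “uniroute” comes from the article.

```python
"""Review a go.mod before running an untrusted project: list dependencies that
are not on a vetted allowlist, that are pinned to pseudo-versions (bare commit
hashes rather than released tags), or that are redirected by a replace
directive.

Added example: not code from the article or from Kaspersky. SAMPLE_GO_MOD,
TRUSTED_PREFIXES and the github.com/example-user path are constructed."""
import re

# Go pseudo-version forms: vX.Y.Z-yyyymmddhhmmss-abcdefabcdef, with optional
# "0." or "pre.0." segments after the dash for the other two variants.
PSEUDO_VERSION = re.compile(r"^v\d+\.\d+\.\d+-(?:0\.|pre\.0\.)?\d{14}-[0-9a-f]{12}$")

# Constructed allowlist; in practice an organisation-maintained list.
TRUSTED_PREFIXES = ("golang.org/x/", "github.com/gorilla/")

# Constructed go.mod resembling an assessment project with one odd dependency.
SAMPLE_GO_MOD = """\
module example.com/assessment

go 1.22

require (
    github.com/gorilla/mux v1.8.1
    github.com/example-user/uniroute v0.0.0-20250901120000-abcdef012345 // indirect
)

require golang.org/x/crypto v0.27.0

replace github.com/example-user/uniroute => github.com/other-user/uniroute v0.0.0-20250902080000-0123456789ab
"""


def _parse_replace(clause):
    """'old [v] => new [v]' -> (old_path, new_path, new_version_or_None)."""
    old, new = [s.strip() for s in clause.split("=>", 1)]
    new_parts = new.split()
    return old.split()[0], new_parts[0], (new_parts[1] if len(new_parts) > 1 else None)


def parse_go_mod(text):
    """Return ([(module, version)], [(old, new, version)]) from go.mod text,
    handling both single-line directives and parenthesised blocks."""
    requires, replaces = [], []
    block = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if block:
            if line == ")":
                block = None
            elif block == "require":
                parts = line.split()
                requires.append((parts[0], parts[1]))
            elif block == "replace":
                replaces.append(_parse_replace(line))
            continue
        if line.endswith("("):
            block = line[:-1].strip()
            continue
        parts = line.split()
        if parts[0] == "require" and len(parts) >= 3:
            requires.append((parts[1], parts[2]))
        elif parts[0] == "replace":
            replaces.append(_parse_replace(line[len("replace"):]))
    return requires, replaces


def review_dependencies(text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return findings worth a human look before the project is built or run."""
    requires, replaces = parse_go_mod(text)
    findings = []
    for module, version in requires:
        reasons = []
        if not module.startswith(trusted_prefixes):
            reasons.append("module path not in the vetted allowlist")
        if PSEUDO_VERSION.match(version):
            reasons.append("pseudo-version: pinned to a raw commit, not a released tag")
        if reasons:
            findings.append({"module": module, "version": version, "reasons": reasons})
    for old, new, version in replaces:
        reasons = [f"replace directive redirects the module to {new}"]
        if version and PSEUDO_VERSION.match(version):
            reasons.append("replacement pinned to a pseudo-version")
        findings.append({"module": old, "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_dependencies(SAMPLE_GO_MOD):
        print(f"{f['module']} {f['version'] or ''}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the sample this yields two findings: the `uniroute` requirement (unvetted host and a pseudo-version) and the `replace` that points it at a different repository, while `gorilla/mux` and `golang.org/x/crypto` pass. A pseudo-version is not malicious in itself, but an assessment project that needs an untagged commit from an unknown account is exactly the dependency to read before running.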

The Windows-targeted attack also introduced Go versions of RooTroy, RealTimeTroy, CosmicDoor, and a Rust-based loader named Bof, which is used to decode and launch an encrypted shellcode payload stored in the “C:\Windows\system32\” folder, via DownTroy.

[Figure: The entire Windows infection chain in the GhostHire campaign]

“Our investigation shows this threat actor’s continued efforts to organize through an integrated command and control infrastructure and develop malware targeting both Windows and macOS systems,” Kaspersky said. “The use of generative AI has significantly accelerated this process, allowing for more efficient malware development while reducing operational overhead.”

“Threat attacker targeting strategies have evolved beyond simple cryptocurrency or browser credential theft. Once they gain access, they engage in comprehensive data collection across a variety of assets, including infrastructure, collaboration tools, note-taking applications, development environments, and communication platforms (Messenger).”
