
Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Severity: Medium
Published: Tue Oct 28 2025 (10/28/2025, 03:41:57 UTC)
Source: AlienVault OTX General

Description

BlueNoroff is a financially motivated threat actor conducting sophisticated campaigns named GhostCall and GhostHire targeting macOS, Windows, and Linux systems. GhostCall focuses on tech executives and venture capitalists via fake Zoom-like meetings, while GhostHire targets Web3 developers through fraudulent recruitment processes. These campaigns deploy multi-stage malware including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon, leveraging social engineering and AI-generated images. The attacks aim beyond cryptocurrency theft, focusing on comprehensive data acquisition to enable supply chain attacks and exploit trust relationships. The threat involves complex malware chains and advanced persistence techniques, affecting high-value targets in the tech and crypto sectors. Exploitation requires user interaction but no prior authentication, increasing risk. The campaigns pose a medium severity threat with significant potential impact on confidentiality and integrity. European organizations involved in technology, venture capital, and blockchain development are particularly at risk, especially in countries with strong tech ecosystems. Mitigation requires targeted user awareness, enhanced endpoint detection, and strict verification of recruitment and meeting invitations.

AI-Powered Analysis

Last updated: 10/28/2025, 09:53:50 UTC

Technical Analysis

BlueNoroff, a financially motivated advanced persistent threat (APT) group, has launched two sophisticated campaigns named GhostCall and GhostHire. GhostCall targets macOS devices of technology executives and venture capitalists by impersonating Zoom-like meeting invitations, exploiting social engineering and AI-enhanced images to lure victims into executing multi-stage malware payloads. GhostHire targets Web3 developers through fake recruitment processes, similarly deploying complex malware chains. The malware families involved include ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon, which operate across Windows, macOS, and Linux platforms. These malware strains utilize advanced techniques such as process injection, persistence via scheduled tasks (T1053.005), credential dumping (T1003), and obfuscation (T1027). The campaigns leverage trusted communication channels and social engineering to bypass traditional security controls. BlueNoroff’s focus has expanded beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and exploitation of established trust relationships for broader operational impact. The attacks require user interaction but no prior authentication, increasing the attack surface. No known public exploits exist yet, but the multi-platform nature and targeting of high-value individuals and developers make this a significant threat vector.

Potential Impact

For European organizations, the impact of BlueNoroff’s campaigns could be substantial, particularly for those involved in technology development, venture capital, and blockchain/Web3 sectors. Compromise of executives and developers could lead to theft of sensitive intellectual property, financial assets, and strategic business information. The multi-stage malware deployment and data exfiltration capabilities could facilitate supply chain compromises, affecting downstream partners and customers. Loss of confidentiality and integrity of critical data could damage reputations and result in financial losses. The use of trusted communication channels and social engineering increases the likelihood of successful breaches, potentially disrupting business operations and undermining trust in digital collaboration tools. Given the cross-platform nature, organizations with heterogeneous environments are at greater risk. The threat could also impact regulatory compliance, especially under GDPR, if personal or sensitive data is exfiltrated.

Mitigation Recommendations

European organizations should implement targeted user awareness training focusing on recognizing sophisticated social engineering tactics, especially fake meeting invitations and recruitment communications. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying multi-stage malware behaviors and process injection techniques. Enforce strict verification protocols for external meeting invites and recruitment contacts, including out-of-band confirmation methods. Utilize application allowlisting and restrict execution of unknown binaries, particularly on macOS and Linux systems. Monitor for indicators of compromise related to the known malware families (ZoomClutch, DownTroy, CosmicDoor, RooTroy, SilentSiphon). Regularly audit and harden scheduled tasks and persistence mechanisms to detect unauthorized modifications. Employ network segmentation to limit lateral movement and data exfiltration. Collaborate with threat intelligence providers to stay updated on emerging indicators and tactics. Finally, conduct thorough vetting of supply chain partners and implement zero-trust principles to reduce the impact of potential supply chain attacks.
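To make the "monitor for indicators of compromise" recommendation concrete, here is an added example (not part of the pulse or the Securelist report) that checks proxy log lines against a subset of the domain and URL indicators listed on this page. It flags exact URL hits and subdomain hits under an indicator domain, while leaving the legitimate zoom.us alone; the log lines themselves are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Subset of the indicators from this pulse (GhostCall lure infrastructure).
INDICATORS = {
    "domain": {"web071zoom.us", "support.ms-live.us", "signsafe.xyz"},
    "url": {
        "http://web071zoom.us/fix/audio/4542828056",
        "https://support.ms-live.us/301631/check",
    },
}

# Constructed proxy log lines: "timestamp client method url status".
SAMPLE_LOG = [
    "2025-10-28T09:12:01Z 10.0.4.21 GET http://web071zoom.us/fix/audio/4542828056 200",
    "2025-10-28T09:12:05Z 10.0.4.21 GET https://zoom.us/j/123456 200",
    "2025-10-28T09:13:44Z 10.0.4.37 POST https://support.ms-live.us/301631/check 200",
    "2025-10-28T09:14:02Z 10.0.4.37 GET https://update.signsafe.xyz/update 404",
    "2025-10-28T09:15:10Z 10.0.4.50 GET https://example.com/ 200",
]

URL_RE = re.compile(r"https?://\S+")


def domain_hit(host, domains):
    """Return the indicator domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines, indicators):
    """Return (line, match_type, indicator) for every line touching an IoC."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            d = domain_hit(host, indicators["domain"])
            if url in indicators["url"]:
                hits.append((line, "url", url))  # exact lure/C2 URL seen
            elif d:
                hits.append((line, "domain", d))  # new path or subdomain on IoC domain
    return hits


if __name__ == "__main__":
    for line, kind, ioc in scan_log(SAMPLE_LOG, INDICATORS):
        print(f"[{kind}] {ioc} <- {line}")
```

The domain-suffix match matters because the pulse shows the actor rotating paths and hosts under the same registered domains, so an exact-URL blocklist alone would miss the fourth line.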


Technical Details

Author: AlienVault
TLP: white
References: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842
Adversary: BlueNoroff
Pulse Id: 69003b85c217870cc5794cc6
Threat Score: null

Indicators of Compromise
Threat ID: 69008f8b68b9eefb8dadcb41

Added to database: 10/28/2025, 9:40:27 AM

Last enriched: 10/28/2025, 9:53:50 AM

Last updated: 10/30/2025, 2:45:08 PM
