Kaspersky SAS 2025 – BlueNoroff APT group's GhostCall and GhostHire cyberattack campaigns leveraged AI-driven tools to target victims
Alongside deep intelligence about the connections between the Dante spyware and Memento Labs, experts at Kaspersky SAS 2025 also shared in-depth detail about recent activity attributed to the BlueNoroff APT group, which has leveraged AI to target cryptocurrency organisations, blockchain developers and executives via two sweeping cyberattack campaigns designated GhostCall and GhostHire.
For the uninitiated, BlueNoroff is a subdivision of the Lazarus group. In the GhostCall and GhostHire campaigns, BlueNoroff employs sophisticated new attacks and malware that can engage and compromise both macOS and Windows systems, all managed through a unified command-and-control infrastructure.
According to security analysts, the GhostCall and GhostHire campaigns specifically target Web3 and cryptocurrency organisations across Europe and Asia from April 2025 onwards, including attacks in India, Turkey and Australia. But what are GhostCall and GhostHire exactly?
Kaspersky SAS 2025 – BlueNoroff and GhostCall
For GhostCall, the attackers placed emphasis on macOS devices, leveraging social engineering to deliver the payload. The attack begins with a targeted Telegram message sent from accounts that mimic venture capitalists or other important personalities, promoting investment or partnership opportunities.
As an added measure of sophistication, GhostCall also used compromised accounts of real entrepreneurs and startup founders, adding a veneer of plausibility to attacks.
Victims are then invited to fake investment meetings on phishing sites that mimic Zoom or Microsoft Teams functionality where they are prompted to ‘update’ their client to fix an audio issue which actually downloads and deploys a malware payload on the device.

Once access has been gained to a targeted device, the attackers deploy seven multi-stage execution chains, four of which had not been identified before, to distribute customised payloads to the target.
Among the malware payloads detected on targeted devices are browser credential stealers, Telegram credential stealers and crypto stealers. Any one of these is dangerous; taken together they can prove to be a nightmare for any organisation or individual that isn't on their toes.

Sojun Ryu, Senior Security Researcher at Kaspersky GReAT
“This campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organizations and users,” comments Sojun Ryu, senior security researcher at Kaspersky GReAT.
Kaspersky SAS 2025 – BlueNoroff and GhostHire
In the case of BlueNoroff's targeted GhostHire campaigns, the APT again relies on social engineering to deploy malicious payloads. By posing as recruiters to blockchain developers and engineers, the attackers persuade, cajole and otherwise get victims to download and run a GitHub repository that looks like a skill test but which actually contains malware.

According to Kaspersky GReAT security analysts, the GhostHire campaign shares a number of tools and infrastructure with the GhostCall campaign, but rather than leveraging video calls, it tailors its social engineering to its target audience by mimicking a recruitment drive. Once the APT makes contact with a target, the target is added to a Telegram bot that delivers a ZIP file or GitHub link containing a fake skill-based test with a short deadline.
Once executed, the malware installs itself and begins its work. What makes it particularly dangerous is that BlueNoroff used generative AI to speed up malware development and to refine its attack techniques, introducing new programming languages and new features that complicate detection and analysis. With generative AI, the threat actors are also able to scale up the complexity and intensity of attacks, which can prove to be a long-term nightmare.
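The GhostHire lure described above delivers a repository that the target is expected to run under time pressure. As an added example, not code from Kaspersky or from the article, the following Python script is the kind of pre-run triage a developer or security team can apply to any unsolicited "skill test" before executing it: it lists the places where code would run automatically (npm lifecycle hooks, a VS Code task that runs on folder open) and flags download-and-run idioms in scripts. The hook locations and patterns are an assumption about common triggers; the article does not state how the GhostHire malware is launched. The sample repository built by `build_sample_repo()` is constructed for the demonstration.

```python
"""Pre-run triage for an unsolicited code repository.

Added example (not Kaspersky's code). Assumes the common auto-execution triggers
listed below; the article does not describe how the GhostHire payload is started.
"""
import json
import os
import re
import tempfile

# npm runs these scripts during `npm install` without the developer invoking them.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish", "prepublishOnly")

# Idioms that commonly hide a download-and-run step inside an ordinary-looking script.
SUSPICIOUS = [
    (re.compile(r"curl[^\n|]*\|\s*(ba)?sh"), "curl piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64 decode on the command line"),
    (re.compile(r"\beval\s*\(\s*(atob|Buffer\.from)"), "eval of decoded data"),
    (re.compile(r"child_process|os\.system|subprocess"), "spawns a process"),
]

TEXT_EXT = (".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".json", ".yml", ".yaml")


def scan_package_json(path, rel):
    """Report every npm lifecycle hook defined in package.json."""
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (ValueError, OSError):
        return [(rel, "unparseable package.json")]
    return [(rel, f"npm lifecycle hook '{h}': {scripts[h]}") for h in NPM_HOOKS if h in scripts]


def scan_text(path, rel):
    """Flag auto-run editor tasks and download-and-run idioms in a text file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    findings = []
    # VS Code runs a task marked runOn: folderOpen when the folder is opened.
    # tasks.json permits comments, so it is matched with a regex rather than json.load.
    if rel.endswith(".vscode/tasks.json") and re.search(r'"runOn"\s*:\s*"folderOpen"', text):
        findings.append((rel, "VS Code task runs on folder open"))
    for pattern, label in SUSPICIOUS:
        if pattern.search(text):
            findings.append((rel, label))
    return findings


def scan_repo(root):
    """Walk a checked-out repository and return sorted (relative path, finding) pairs."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "package.json":
                findings.update(scan_package_json(path, rel))
            if name.endswith(TEXT_EXT):
                findings.update(scan_text(path, rel))
    return sorted(findings)


def build_sample_repo():
    """Write a constructed sample 'skill test' repository to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="skilltest-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, "src"))
    files = {
        "README.md": "# Coding challenge\nRun `npm install && npm start` and submit within 24h.\n",
        "package.json": json.dumps({"name": "challenge", "scripts": {
            "start": "node src/index.js", "postinstall": "node setup.js"}}),
        # Constructed: decodes and evaluates a string at install time.
        "setup.js": 'const payload = "Y29uc29sZS5sb2coJ2hpJyk=";\n'
                    'eval(Buffer.from(payload, "base64").toString());\n',
        "src/index.js": 'console.log("solve the task here");\n',
        ".vscode/tasks.json": '// constructed sample\n{"version": "2.0.0", "tasks": [{"label": "prep",'
                              ' "type": "shell", "command": "node setup.js",'
                              ' "runOptions": {"runOn": "folderOpen"}}]}\n',
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_repo(build_sample_repo()):
        print(f"{rel}: {finding}")
```

Run it against a real checkout with `scan_repo("/path/to/unpacked-repo")`; anything it reports should be read before `npm install`, before opening the folder in an editor with automatic tasks enabled, and ideally only inside a disposable VM.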

Omar Amin, Senior Security Researcher at Kaspersky GReAT
“Since its previous campaigns, the threat actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting. By combining compromised data with AI’s analytical capabilities, the scope of these attacks has expanded. We hope our research will contribute to preventing further harm,” comments Omar Amin, senior security researcher at Kaspersky GReAT.
Stay tuned for more updates from Kaspersky SAS 2025! In the meantime, keep up with the latest cybersecurity details at the Kaspersky Threat Intelligence Portal here.
