Concise Cyber

Researchers Expose BlueNoroff’s GhostCall and GhostHire Malware Campaigns Targeting Web3

New Malware Chains Linked to North Korean Actors

Cybersecurity researchers have uncovered two new malware campaigns, named GhostCall and GhostHire, targeting the Web3 and blockchain sectors. The activity is attributed to BlueNoroff, a known sub-cluster of the North Korea-linked Lazarus Group. According to a report from Kaspersky, these twin campaigns are part of a much larger, ongoing operation called SnatchCrypto, which has been active since at least 2017. BlueNoroff is a prolific threat actor also tracked under several aliases, including APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.

Global Reach and Specific Targets

The two campaigns have distinct geographical and technical targets. The GhostCall campaign has demonstrated a wide reach, with victims identified across numerous countries including Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong. This campaign heavily targets the macOS devices of executives working at technology companies and in the venture capital industry. The attackers employ social engineering tactics, directly approaching potential victims on platforms like Telegram to initiate the attack chain. In contrast, the GhostHire campaign has been observed focusing primarily on Japan and Australia. The exposure of these malware chains highlights the persistent threat posed by BlueNoroff to organizations involved in the cryptocurrency and financial technology spaces.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
