Executive Summary

Two sophisticated and tightly coordinated malware chains — GhostCall and GhostHire — are attributed to BlueNoroff, a sub-group of Lazarus Group. These campaigns are designed to infiltrate organizations in the cryptocurrency and Web3 ecosystem, targeting executives and developers through social engineering lures.

The twin campaigns combine fake meeting invites and recruitment test assignments with multi-stage loaders, credential stealers, and cross-platform backdoors. They span both macOS and Windows environments, leveraging staged infection chains to achieve credential access, persistence, and data exfiltration.

Key malware components include:

• Initial downloaders/loaders: DownTroy, RooTroy
• Backdoors: CosmicDoor, RealTimeTroy, SneakMain
• Credential stealers: ZoomClutch, TeamsClutch
• Data theft tooling: SilentSiphon

Infrastructure observed across campaigns includes attacker-controlled domains used for payload staging and data exfiltration: dataupload.store, filedrive.online, and system.updatecheck.store.

1. Campaign Overview

Attribution

Both GhostCall and GhostHire are attributed to BlueNoroff, a financially motivated threat actor under Lazarus Group. Their operations have been corroborated by analyses from Kaspersky, Securelist, and Broadcom/Symantec.

Campaign Focus

• GhostCall: Targets executives using meeting-themed lures (Zoom, Teams)
• GhostHire: Targets developers using recruitment and test assignment lures

Target Demographics

High-value individuals within cryptocurrency, blockchain, and Web3 firms are the primary targets. The attackers leverage professional communication platforms such as LinkedIn and Telegram to initiate contact.

2. Initial Access & Social Engineering

GhostCall: Fake Meeting Lures

Attackers impersonate investors or startup founders, inviting executives to a “follow-up meeting” over Zoom or Teams. Victims are prompted to install a malicious “update” client to proceed with the call. The fake installer executes the DownTroy downloader, initiating the infection chain.

GhostHire: Recruitment & Test Assignments

Developers receive fake job offers and test assignments hosted on GitHub or sent via messaging apps. These “test projects” contain malicious executables that launch RooTroy loaders and establish persistence.

Both campaigns rely on spearphishing attachments (T1566.001) and spearphishing via service (T1192). Execution depends on user execution (T1204) through deceptive meeting clients or assignment scripts.

‍

3. Malware Chain Architecture

‍

‍

‍

‍

4. MITRE ATT&CK Technique Mapping

‍

5. Platform-Specific Insights

macOS

• AppleScript and bundle-based loaders impersonate Zoom/Teams clients.
• Persistence via login items and LaunchAgents.
• Data theft modules target browser credentials and wallet extensions.

Windows

• Script-driven loaders establish persistence via Scheduled Tasks.
• Employs UAC bypass and process injection.
• Communication secured via HTTPS or WebSockets.

6. Infrastructure and Indicators of Compromise (IOCs)

Observed Domains:

• dataupload.store
• filedrive.online
• system.updatecheck.store

Associated Malware Families:

• DownTroy, RooTroy, CosmicDoor, RealTimeTroy, ZoomClutch, TeamsClutch, SilentSiphon, SneakMain

These domains act as payload delivery, update staging, and data exfiltration points.

7. Detection and Response Guidance

Network & Infrastructure

• Block or monitor communication with known C2 and staging domains.
• Inspect outbound HTTPS/WebSocket traffic to new or untrusted domains.
• Enforce DNS RPZ and egress filtering for update-related URLs.

Endpoint & EDR

• Alert on unsigned or AppleScript-based applications making external network calls.
• Monitor for PowerShell/curl/wget usage downloading executables or modifying system directories.
• Look for process injection patterns into legitimate binaries.
• Detect persistence via LaunchAgents (macOS) or Scheduled Tasks (Windows).

Human and Organizational Safeguards

• Train employees to verify meeting invites and recruiter messages.
• Validate out-of-band any investor/recruiter identity.
• Developers should sandbox or code-review external test assignments before running.
• Restrict AppleScript or unsigned app execution across endpoints.

8. Strategic Takeaways

1. Human-Centric Entry Points: GhostCall and GhostHire exploit human trust through professional outreach, not zero-day exploits.
2. Cross-Platform Reach: BlueNoroff’s toolkit equally targets macOS and Windows, leveraging native persistence features on both.
3. AI-Enhanced Deception: Generative AI assists in crafting polished fake profiles, code tests, and communication, improving lure realism.
4. Broader Objective: Credential and wallet theft expand into full developer and cloud compromise, affecting both individuals and organizations.
5. Defensive Imperative: Combine human training, endpoint visibility, and network-level monitoring to counter these campaigns.

9. Recommended Next Steps

• Immediately block the identified domains at DNS and network egress layers.
• Initiate EDR hunts for known malware components and persistence indicators.
• Conduct awareness sessions for executive and development teams.
• Implement sandboxing and restricted execution for external code and meeting apps.
• Develop a forensic triage SOP for suspected infections: collect volatile data, review login items, and analyze recent collaboration app logs.

References

• The Hacker News: "Researchers Expose GhostCall and GhostHire: BlueNoroff’s New Malware Chains"
• Kaspersky Securelist Analysis
• Broadcom/Symantec Threat Intelligence Report

‍