{"id":433743,"date":"2025-10-28T16:22:42","date_gmt":"2025-10-28T13:22:42","guid":{"rendered":"https:\/\/menatech.net\/en\/?p=433743"},"modified":"2025-11-11T17:02:25","modified_gmt":"2025-11-11T14:02:25","slug":"hacker-group-targeting-crypto-executives-with-ai-driven-tools-warns-kaspersky","status":"publish","type":"post","link":"https:\/\/menatech.net\/en\/hacker-group-targeting-crypto-executives-with-ai-driven-tools-warns-kaspersky\/","title":{"rendered":"Hacker group targeting crypto executives with AI-driven tools, warns Kaspersky"},"content":{"rendered":"<p style=\"font-weight: 400;\">Kaspersky\u2019s Global Research and Analysis Team (GReAT) revealed the latest BlueNoroff APT activity through two highly targeted malicious campaigns, \u2018GhostCall\u2019 and \u2018GhostHire\u2019. The ongoing operations have targeted Web3 and cryptocurrency organizations across India, Turkey, Australia, and other countries in Europe and Asia since at least April 2025.\u00a0The announcement was made at the <a href=\"https:\/\/thesascon.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Security Analyst Summit<\/a> in Thailand, of which MENA TECH is the exclusive Middle East media partner.<\/p>\n<p>BlueNoroff, a branch of the notorious Lazarus group, continues to expand its signature \u2018SnatchCrypto\u2019 campaign,\u00a0a financially\u00a0driven operation targeting the global crypto industry. The newly revealed GhostCall and GhostHire campaigns use new infiltration methods and customized malware to compromise blockchain developers and executives. These attacks mainly target macOS and Windows systems and are managed through a centralized command-and-control infrastructure.<\/p>\n<p style=\"font-weight: 400;\">The GhostCall campaign targets macOS devices, beginning with a highly sophisticated, personalized social engineering attack. 
The attackers contact victims through Telegram, impersonating venture capitalists and sometimes using compromised accounts of real entrepreneurs and startup founders to promote investment or partnership opportunities. The victims are invited to fake investment meetings on phishing sites that mimic Zoom or Microsoft Teams, during which they are prompted to \u201cupdate\u201d their client to resolve an audio issue. This action downloads a malicious script and installs malware on the device.<\/p>\n<p style=\"font-weight: 400;\"><em>\u201cThis campaign relied on deliberate and carefully planned deception. Attackers replayed videos of previous victims during staged meetings to make the interaction appear like a real call and manipulate new targets. The data collected in this process is then used not only against the initial victim but also exploited to enable subsequent and supply-chain attacks, leveraging established trust relationships to compromise a broader range of organizations and users,\u201d <\/em>comments Sojun Ryu, security researcher at Kaspersky GReAT.<\/p>\n<p style=\"font-weight: 400;\">Attackers used seven multi-stage execution chains, four of which were previously unseen, to distribute a variety of new customized payloads, including crypto stealers, browser credential stealers, secrets stealers, and Telegram credential stealers.\u00a0<\/p>\n<p style=\"font-weight: 400;\"><img class=\"aligncenter size-medium_large wp-image-433744\" src=\"https:\/\/cdn.menatech.net\/wp-content\/uploads\/sites\/2\/2025\/10\/GhostCall-campaign-attack-flow-W-768x227.png\" alt=\"GhostCall campaign attack flow\" width=\"768\" height=\"227\" \/><\/p>\n
<p style=\"font-weight: 400;\">In the GhostHire campaign, the APT targets blockchain developers by posing as recruiters. Victims are deceived into downloading and executing a GitHub repository containing malware, presented as a skill assessment. GhostHire shares its infrastructure and tools with the GhostCall campaign, but instead of using video calls, it focuses on approaching hands-on developers and engineers through fake recruitment efforts. After initial contact, victims are added to a Telegram bot that delivers either a ZIP file or a GitHub link, along with a short deadline to complete the task. 
Once run, the malware installs itself on the victim\u2019s machine, tailored for the operating system.<\/p>\n<p style=\"font-weight: 400;\"><img class=\"aligncenter size-medium_large wp-image-433745\" src=\"https:\/\/cdn.menatech.net\/wp-content\/uploads\/sites\/2\/2025\/10\/GhostHire-campaign-attack-flow-W-768x192.png\" alt=\"GhostHire campaign attack flow\" width=\"768\" height=\"192\" \/><\/p>\n<p style=\"font-weight: 400;\">The use of generative AI has enabled BlueNoroff to accelerate malware development and refine its attack methods. The attackers introduced new programming languages and added extra features, making detection and analysis harder. Generative AI also helps the actor manage and grow its operations, increasing both the complexity and extent of attacks.\u00a0<\/p>\n<p style=\"font-weight: 400;\"><em>\u201cSince its previous campaigns, the threat actor\u2019s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. 
The use of generative AI has significantly accelerated this process, enabling easier malware development with reduced operational overhead. This AI-driven approach helps to fill the gaps in available information, enabling more focused targeting. By combining compromised data with AI\u2019s analytical capabilities, the scope of these attacks has expanded. We hope our research will contribute to preventing further harm,<\/em>\u201d comments Omar Amin, senior security researcher at Kaspersky GReAT.<\/p>\n<p style=\"font-weight: 400;\">More information, together with the indicators of compromise, is available in a report on <a href=\"https:\/\/securelist.com\/bluenoroff-apt-campaigns-ghostcall-and-ghosthire\/117842\/\" rel=\"nofollow noopener\" target=\"_blank\">Securelist.com<\/a>.<\/p>\n<p style=\"font-weight: 400;\">To stay protected from attacks such as GhostCall and GhostHire, organizations are advised to follow these best practices:<\/p>\n<ul>\n<li>Be cautious with generous offers and investment proposals. Verify the identity of every new contact, especially those reaching out via Telegram, LinkedIn, or other social platforms. Use verified and secure corporate channels for all sensitive communications.<\/li>\n<li>Consider the possibility that a trusted contact\u2019s account might be compromised. Confirm identities through alternative channels before opening any files or links, always ensuring you&#8217;re on an official domain. Do not run unverified scripts or commands to fix issues.<\/li>\n<li>To safeguard the company against various threats, utilize solutions from the <a href=\"https:\/\/www.kaspersky.com\/next\" rel=\"nofollow noopener\" target=\"_blank\">Kaspersky Next<\/a> product line that offer real-time protection, threat visibility, and the investigation and response capabilities of EDR and XDR for organizations of any size and industry. 
Based on your current needs and available resources, you can select the most appropriate product tier and easily upgrade to another as your cybersecurity requirements evolve.<\/li>\n<li>Adopt managed security services covering the entire incident management cycle \u2013 from threat identification to continuous protection and remediation.\u00a0 They help protect against evasive cyberattacks, investigate incidents, and provide additional expertise, even when a company lacks cybersecurity workers.<\/li>\n<li>Give your InfoSec professionals comprehensive visibility into cyber threats targeting your organization. The latest <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence\" rel=\"nofollow noopener\" target=\"_blank\">Kaspersky Threat Intelligence<\/a> offers detailed and relevant context throughout the entire incident management cycle, helping them identify cyber risks promptly.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky\u2019s Global Research and Analysis Team (GReAT) revealed the latest BlueNoroff APT activity through two highly targeted malicious campaigns, \u2018GhostCall\u2019 and \u2018GhostHire\u2019. 
The ongoing operations have targeted Web3 and cryptocurrency organizations across India, Turkey, Australia, and other countries in Europe and Asia since at least April 2025.\u00a0The announcement was made at the Security Analyst Summit [&hellip;]<\/p>\n","protected":false},"author":254,"featured_media":433746,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":[],"meta":{"_acf_changed":false,"_breakdance_hide_in_design_set":false,"_breakdance_tags":"","footnotes":""},"categories":[29330],"tags":[29420,29380,29405,29382],"audience-intent":[],"content-types":[],"country":[],"entity":[],"persona":[],"class_list":["post-433743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business","tag-crypto","tag-cybersecurity","tag-enterprise-news","tag-fintech"],"acf":[],"_links":{"self":[{"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/posts\/433743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/users\/254"}],"replies":[{"embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/comments?post=433743"}],"version-history":[{"count":0,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/posts\/433743\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/media\/433746"}],"wp:attachment":[{"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/media?parent=433743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/categories?post=433743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/tags?post=433743"},{"taxonomy":"audience-intent","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/audience-inte
nt?post=433743"},{"taxonomy":"content-types","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/content-types?post=433743"},{"taxonomy":"country","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/country?post=433743"},{"taxonomy":"entity","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/entity?post=433743"},{"taxonomy":"format","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/format?post=433743"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/menatech.net\/en\/wp-json\/wp\/v2\/persona?post=433743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}