LmCast :: Stay tuned in

North Korea's BlueNoroff Expands Scope of Crypto Heists

Recorded: Oct. 29, 2025, 3:40 p.m.

Original

North Korea's BlueNoroff Expands Scope of Crypto Heists

Two campaigns targeting fintech execs and Web3 developers show the APT going cross-platform in financially motivated campaigns that use fake business collaboration and job recruitment lures.

Elizabeth Montalbano, Contributing Writer
October 28, 2025
5 Min Read
Source: DD Images via Shutterstock

North Korean advanced persistent threat (APT) Blue Noroff continues to hammer macOS platforms in its quest to steal cryptocurrency and fund the regime of Kim Jong-Un. However, analysis of two fresh campaigns this year demonstrates that the group is shifting its focus to Windows platforms and other endeavors, too, as well as bolstering its use of generative AI in creating new malware.

BlueNoroff, which is also known as Sapphire Sleet, APT38, and other names, has quietly been executing its two-year (and counting) SnatchCrypto operation through two campaigns, dubbed GhostCall and GhostHire by researchers at Kaspersky, who have been tracking the campaigns since April and outlined their latest findings in a blog post published today. The first campaign targets technology and venture capital (VC) executives and the second targets Web3 developers, both using sophisticated social engineering and various malware to steal credentials and other data from victims.

BlueNoroff is already well known among security researchers as a North Korean actor focused on financial gain by targeting financial institutions, such as banks, VC firms, crypto exchanges, and startups, as well as the individuals who use them. This year's campaigns demonstrate the actor continuing to evolve beyond its focused targeting of macOS platforms as it experiments with AI to streamline operations and uses advanced malware to achieve its financial aims, according to Kaspersky.

"Our research indicates a sustained effort by the actor to develop malware targeting both Windows and macOS systems, orchestrated through a unified command-and-control (C2) infrastructure," Kaspersky's Sojun Ryu wrote in the post. "The use of generative AI has significantly accelerated this process, enabling more efficient malware development with reduced operational overhead."

Blue Noroff also shows signs of expanding beyond its usual efforts to steal credentials and crypto into "comprehensive data acquisition across a range of assets, with the intent of exploiting the data not only against the initial target but also to facilitate subsequent attacks," he wrote. This can enable the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users.

GhostCall Expands Its Authenticity

The GhostCall campaign targets macOS devices of tech and venture capital executives through platforms such as Telegram, inviting them to collaborate on a potential investment opportunity or partnership. In some cases, the messages come from the compromised accounts of real entrepreneurs and startup founders, lending them authenticity, Ryu said.

These messages are linked to Zoom-like phishing websites, on which a victim can join a fake call "with genuine recordings of this threat's other actual victims rather than deepfakes," Ryu wrote in the post. If the call proceeds smoothly, the perpetrator encourages the user to update the Zoom client with a script that eventually downloads zip files that lead to the infection chain, he said.

Kaspersky acknowledged that various security researchers from Microsoft, Huntability, Huntress, Field Effect, and SentinelOne also have been tracking and already published findings on GhostCall, though not under that name. Kaspersky's reporting covers new malware chains and insights into the campaign.

For instance, in September Kaspersky discovered that the group shifted to using Microsoft Teams as a platform for the fake meetings. "Upon entering the meeting room, a prompt specific to the target's operating system appears almost immediately after the background video starts — unlike before," Ryu wrote. "While this is largely similar to Zoom, macOS users also see a separate prompt asking them to download the SDK file."

The researchers also observed various malware being dispatched via a multistage execution process. Payloads in the campaign include the DownTroy malware loader, RealTimeTroy backdoor, SilentSiphon multicredential stealer, and the CosmicDoor remote-control malware, among others.

Fake Recruiters Go Cross-Platform

GhostHire, meanwhile, approaches Web3 developers and tricks targets into downloading and executing a GitHub repository containing malware under the guise of assessing their skills during the job-recruitment process. Indeed, North Korean threat actors are infamous for using job recruitment as a lure, and have even successfully been hired for freelance jobs themselves to try to infiltrate US organizations.

The latest incarnation of the GhostHire campaign demonstrates cross-platform capability, as it chooses its ultimate payload according to the user agent, "which identifies the operating system being used by the victim," Ryu wrote.

After initial contact and a brief screening, the "recruiter" adds the user to a Telegram bot, which then sends either a zip file or a GitHub link, after which the applicant has 30 minutes to complete a task. This puts pressure on the victim to quickly run a malicious project that, once executed, downloads the payload onto the user's system.

"The project delivered through the ZIP file appears to be a legitimate DeFi-related project written in Go, aiming at routing cryptocurrency transactions across various protocols," Ryu wrote. "The main project code relies on an external malicious dependency specified in the go.mod file, rather than embedding malicious code directly into the project's own files."

The external project used by Blue Noroff in the campaign is named uniroute, and was published in the official Go packages repository on April 9 of this year, he added. Other malware distributed in GhostHire is similar to that of GhostCall, including DownTroy and RealTimeTroy, as well as a Windows version of CosmicDoor, among others.

Expansion of Kim-Supported Efforts

Blue Noroff's malicious activity this year on behalf of North Korea's leader demonstrates that the group is widening its tool set and expanding into platforms beyond macOS, as well as honing its use of social engineering and AI to move more quickly and with more agility, according to Kaspersky.

"The AI-powered, tailored approach enables the attackers to convincingly disguise themselves, operating with detailed information, allowing for more meticulous targeted attacks," Ryu wrote. "By combining compromised data with AI's analytical and productive capabilities, the actor's attack success rate has demonstrably increased."

To help defenders track Blue Noroff, Kaspersky published a comprehensive list of indicators of compromise in the blog post, including ones associated with the various malware deployed in the campaigns. In general, any business professional should be wary of being propositioned or contacted by people they don't know with employment offers or opportunities to collaborate, and should always verify the identity and authenticity of those soliciting them before engaging.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Summarized

Blue Noroff, the North Korean advanced persistent threat also called Sapphire Sleet or APT38, has been persistently targeting financial services, venture capital firms, crypto exchanges and startups for over two years, mainly on macOS devices. Two new campaigns, dubbed GhostCall and GhostHire, demonstrate that the actor is broadening its reach to Windows platforms and adopting generative-AI techniques to accelerate malware development and social-engineering attacks. The evolution is highlighted by the addition of novel malware strains (DownTroy, RealTimeTroy, SilentSiphon, and CosmicDoor) alongside existing toolkits, and a refined use of command-and-control infrastructure that spans both operating systems.

GhostCall has been refined to masquerade as legitimate investment or partnership conversations on Telegram, often using compromised accounts of real entrepreneurs to gain credibility. The attackers lure tech and venture-capital executives into what appear to be Zoom or Microsoft Teams meetings. Once a target joins the call, a system-specific prompt appears almost immediately: macOS users see a prompt to download an SDK, Windows users a similar installer, and either triggers a download of a zipped archive containing a chain of malicious payloads. The investigators at Kaspersky identified that the initial delivery leverages a multi-stage execution path comprising the DownTroy loader, which hands off control to the RealTimeTroy backdoor, while a SilentSiphon component steals credential sets. The CosmicDoor malware arrives later, providing remote-control capabilities. Microsoft, Huntability, Huntress, Field Effect and SentinelOne had also been tracking this progression, though not under the GhostCall moniker, underscoring the campaign's breadth.

GhostHire, by contrast, targets Web3 developers via a fake recruitment process. After a short initial screening, the recruiter adds the applicant to a Telegram bot that sends a zip file or a GitHub link containing a Go-based DeFi project designed to route cryptocurrency transactions across multiple protocols. The malicious payload is not embedded directly within the project's own code; instead, it is supplied as an external dependency referenced in the go.mod file, a technique that obscures the malicious nature of the project. The dependency, named uniroute, was published publicly on April 9 and is subsequently executed when a developer attempts to compile or run the project. The attacker also uses a cross-platform approach: a Windows-specific CosmicDoor payload is delivered for Windows users, while macOS users receive a variant of SilentSiphon or DownTroy. The pressure of a limited 30-minute window and a competitive job offer pushes victims toward executing the malicious code before the deadline, thereby maximizing infection rates.

In addition to these social-engineering vectors, Blue Noroff is expanding beyond credential theft to comprehensive data acquisition. The actor now seeks to collect "comprehensive data across a range of assets," providing the potential to launch supply-chain or follow-up attacks that exploit stolen data or established trust relationships. The integration of generative AI is seen as a key driver of this expansion, enabling rapid malware iteration, tailored phishing messages, and a higher success rate in deceiving a wider range of targets. Kaspersky's Sojun Ryu underscores that generative AI has "significantly accelerated the process, enabling more efficient malware development with reduced operational overhead."

The group's campaigns are well documented, and the analysts have listed indicators of compromise specific to each payload and delivery channel. Affected organizations should be wary of unsolicited collaboration or job offers from unfamiliar parties, even if the messages appear to come through legitimate channels like Telegram, Zoom, or Teams. Verification of the source and the authenticity of the opportunity is essential, as is caution when encountering seemingly legitimate GitHub repositories or Go modules with unfamiliar external dependencies.
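The GhostHire paragraph above describes the malicious code arriving as an external require in go.mod rather than in the project's files, and the paragraph just above recommends caution with unfamiliar external dependencies. The following is an added example, not code from the article, from Kaspersky, or from any project it describes: a small Go pre-build check that lists the direct requires of a go.mod (both single-line and block form, skipping entries marked indirect) and reports any that fall outside an allowlist of module prefixes the reviewer trusts. The go.mod text, the module paths (including the example.org/uniroute path, which only echoes the name the article gives and is not the real module path) and the allowlist are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod modelled on the lure described in the
// article: a DeFi routing project whose suspicious element is one external
// require. All module paths below are made up for illustration; the real
// path of the uniroute module is not given in the article.
const sampleGoMod = `module example.com/defi-router

go 1.22

require (
	github.com/ethereum/go-ethereum v1.13.0
	golang.org/x/crypto v0.21.0
	example.org/uniroute v0.1.3
	github.com/stretchr/testify v1.9.0 // indirect
)

require example.net/fastmath v0.0.2
`

// trustedPrefixes is an assumed allowlist a reviewing team would maintain.
// Anything outside it is reported for manual review before `go run`, not
// silently blocked.
var trustedPrefixes = []string{
	"github.com/ethereum/",
	"golang.org/x/",
	"github.com/stretchr/",
}

// directRequires returns every direct (non-indirect) module path named in the
// require directives of a go.mod, handling both single-line and block form.
func directRequires(gomod string) []string {
	var out []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		var path string
		switch {
		case inBlock && len(fields) >= 2:
			path = fields[0] // "<module> <version> [// indirect]"
		case !inBlock && len(fields) >= 3 && fields[0] == "require":
			path = fields[1] // "require <module> <version>"
		default:
			continue
		}
		// Indirect requires are pulled in by trusted direct deps; the direct
		// list is what a reviewer must vet by hand.
		if strings.Contains(line, "// indirect") {
			continue
		}
		out = append(out, path)
	}
	return out
}

// unfamiliar returns the module paths that match none of the trusted prefixes.
func unfamiliar(paths []string, trusted []string) []string {
	var flagged []string
	for _, p := range paths {
		known := false
		for _, t := range trusted {
			if strings.HasPrefix(p, t) {
				known = true
				break
			}
		}
		if !known {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

func main() {
	for _, p := range unfamiliar(directRequires(sampleGoMod), trustedPrefixes) {
		fmt.Println("review before building:", p)
	}
}
```

Run against the constructed go.mod, the check prints the two unfamiliar direct requires (example.org/uniroute and example.net/fastmath) and stays silent on the allowlisted ones. The design choice is to make the review step explicit and fast: a package named in go.mod is fetched and its init code runs as soon as the project is built or executed, which is exactly the 30-minute-deadline window the article describes, so the check is meant to be run on the unpacked project before any go command is issued.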

Elizabeth Montalbano, contributing writer for this piece, consolidates the findings from Kaspersky's research and other security observers to paint a clear picture of an actor that is both financially motivated and technologically sophisticated. The article stresses that, while macOS remains a primary focus, the shift toward Windows and cross-platform infiltration marks a significant broadening of Blue Noroff's operational scope. The inclusion of generative AI and more elaborate social-engineering schemes illustrates the group's adaptive strategy, making its threats more efficient and harder to detect.

In summary, Blue Noroff is advancing its ransomware, data-exfiltration, and crypto-theft operations by expanding platform support, refining social-engineering lures, and embracing AI-enabled malware development. The GhostCall and GhostHire campaigns showcase a cross-platform, AI-driven assault that leverages legitimate-looking collaboration or recruitment prompts to deliver malicious code, underscoring the need for heightened vigilance among professionals in technology, venture capital, and the broader crypto ecosystem.