Overview
- Kaspersky GReAT detailed the campaigns at the Security Analyst Summit 2025 and on Securelist, attributing them to BlueNoroff, which it links to Lazarus.
- GhostCall targets company executives on macOS, impersonating investors and using fake Teams or Zoom sites that push bogus updates to install malware.
- GhostHire targets blockchain developers through job-offer lures delivered via Telegram bots and GitHub test tasks that compromise the device when the task is executed.
- Investigators report at least seven distinct infection chains across the activity, including four not previously documented, operated through a common management setup.
- The tools aim to steal cryptocurrency, credentials and sensitive secrets, and Kaspersky urges role-specific awareness training plus modern protections on corporate endpoints, with extra attention to executive macOS devices.