On December 9, the Global Research and Analysis Team (GReAT) of cybersecurity company Kaspersky revealed the latest activities of the APT group BlueNoroff, carried out through two sophisticated targeted attack campaigns, GhostCall and GhostHire.
These campaigns target Web3 and cryptocurrency organizations in India, Turkey, Australia and many countries in Europe and Asia, and have been taking place since at least April 2025.
The GhostCall and GhostHire campaigns are said to use new intrusion techniques and custom-designed malware, aiming to penetrate developers' systems and to target senior leaders of blockchain organizations and businesses. These attacks mainly targeted the macOS and Windows operating systems and were coordinated through a unified command-and-control infrastructure.
The use of generative AI has helped BlueNoroff speed up malware development and refine its attack techniques. The attacker added new programming languages and more features to make detection and analysis more difficult. AI also helps the group manage and expand its operations more effectively, further increasing the sophistication and range of its attacks.
Since previous campaigns, the attack group's targeting tactics have developed beyond the scope of stealing cryptocurrency or browser login information, said Omar Amin, senior security expert at Kaspersky GReAT. The use of generative AI has accelerated this process, making it easier for them to develop malware and reduce operating costs, expanding the scope of attacks.
To protect against attacks like GhostCall and GhostHire, organizations are recommended to take the following measures:
- Be careful with attractive offers or investment proposals. Always verify the identity of any new contact, especially one who reaches you via Telegram, LinkedIn or another social media platform. Use authenticated and secure internal communication channels for exchanges containing sensitive information.
- Always consider the possibility that an acquaintance's account has been taken over. Verify through another communication channel before opening any file or link, and make sure the domain name you are accessing is the correct official one. Avoid running unverified code or commands just to correct an error.
- Use cybersecurity solutions that provide real-time protection, threat monitoring, investigation and rapid response capabilities for businesses of all sizes and sectors.
- Use Managed Security Services that provide solutions for comprehensively resolving incidents, from detecting threats to continuous protection and remediation, helping businesses fight sophisticated attacks, investigate incidents and add expertise, even when they lack specialized personnel in charge of cyber security.
- Equip the information security (InfoSec) team with the ability to closely observe the threats targeting the organization.