AI Deception: BlueNoroff APT Uses Fake Zoom Calls to Hack Web3 Executives
The BlueNoroff group — long linked to Lazarus — has begun incorporating generative AI into operations targeting executives and developers of blockchain projects, Kaspersky GReAT researchers reported at the Security Analyst Summit 2025 in Thailand. Since April 2025 they have observed two active campaigns, GhostCall and GhostHire, aimed at cryptocurrency and Web3 organisations across India, Turkey, Australia and multiple countries in Europe and Asia. The intrusions affect both macOS and Windows hosts and are orchestrated through a common infrastructure.
BlueNoroff continues to evolve its broader SnatchCrypto effort against firms dealing in cryptocurrencies, DeFi and smart contracts; GhostCall and GhostHire introduce fresh intrusion techniques and malware produced with AI assistance.
GhostCall focuses on macOS endpoints and relies on highly polished social-engineering scripts. Attackers contact victims via Telegram, posing as venture capital investors—and sometimes operating from compromised accounts of real entrepreneurs—to lure targets into faux “investment meetings” hosted on counterfeit Zoom- or Teams-like web pages. During the staged call victims are prompted to “update the client to fix an audio issue,” which triggers the download of a malicious script.
To lend plausibility, adversaries play pre-recorded video segments during these staged meetings, creating the illusion of live dialogue. These recordings are subsequently leveraged in supply-chain style operations, exploiting trust between partners and contractors to widen the infection footprint.
Kaspersky’s analysis shows GhostCall distributed new classes of malware — including tools for stealing cryptocurrency, exfiltrating Telegram data and harvesting browser credentials. The investigators identified seven complex infection chains, four of which appear previously unseen.
GhostHire is tailored to blockchain developers. Attackers masquerade as recruiters offering a “test task” and send a link to a GitHub repository that conceals a malicious payload; executing the test infects the victim’s system. The campaign also employs Telegram bots and fabricated job listings. To accelerate compromise, attackers artificially constrain the time allotted for the test, coercing rushed actions and bypassing careful verification.
Both campaigns share tooling and backend infrastructure. Compared with earlier BlueNoroff activity, these operations are larger and more sophisticated: the use of generative AI accelerates malware development, broadens programming-language support and expands functionality, all of which increase stealth and complicate forensic analysis. Researchers warn that attackers now leverage AI not only to produce malicious code but to analyse intelligence, select targets with surgical precision, and scale campaigns more effectively.