Security researchers say a North Korea–linked Lazarus sub-group (known as BlueNoroff and by multiple APT aliases) is running twin campaigns — GhostCall and GhostHire — aimed at the Web3 and blockchain ecosystem.

Kaspersky ties the activity to a long-running operation dubbed SnatchCrypto (observed since at least 2017) and reports that victims span macOS and Windows hosts across Japan, Australia and several other countries, with Web3 developers and VC/tech executives singled out.

GhostCall uses social engineering on platforms like Telegram to invite targets to fake investment meetings that appear as live Zoom (and more recently Microsoft Teams) calls. Victims who try to “update” the meeting client are tricked into running AppleScript (or PowerShell on Windows) droppers — notably the DownTroy family — that install backdoors and steal a wide array of secrets (password managers, cloud credentials, developer tokens and blockchain keys). Researchers say the campaign leverages recorded feeds of real victims, staged SDK prompts, and multi-stage implants capable of escalating privileges and exfiltrating data.

GhostHire approaches prospective hires on Telegram with bogus recruiter profiles and a time-pressured coding assessment that includes a booby-trapped GitHub dependency. Executing the assessment triggers OS-specific payloads that deploy the same DownTroy-led toolset and additional backdoors (RooTroy, RealTimeTroy, CosmicDoor, etc.). Kaspersky and other vendors have been tracking the activity since April 2025 (with GhostCall active since mid-2023), warning that the group’s use of generative AI and cross-platform loaders has accelerated malware development and broadened its data-theft objectives beyond simple crypto theft.
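The GhostHire lure above turns on a dependency that runs code the moment the candidate installs or executes the assessment. The article does not say which package ecosystem was involved; the script below is an added defender-side example (not from the original article or from Kaspersky) that assumes an npm-style `package.json`, where lifecycle scripts such as `postinstall` execute automatically during `npm install` and where a dependency value can point at a git or HTTP URL instead of the public registry. It flags both patterns so they can be reviewed before anything is installed. The sample manifest, the package name `chain-utils` and the organisation `example-org` are constructed for the example.

```python
"""Flag install-time code paths in an npm-style package.json.

Added example, not code from the original article. It ASSUMES the
assessment ships an npm manifest; the article does not state the
ecosystem. Run it on the assessment repo before `npm install`.
"""
import json
import re
import sys

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that resolve outside the public registry:
# git URLs, github: shorthand, bare "owner/repo" shorthand, HTTP tarballs, local paths.
NON_REGISTRY = re.compile(
    r"^(git\+|git:|github:|https?://|file:|[\w.-]+/[\w.-]+(#.*)?$)"
)


def scan_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one parsed manifest."""
    findings = []

    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time script '{hook}': {scripts[hook]}")

    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (manifest.get(section) or {}).items():
            if NON_REGISTRY.match(str(spec)):
                findings.append(
                    f"{section}/{name} resolves outside the registry: {spec}"
                )
    return findings


# Constructed sample manifest: a plausible "coding test" layout, not a real artefact.
SAMPLE_MANIFEST = {
    "name": "coding-assessment",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node setup.js",  # runs on install, before any test is executed
    },
    "dependencies": {
        "express": "^4.18.2",                                   # ordinary registry dep
        "chain-utils": "github:example-org/chain-utils#main",   # fetched from GitHub
    },
}


def main(argv: list) -> int:
    """Scan the package.json given on the command line, or the sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            manifest = json.load(fh)
    else:
        manifest = SAMPLE_MANIFEST

    findings = scan_manifest(manifest)
    for line in findings:
        print("REVIEW:", line)
    if not findings:
        print("no install-time hooks or non-registry dependencies found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python scan_manifest.py path/to/package.json`. A non-zero exit means something needs a human look; an empty result only means the manifest itself is clean, not that the registry packages it names are safe.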
