BlueNoroff Expands Cyberattacks with AI-Driven Campaigns Targeting Executives

BlueNoroff uses AI-driven attacks in GhostCall and GhostHire to target global crypto and tech executives.

Written By
Ken Underhill
Oct 29, 2025

Kaspersky's Global Research and Analysis Team (GReAT) has revealed new details about BlueNoroff, a subdivision of the North Korean Lazarus Group, and its latest campaigns: GhostCall and GhostHire.

Announced by Kaspersky researchers at the Security Analyst Summit in Thailand in October 2025, these operations demonstrate the group’s expanding use of artificial intelligence (AI) to develop advanced malware targeting organizations across multiple continents.

SnatchCrypto strikes across continents

Since April 2025, BlueNoroff has executed highly targeted campaigns against Web3 and cryptocurrency organizations in India, Turkey, Australia, and several European and Asian nations. 

The group’s attacks, part of its ongoing SnatchCrypto campaign, aim to infiltrate and exfiltrate data from companies involved in blockchain development, digital finance, and emerging crypto technologies.

BlueNoroff’s operations stand out for their dual-platform reach, targeting both Windows and macOS systems. 

These attacks are managed through a unified command-and-control infrastructure that enables centralized control of multiple infection chains. 

The result is an adaptable and persistent threat capable of compromising executives’ personal and corporate environments simultaneously.

GhostCall’s fake meetings, real malware

The GhostCall campaign focuses primarily on macOS users, employing a blend of social engineering and AI-powered deception. 

Attackers initiate contact via Telegram, impersonating venture capitalists or even using hijacked accounts of real entrepreneurs to propose partnerships or investments. 

Victims are lured into joining fake investment meetings hosted on phishing pages mimicking Zoom or Microsoft Teams.

During these staged calls, targets are prompted to install a supposed “update” to fix a technical issue. In reality, this installs a malicious script that deploys a multi-stage infection chain. Kaspersky researchers uncovered at least seven execution sequences, four of which were previously unknown. 

These payloads include cryptocurrency stealers, browser and Telegram credential extractors, and secrets stealers designed to harvest sensitive corporate data.

In one particularly sophisticated twist, attackers replayed videos of past victims to make the interactions appear authentic, deepening their psychological manipulation. 

According to Kaspersky researchers, this deliberate use of deception turns the data from each compromise into fuel for future attacks, extending the threat beyond the original target. 

GhostHire: When fake recruiters attack

The GhostHire campaign mirrors the tactics of GhostCall but focuses on developers and engineers. 

In this campaign, the attackers pose as recruiters for blockchain or technology firms, reaching out through social platforms and Telegram. 

Victims are invited to complete technical assessments by downloading a GitHub repository, which secretly contains malware tailored to their operating system.

Once executed, the malicious files install persistence mechanisms that allow ongoing surveillance and data exfiltration. 

The campaign uses the same command infrastructure as GhostCall, indicating a unified operation with multiple entry points.

Generative AI fuels smarter attacks

A defining characteristic of these campaigns is BlueNoroff’s integration of generative AI into its attack development and operational workflows. 

By automating code creation and analysis, AI accelerates the group’s malware evolution while reducing the need for manual effort. 

This AI-driven approach also enables more precise targeting. Compromised data from one attack is analyzed to generate profiles of high-value victims, allowing the group to personalize lures and infiltrate related organizations with surgical accuracy.

Building human and technical resilience

To defend against AI-enhanced campaigns like GhostCall and GhostHire, Kaspersky advises organizations to reinforce both technological and human defenses.  

  • Verify all unsolicited contacts: Be skeptical of investment offers or job opportunities received via Telegram, LinkedIn, or other social platforms. Confirm identities through trusted channels before responding.
  • Use secure communication platforms: Conduct sensitive business discussions only through verified, encrypted corporate tools. Avoid joining online meetings via unknown or redirected URLs.
  • Assume account compromise is possible: Even if a message appears to come from a known contact, confirm through a secondary method before downloading attachments or clicking links.
  • Enforce least-privilege access: Limit administrative privileges and monitor privileged accounts for abnormal activity.
  • Implement endpoint detection and response (EDR): Deploy advanced monitoring tools capable of identifying behavior anomalies associated with social engineering and credential theft.
  • Regularly patch systems: Keep operating systems and other software current to minimize exposure to known vulnerabilities.
  • Educate employees: Train staff to recognize phishing attempts, social engineering tactics, and the red flags of fraudulent recruitment or investment schemes.

Implementing these measures helps organizations reduce the risk of social engineering and credential theft by closing common human and technical attack paths.
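The "avoid unknown or redirected meeting URLs" advice can be enforced before anyone clicks. The check below is an added example, not code from Kaspersky or from the article; it assumes the organisation's approved meeting hosts are Zoom and Microsoft Teams (the services the GhostCall lures mimic) and flags lookalike hosts, credential-in-URL tricks and open-redirect parameters that bounce the visitor to a second site.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: only these meeting providers are approved for corporate calls.
# Host matching is suffix-based, so "us02web.zoom.us" passes but
# "zoom.us.join-meeting.example" or "zoom-us.com" do not.
ALLOWED_MEETING_SUFFIXES = ("zoom.us", "teams.microsoft.com")

# Query parameters that commonly carry an open redirect to another site.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}


def _host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    return any(host == s or host.endswith("." + s) for s in ALLOWED_MEETING_SUFFIXES)


def check_meeting_link(link: str) -> dict:
    """Return {'ok': bool, 'reasons': [...]} for a meeting invitation URL."""
    reasons = []
    try:
        parsed = urlparse(link.strip())
    except ValueError:
        return {"ok": False, "reasons": ["URL could not be parsed"]}

    if parsed.scheme.lower() != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'!r}, expected https")

    # urlparse puts anything before '@' into username/password, so a lure such as
    # https://zoom.us@evil.example/update resolves to host 'evil.example'.
    if parsed.username or parsed.password:
        reasons.append("credentials embedded before the host (lookalike trick)")

    host = parsed.hostname or ""
    if not host:
        reasons.append("no host in URL")
    elif not _host_allowed(host):
        reasons.append(f"host {host!r} is not an approved meeting provider")

    # A link on an approved host may still bounce the user elsewhere.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlparse(value).hostname
                if target and not _host_allowed(target):
                    reasons.append(f"parameter {key!r} redirects to {target!r}")

    return {"ok": not reasons, "reasons": reasons}
```

A mail or chat gateway can run this on every meeting link and replace a failing one with a warning, so the human check from the list above is backed by a mechanical one.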

BlueNoroff’s latest operations underscore a growing trend: AI is no longer just a defensive tool — it’s being weaponized to enhance deception and scale cybercrime. 

By combining psychological manipulation, automation, and advanced malware development, the group continues to blur the line between technical intrusion and social exploitation.

Organizations must assume that even trusted communications may be compromised. 

Proactive identity verification, behavioral monitoring, and layered security architectures remain the strongest defense against an increasingly intelligent adversary.

Zero-trust architecture helps bridge the gap between human vulnerability and machine-driven manipulation, ensuring every access request is authenticated and authorized.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

