BlueNoroff's latest campaigns: GhostCall and GhostHire
2025-10-28 • Kaspersky
https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
BlueNoroff, also tracked as APT38, Sapphire Sleet, Alluring Pisces, Stardust Chollima, and TA444, is described as continuing SnatchCrypto operations against Web3 and blockchain developers, executives, venture capital targets, and technology companies. GhostCall uses Telegram outreach, investment or partnership lures, Calendly scheduling, and fake Zoom or Microsoft Teams meeting sites that replay secretly recorded victim webcam footage before prompting a malicious macOS AppleScript update or a Windows ClickFix-style clipboard command. The macOS chains download staged AppleScripts, fake Zoom or Teams applications, DownTroy components, stealers, and keyloggers that collect cryptocurrency wallet data, Keychain material, DevOps and cloud secrets, notes, OpenAI API keys, browser credentials, messenger data, and Telegram artifacts. GhostHire targets Web3 developers through fake recruiting and timed coding assessments delivered by a Telegram bot as ZIP files or GitHub repositories; payloads are selected by user agent, and the campaign shares structural similarities and identical malware with GhostCall. The report matters for DPRK-focused tracking because it shows BlueNoroff refining social engineering, macOS tradecraft, fake meeting infrastructure, and credential-theft capabilities around cryptocurrency and startup-sector targets.
Indicators of Compromise