Going DNS Deep Diving Into GhostCall and GhostHire

2025-11-29 Whoisxmlapi

https://circleid.com/posts/going-dns-deep-diving-into-ghostcall-and-ghosthire


BlueNorroff's GhostCall operation targeted technology executives and venture capitalists on macOS by using Telegram-style investment lures and fake Zoom meetings that pushed victims to run a malicious update script. The script downloaded a ZIP payload and enabled theft of crypto wallet data, keychain contents, package-manager and infrastructure details, cloud and DevOps information, API keys, browser credentials, messenger data, Telegram data, and notes. GhostHire used recruitment-themed GitHub repositories disguised as Web3 developer assessments and worked across operating systems to steal sensitive data. Securelist linked GhostCall and GhostHire through shared infrastructure, and the DNS analysis expanded on 39 domain IOCs, suspicious update-themed domains, active resolving IPs, historical WHOIS connections, and DNS traffic involving 1,345 unique client IP addresses.

Indicators of Compromise

Type    Value            First Seen  Last Seen
DOMAIN  bydnib.com       2025-11-29  2025-11-29
IPv4    104.168.136.231  2025-11-29  2025-11-29
IPv4    172.236.126.225  2025-11-09  2025-11-29
IPv4    172.236.126.145  2025-11-09  2025-11-29
IPv4    172.236.126.142  2025-11-09  2025-11-29
DOMAIN  real-update.xyz  2025-10-28  2025-11-29
DOMAIN  system-update.xyz 2025-10-28 2025-11-29
DOMAIN  security-update.xyz 2025-10-28 2025-11-29
DOMAIN  autoupdate.xyz   2025-10-28  2025-11-29
IPv4    76.223.54.146    2017-05-23  2025-11-29
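The summary above notes that the DNS side of the analysis hinged on update-themed domains and their resolving IPs. The following is an added example, not code from the page or from WhoisXMLAPI, showing how a defender could sweep passive DNS or resolver logs against the IOC table printed above. The log line format (timestamp, client IP, queried name, answered IP), the sample log entries, and the "update-themed name" heuristic are all constructed for illustration; the registered-domain helper deliberately ignores the public suffix list and just takes the last two labels.

```python
import re
from dataclasses import dataclass
from datetime import date

# IOC table as printed on the page (type, value, first seen, last seen).
IOC_TABLE = """\
DOMAIN bydnib.com 2025-11-29 2025-11-29
IPv4 104.168.136.231 2025-11-29 2025-11-29
IPv4 172.236.126.225 2025-11-09 2025-11-29
IPv4 172.236.126.145 2025-11-09 2025-11-29
IPv4 172.236.126.142 2025-11-09 2025-11-29
DOMAIN real-update.xyz 2025-10-28 2025-11-29
DOMAIN system-update.xyz 2025-10-28 2025-11-29
DOMAIN security-update.xyz 2025-10-28 2025-11-29
DOMAIN autoupdate.xyz 2025-10-28 2025-11-29
IPv4 76.223.54.146 2017-05-23 2025-11-29
"""

# Constructed resolver log: "<timestamp> <client ip> <queried name> <answer ip>".
# Client and answer addresses outside the IOC table use documentation ranges.
SAMPLE_DNS_LOG = [
    "2025-11-30T10:00:01Z 10.0.0.5 api.example.net 192.0.2.10",
    "2025-11-30T10:00:02Z 10.0.0.7 cdn.real-update.xyz 172.236.126.225",
    "2025-11-30T10:00:03Z 10.0.0.9 meeting-update.xyz 203.0.113.9",
    "2025-11-30T10:00:04Z 10.0.0.5 example.com 104.168.136.231",
    "this line is malformed and is skipped",
]


@dataclass(frozen=True)
class Ioc:
    kind: str        # "DOMAIN" or "IPV4"
    value: str
    first_seen: date
    last_seen: date


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse the whitespace-separated IOC table into Ioc records."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers or blank lines
        kind, value, first, last = parts
        iocs.append(Ioc(kind.upper(), value.lower(),
                        date.fromisoformat(first), date.fromisoformat(last)))
    return iocs


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<answer>\S+)$")


def registered_domain(qname: str) -> str:
    """Naive registrable-domain guess: the last two labels (assumption, no PSL)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True when the query is the IOC domain itself or any subdomain of it."""
    return qname == ioc_domain or qname.endswith("." + ioc_domain)


def looks_like_update_lure(qname: str) -> bool:
    """Constructed heuristic: an 'update'-themed second-level label under .xyz,
    modelled on the update-themed .xyz domains in the IOC table."""
    sld, _, tld = registered_domain(qname).rpartition(".")
    return tld == "xyz" and "update" in sld


def scan_dns_log(lines: list[str], iocs: list[Ioc]) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, reasons) for every log line that touches an IOC
    domain, resolves to an IOC IP, or (failing both) matches the lure heuristic."""
    domains = [i.value for i in iocs if i.kind == "DOMAIN"]
    ips = {i.value for i in iocs if i.kind == "IPV4"}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        answer = m["answer"]
        reasons = [f"domain:{d}" for d in domains if domain_matches(qname, d)]
        if answer in ips:
            reasons.append(f"ip:{answer}")
        if not reasons and looks_like_update_lure(qname):
            reasons.append("heuristic:update-themed-name")
        if reasons:
            hits.append((m["client"], qname, reasons))
    return hits


def affected_clients(hits: list[tuple[str, str, list[str]]]) -> set[str]:
    """Distinct client IPs that produced at least one exact IOC match (heuristic-only hits excluded)."""
    return {client for client, _, reasons in hits
            if any(not r.startswith("heuristic:") for r in reasons)}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, parse_ioc_table(IOC_TABLE))
    for client, qname, reasons in found:
        print(client, qname, ", ".join(reasons))
    print("clients with exact IOC matches:", sorted(affected_clients(found)))
```

Exact domain and IP matches are the high-confidence signal; the heuristic hit is only a lead for triage, which is why affected_clients() leaves it out. Resolving IPs in the table can be shared hosting, so an IP-only hit should be checked against what the client actually queried before it is treated as a confirmed contact.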
