BlueNoroff GhostCall and GhostHire Web3/blockchain targeting campaign
Campaign
Summary
Hide ▲
Show ▼
The BlueNoroff-linked GhostCall and GhostHire campaigns are actively targeting the Web3 and blockchain sectors, putting executives, venture capital staff, and developers at risk across macOS and Windows. The operation has been active since at least mid-2023 and spans victims in multiple countries. Attackers use Telegram, fake Zoom/Microsoft Teams lures, and booby-trapped GitHub projects to push victims into infection chains. The result is a sustained cross-platform campaign aimed at credential theft and follow-on compromise.
Related Happenings
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
Timeline
-
28.10.2025 18:12 1 articles · 8mo ago
BlueNoroff-linked GhostCall and GhostHire disclosure
Initial DisclosureKaspersky says North Korea-linked BlueNoroff, a Lazarus Group sub-cluster also known as APT38, is running the GhostCall and GhostHire campaigns as part of SnatchCrypto, which has been underway since at least 2017. The operations target Web3 and blockchain victims through Telegram contact, fake Zoom and Microsoft Teams phishing pages, and booby-trapped GitHub projects, with activity reported across macOS and Windows targets in multiple countries.
Show sources
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12