BlueNoroff GhostCall and GhostHire Web3/blockchain targeting campaign
Campaign
Summary
The BlueNoroff-linked GhostCall and GhostHire campaigns are actively targeting the Web3 and blockchain sectors, putting executives, venture capital staff, and developers at risk across macOS and Windows. The operation has been active since at least mid-2023 and spans victims in multiple countries. Attackers use Telegram, fake Zoom/Microsoft Teams lures, and booby-trapped GitHub projects to push victims into infection chains. The result is a sustained cross-platform campaign aimed at credential theft and follow-on compromise.
Related Happenings
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score: 37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources: 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score: 24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources: 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score: 30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources: 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
Campaign
H score: 33
First: 04.06.2026 14:19
Last: 04.06.2026 14:19
Sources: 1
About this happening:
A **macOS malvertising campaign** is delivering **FlutterShell** through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across **the U.S., Canada...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score: 39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources: 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Timeline
- 28.10.2025 18:12 · 1 article
BlueNoroff-linked GhostCall and GhostHire disclosure
Initial Disclosure: Kaspersky says North Korea-linked BlueNoroff, a Lazarus Group sub-cluster also known as APT38, is running the GhostCall and GhostHire campaigns as part of SnatchCrypto, which has been underway since at least 2017. The operations target Web3 and blockchain victims through Telegram contact, fake Zoom and Microsoft Teams phishing pages, and booby-trapped GitHub projects, with activity reported across macOS and Windows targets in multiple countries.
Sources:
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12