Researchers noted that the new campaigns highlight BlueNoroff’s shift toward modular malware, cross-platform threats, and highly tailored targeting of the blockchain space. The malware samples were found written in multiple programming languages, including Go, Rust, Nim, and AppleScript, reflecting an added technical layer in the group’s operations.
Compromise through fake “investor meetings”
In the GhostCall campaign, BlueNoroff poses as venture capitalists or startup founders seeking to “invest” in blockchain projects. The attackers set up fake video meetings via platforms like Zoom or Teams, luring victims into a false sense of legitimacy.
During or after these calls, the victim is asked to install a supposed “update” or “plugin” to improve connection quality. The file, of course, is malicious–triggering a chain of implants such as DownTroy, CosmicDoor, and Rootroy, each performing specialized tasks like credential theft, keylogging, or persistence.