← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
BlueNoroff Group cryptoaffair: "ghost" investments and bogus job offers
WHITE BlueNoroff PetrP.73 2025-11-12 Modified: 2025-12-12
188
IOCs
HIGH VOLUME
The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.
apple macosaptbluenoroffchatgptgithublinuxmicrosoft windowstelegramwindowsapplescriptzoomcosmicdoordowntroyrootroygillyinjectorbase64macosrustpythonswiftpowershellpathmachosapphiredownexecexodustargetagentinstallerdittoeffectinstallpremiumzerokonnithemidalsassexodus web3lazarushuntressnimc httpsgoogie llcteamsclutchmicrosoft teamsdowntroy v1safariupdate
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (57 / 188 total)
All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 00dd47af3db45548d2722fe8a4489508 2025-11-12
FileHash-MD5 01d3ed1c228f09d8e56bfbc5f5622a6c 2025-11-12
FileHash-MD5 0af11f610da1f691e43173d44643283f 2025-11-12
FileHash-MD5 0ca37675d75af0e7def0025cd564d6c5 2025-11-12
FileHash-MD5 10cd1ef394bc2a2d8d8f2558b73ac7b8 2025-11-12
FileHash-MD5 1243968876262c3ad4250e1371447b23 2025-11-12
FileHash-MD5 1653d75d579872fadec1f22cf7fee3c0 2025-11-12
FileHash-MD5 17baae144d383e4dc32f1bf69700e587 2025-11-12
FileHash-MD5 19a7e16332a6860b65e6944f1f3c5001 2025-11-12
FileHash-MD5 1ee10fa01587cec51f455ceec779a160 2025-11-12
FileHash-MD5 261a409946b6b4d9ce706242a76134e3 2025-11-12
FileHash-MD5 2b499eb3865a7ef17264d15252b7f73e 2025-11-12
FileHash-MD5 2c42253ebf9a743814b9b16a89522bef 2025-11-12
FileHash-MD5 31b88dd319af8e4b8a96fc9732ebc708 2025-11-12
FileHash-MD5 358c2969041c8be74ce478edb2ffcd19 2025-11-12
FileHash-MD5 389447013870120775556bb4519dba97 2025-11-12
FileHash-MD5 38c8d80dd32d00e9c9440a498f7dd739 2025-11-12
FileHash-MD5 3bbe4dfe3134c8a7928d10c948e20bee 2025-11-12
FileHash-MD5 50f341b24cb75f37d042d1e5f9e3e5aa 2025-11-12
FileHash-MD5 529fe6eff1cf452680976087e2250c02 2025-11-12
FileHash-MD5 5ad40a5fd18a1b57b69c44bc2963dc6b 2025-11-12
FileHash-MD5 5cb4f0084f3c25e640952753ed5b25d0 2025-11-12
FileHash-MD5 60bfe4f378e9f5a84183ac505a032228 2025-11-12
FileHash-MD5 6348b49f3499d760797247b94385fda3 2025-11-12
FileHash-MD5 6422795a6df10c45c1006f92d686ee7e 2025-11-12
FileHash-MD5 6aa93664b4852cb5bad84ba1a187f645 2025-11-12
FileHash-MD5 7168ce5c6e5545a5b389db09c90038da 2025-11-12
FileHash-MD5 73d26eb56e5a3426884733c104c3f625 2025-11-12
FileHash-MD5 7581854ff6c890684823f3aed03c210f 2025-11-12
FileHash-MD5 76ace3a6892c25512b17ed42ac2ebd05 2025-11-12
FileHash-MD5 7e50c3f301dd045eb189ba1644ded155 2025-11-12
FileHash-MD5 7f94ed2d5f566c12de5ebe4b5e3d8aa3 2025-11-12
FileHash-MD5 8006efb8dd703073197e5a27682b35bf 2025-11-12
FileHash-MD5 8f8942cd14f646f59729f83cbd4c357b 2025-11-12
FileHash-MD5 931cec3c80c78d233e3602a042a2e71b 2025-11-12
FileHash-MD5 9551b4af789b2db563f9452eaf46b6aa 2025-11-12
FileHash-MD5 963f473f1734d8b3fbb8c9a227c06d07 2025-11-12
FileHash-MD5 a070b77c5028d7a5d2895f1c9d35016f 2025-11-12
FileHash-MD5 a0eb7e480752d494709c63aa35ccf36c 2025-11-12
FileHash-MD5 a26f2b97ca4e2b4b5d58933900f02131 2025-11-12
FileHash-MD5 a6ce961f487b4cbdfe68d0a249647c48 2025-11-12
FileHash-MD5 ab1e8693931f8c694247d96cf5a85197 2025-11-12
FileHash-MD5 b2e9a6412fd7c068a5d7c38d0afd946f 2025-11-12
FileHash-MD5 b567bfdaac131a2d8a23ad8fd450a31d 2025-11-12
FileHash-MD5 c42c7a2ea1c2f00dddb0cc4c8bfb5bcf 2025-11-12
FileHash-MD5 c446682f33641cff21083ac2ce477dbe 2025-11-12
FileHash-MD5 c6f0c8d41b9ad4f079161548d2435d80 2025-11-12
FileHash-MD5 d63805e89053716b6ab93ce6decf8450 2025-11-12
FileHash-MD5 d8529855fab4b4aa6c2b34449cb3b9fb 2025-11-12
FileHash-MD5 de93e85199240de761a8ba0a56f0088d 2025-11-12
FileHash-MD5 e33f942cf1479ca8530a916868bad954 2025-11-12
FileHash-MD5 e8680d17fba6425e4a9bb552fb8db2b1 2025-11-12
FileHash-MD5 e9fdd703e60b31eb803b1b59985cabec 2025-11-12
FileHash-MD5 eda0525c078f5a216a977bc64e86160a 2025-11-12
FileHash-MD5 f1bad0efbd3bd5a4202fe740756f977a 2025-11-12
FileHash-MD5 f1d2af27b13cd3424556b18dfd3cf83f 2025-11-12
FileHash-MD5 f8bb2528bf35f8c11fbc4369e68c4038 2025-11-12
References (1)
↗ https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/