A new wave of cyber-espionage operations linked to North Korea’s Lazarus Group has merged generative AI tools, fake recruitment scams, and multi-stage malware to breach systems across the globe. The campaigns — dubbed GhostCall and GhostHire — represent one of the most sophisticated cross-platform attack ecosystems yet observed, according to new research from Kaspersky.
North Korea’s Expanding Digital Frontline
Threat actors tied to North Korea have been observed targeting Web3, blockchain, and tech-sector firms through twin operations named GhostCall and GhostHire. Both are traced to BlueNoroff, a sub-cluster of the Lazarus Group known for long-running financial espionage missions under the codename SnatchCrypto.
The campaigns, active since mid-2023, have infected systems across Japan, France, India, Singapore, and the United States. Researchers say they mark a clear evolution in Lazarus’s strategy — from opportunistic cryptocurrency theft to targeted infiltration of corporate ecosystems.
“GhostCall heavily targets macOS devices of executives at tech companies and venture-capital firms by approaching them through Telegram and luring them into fake investment meetings hosted on Zoom,” said Kaspersky researchers Sojun Ryu and Omar Amin.
The GhostHire Deception
The GhostHire campaign masquerades as legitimate recruitment. Attackers initiate contact through Telegram or LinkedIn, posing as headhunters for financial institutions. The communication chain eventually directs victims to a Telegram bot mimicking a corporate assessment portal — complete with a forged company logo and purported technical assignments.
Victims are sent a ZIP file containing a coding test with a tight 30-minute deadline. That urgency, researchers note, pushes developers to execute the malicious content without scrutiny. Hidden within the project is a booby-trapped Go module hosted on GitHub, designed to detect the victim’s operating system and deploy an appropriate next-stage payload — DownTroy, RealTimeTroy, or RooTroy, depending on whether the target uses Windows, Linux, or macOS.
Once installed, these payloads can harvest data, launch shellcode loaders, and communicate with external servers through encrypted channels. The modular nature of the attack, Kaspersky said, “enables sustained access across different environments with minimal operator oversight.”
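The loader pattern described above, a Go module that runs on import and branches on the host OS, is something a recipient of such a "coding test" can screen for before building the project. The triage script below is an added example written for this article, not code from Kaspersky's report; the allow-list of trusted module prefixes and the sample go.mod and Go source are constructed for illustration.

```python
"""Triage a Go project before running it: list third-party modules that
are not on a trusted-prefix allow-list, and flag source files whose init()
(executed on import, before main) branches on runtime.GOOS or spawns a
process, the dispatch-by-OS loader shape described in the article."""
import re

# Assumption: a reviewer's own allow-list; extend to the team's known deps.
ALLOWED_PREFIXES = ("golang.org/x/", "google.golang.org/", "github.com/stretchr/")

RE_INIT = re.compile(r"\bfunc\s+init\s*\(\s*\)")
RE_GOOS = re.compile(r"runtime\.GOOS")
RE_EXEC = re.compile(r"exec\.Command")

def required_modules(go_mod: str) -> list[str]:
    """Return module paths from both single-line and block `require` forms."""
    mods, in_block = [], False
    for raw in go_mod.splitlines():
        toks = raw.split("//", 1)[0].split()          # drop comments
        if not toks:
            continue
        if toks[0] == "require":
            if len(toks) >= 2 and toks[1] == "(":
                in_block = True
            elif len(toks) >= 3:
                mods.append(toks[1])
        elif in_block:
            if toks[0] == ")":
                in_block = False
            elif len(toks) >= 2 and toks[1].startswith("v"):
                mods.append(toks[0])
    return mods

def untrusted_modules(go_mod: str, allowed=ALLOWED_PREFIXES) -> list[str]:
    return [m for m in required_modules(go_mod) if not m.startswith(allowed)]

def _init_body(src: str):
    """Return the brace-delimited body of init(), or None if there is none.
    Naive brace counting: a brace inside a string literal can skew it."""
    m = RE_INIT.search(src)
    if not m:
        return None
    i = src.find("{", m.end())
    depth = 0
    for j in range(i, len(src)):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return src[i:j + 1]
    return src[i:]

def suspicious_init(go_src: str) -> dict:
    body = _init_body(go_src)
    return {"has_init": body is not None,
            "goos_dispatch": bool(body and RE_GOOS.search(body)),
            "exec": bool(body and RE_EXEC.search(body))}

# Constructed sample inputs (the unknown-org module is not a real project).
SAMPLE_GO_MOD = """module example.com/assessment
go 1.22
require (
\tgithub.com/stretchr/testify v1.9.0
\tgithub.com/unknown-org/helper v0.1.3 // constructed
)
"""
SAMPLE_GO = """package helper
import ("os/exec"; "runtime")
func init() {
\tif runtime.GOOS == "darwin" { exec.Command("echo", "stage").Run() }
}
"""
```

Run it over every .go file and the go.mod in the archive; any non-empty `untrusted_modules` result or an init() with both flags set warrants a manual read of that dependency before `go run`.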
GhostCall and the Rise of AI-Enabled Intrusions
If GhostHire focuses on recruitment fraud, GhostCall turns collaboration tools into attack vectors. Victims are invited to join a fake Zoom or Microsoft Teams meeting. Within seconds, they are prompted to download a “security update” SDK — a decoy that installs the DownTroy AppleScript malware.
This AppleScript can bypass macOS transparency controls and install additional payloads such as ZoomClutch and TeamsClutch, which masquerade as legitimate conferencing tools while stealing system passwords.
Kaspersky’s report highlights the use of generative AI to streamline the creation of phishing content, fake recruiter profiles, and even deepfake-style meeting visuals.
“The use of generative AI has significantly accelerated this process, enabling more efficient malware development with reduced operational overhead,” the researchers noted.
A Unified Command-and-Control Web
At the heart of these campaigns lies a unified infrastructure linking GhostCall, GhostHire, and earlier Lazarus efforts like RustBucket and KandyKorn. Command servers coordinate payloads written in multiple languages — Go, Nim, Rust, and C++ — distributed across GitHub, Telegram bots, and cloud platforms.
One advanced stealer suite, SilentSiphon, is engineered to extract credentials and configuration data from services including GitHub, AWS, Google Cloud, Oracle Cloud, Docker, Kubernetes, and even OpenAI.
Experts believe this blending of automation, social engineering, and AI-generated content reflects the next frontier of state-backed cyber operations — one where human deception and machine intelligence converge to undermine digital trust at scale.