Fake recruiters with real malware: The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. Here BlueNoroff sets up fake developer tasks, often hosted on GitHub or shared via Telegram bots. “Based on historical attack cases of this campaign, we assess with medium confidence that this attack flow involving Telegram and GitHub represents the latest phase, which started no later than April this year,” researchers said.

Victims are told to complete a “coding challenge” for a potential employer, only to receive a ZIP archive or Git repository containing the malware. Once executed, GhostHire deploys system reconnaissance modules that determine the victim’s OS (macOS or Windows) and then selectively download the matching payload.

These payloads share the same modular DNA as GhostCall’s tools, designed to escalate privileges, capture credentials, and open backdoors. Researchers noted that the social engineering component is particularly convincing, with attackers sometimes maintaining week-long correspondence to earn the victim’s trust before deploying the payload. Recently, BlueNoroff and its parent, Lazarus Group, have expanded their operations with the $1.5 billion Bybit heist, npm supply-chain attacks, and Mac-focused malware targeting blockchain developers.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4081001/bluenoroff-reemerges-with-new-campaigns-for-crypto-theft-and-espionage.html