Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Oct. 28, 2025, 10:56 a.m.

Description

BlueNoroff, a financially motivated threat actor associated with the Lazarus group (the APT38 cluster listed under Attack Patterns below), is running two parallel campaigns tracked as GhostCall and GhostHire. GhostCall targets the macOS machines of technology executives and venture capitalists through fake Zoom- and Teams-style meetings; the indicator list shows the supporting infrastructure, including lookalike domains such as web071zoom.us serving "audio fix" paths under /fix/audio/. GhostHire targets Web3 developers through a fake recruitment process. Both campaigns rely on several modular malware chains, among them ZoomClutch and TeamsClutch (named for the meeting clients they imitate), DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The intrusions combine social engineering, AI-enhanced images, and multi-stage malware delivered to Windows, macOS, and Linux hosts. BlueNoroff has also widened its objective from cryptocurrency theft alone to broad data collection from compromised hosts, so that the trust relationships of one victim can be reused for supply chain attacks and follow-on lures against that victim's partners and contacts.

Date

  • Created: Oct. 28, 2025, 3:41 a.m.
  • Published: Oct. 28, 2025, 3:41 a.m.
  • Modified: Oct. 28, 2025, 10:56 a.m.

Indicators

  • ebaaf177e746f9f0e16c906f1ffea95af771252b07136ca6a13995508fce34aa
  • d5f41ea8dbf1ed159a0a4cfce563a917c1df32bb8ac8d321b4d3dcf67271dd25
  • bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053
  • bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc
  • b494a0ae421afe170f6cb9de2c1193a78fbe16f627f85139676afc5d9bfe93a2
  • b3cc15c1033de79024f9cf3cd6a6a7a9b7e54a1a57d3156036f5c05f541694b7
  • a6c1a7ce43b029a1ef4ae69b26f745440ecce8368c89f11ac999d4ed04a31572
  • 7ffc83877389ebb86d201749d73b5e3706490070015522805696c9b94fa95ccb
  • 74cbec210ba601caeb063d44e510fc012075b65a0482d3fa2d2d08837649356a
  • 71b743c529f0b27735f7774a0903cb908edc93423b60fe9be49a3729982d0e8d
  • 65b98ddc821212d13e0e64265353725f0adf6bcf3f4129c18d9d6327b8a69e11
  • 5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58
  • 5b77f83ecefa0e32ba922f61c9efff7f755ba51a010db844ca7e8ad3db28650a
  • 4451ee8bc53ea7c148d8348bc7b82aca9977bdd31c0156dfe25c4a879a1d2190
  • 41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f
  • 3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a
  • 0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df
  • c4db903322d17c8cbf1d1db55124854c0b070d6ece54162b6a4d06df24c572df
  • ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320
  • 3dd226d0b700f33974f409142defb62a8cd172ae5f2eb9beb7f5750eb1702e2a
  • 14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527
  • https://writeup.live/test
  • https://urgent-update.cloud/uploadfiles
  • https://support.ms-live.us/update/02583235891M49FYUN57
  • https://support.ms-live.us/301631/check
  • https://support.ms-live.us/register/22989524464UcX2b5w52
  • https://safeupload.online/uploadfiles
  • https://metamask.awaitingfor.site/update
  • https://safeup.store/test
  • https://flashserve.store/update
  • https://filedrive.online/uploadfiles
  • https://file-server.store/update
  • https://download.datatabletemplate.xyz/account/register/id=8118555902061899&secret=QwLoOZSDakFh.
  • https://dataupload.store/uploadfiles
  • https://cloud-server.store/update
  • https://chkactive.online/update
  • https://bots.autoupdate.online:8080/test
  • https://api.flashstore.sbs/uploadfiles
  • https://api.flashstore.sbs/test
  • https://api.clearit.sbs/uploadfiles
  • https://api.clearit.sbs/test
  • http://web071zoom.us/fix/audio/4542828056
  • http://web071zoom.us/fix/audio-tr/7217417464
  • http://web071zoom.us/fix/audio-fv/7217417464
  • http://web.commoncome.online:8080/client
  • http://signsafe.xyz/update
  • http://second.systemupdate.cloud/client
  • http://firstfromsep.online/client
  • http://first.longlastfor.online:8080/client
  • web.commoncome.online
  • system.updatecheck.store
  • support.video-meeting.online
  • support.ms-live.us
  • second.systemupdate.cloud
  • second.awaitingfor.online
  • root.security-update.xyz
  • root.chkstate.online
  • pre.alwayswait.site
  • first.system-update.xyz
  • first.longlastfor.online
  • download.face-online.world
  • download.datatabletemplate.xyz
  • check.datatabletemplate.shop
  • botsc.autoupdate.xyz
  • bots.autoupdate.online
  • backdoor.python.agent.br
  • api.flashstore.sbs
  • api.clearit.sbs
  • web071zoom.us
  • signsafe.site
  • signsafe.xyz
  • secondshop.store
  • secondshop.online
  • real-update.xyz
  • instant-update.online
  • flashserve.store
  • filedrive.online
  • file-server.store
  • cloud-server.store
  • chkactive.online
  • image-support.xyz
  • writeup.live
  • safeup.store
  • dataupload.store
  • metamask.awaitingfor.site
  • safeupload.online
  • safefor.xyz
  • readysafe.xyz
  • firstfromsep.online
  • swissborg.blog
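The indicator list above mixes three kinds of atomic IoCs (SHA-256 hashes, full URLs and bare domains), and the practical question for a defender is how to turn it into a detection that also catches subdomains of the listed names (a query for cdn.metamask.awaitingfor.site should hit the listed metamask.awaitingfor.site) without matching legitimate parents such as zoom.us. The script below is an added example, not code from the report or from this listing: it classifies a verbatim subset of the indicators, builds a watchlist, and runs it over constructed DNS, proxy and EDR log lines. The log format and field names (query, url, sha256) are assumptions; swap in your own parser for real logs.

```python
import re
from urllib.parse import urlsplit

# A subset of the indicators listed above, copied verbatim from the page.
# The full list can be pasted in place of this subset without other changes.
INDICATORS = [
    "ebaaf177e746f9f0e16c906f1ffea95af771252b07136ca6a13995508fce34aa",
    "https://support.ms-live.us/update/02583235891M49FYUN57",
    "https://support.ms-live.us/301631/check",
    "http://web071zoom.us/fix/audio/4542828056",
    "support.ms-live.us",
    "web071zoom.us",
    "metamask.awaitingfor.site",
    "backdoor.python.agent.br",
]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def classify(indicator):
    """Map one raw indicator to (kind, normalized_value); kind is sha256, url or domain."""
    # One URL in the page's list ends in '.', assumed to be listing punctuation,
    # not part of the path, so a trailing dot is stripped before classifying.
    value = indicator.strip().rstrip(".")
    if SHA256_RE.match(value):
        return "sha256", value.lower()
    if value.lower().startswith(("http://", "https://")):
        return "url", value
    return "domain", value.lower()


def build_watchlist(indicators):
    """Bucket indicators by kind; a URL indicator also contributes its host."""
    watchlist = {"sha256": set(), "url": set(), "domain": set()}
    for raw in indicators:
        kind, value = classify(raw)
        watchlist[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                watchlist["domain"].add(host)
    return watchlist


def domain_matches(host, domains):
    """Return the listed domain that host equals or sits under, else None."""
    # Walk the label suffixes: only a listed name or one of its subdomains
    # matches. The registrable parent (ms-live.us when only support.ms-live.us
    # is listed) does not, which keeps the check conservative.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed sample log lines (not from the report): a DNS query to a lookalike
# domain, one to the real zoom.us, a proxy request, an EDR file event with an
# upper-case hash, and a query to a subdomain of a listed name.
CONSTRUCTED_LOGS = [
    "dns client=10.0.0.12 query=web071zoom.us type=A",
    "dns client=10.0.0.12 query=zoom.us type=A",
    "proxy client=10.0.0.12 method=GET url=https://support.ms-live.us/301631/check status=200",
    "edr host=mac-ceo-01 file=/tmp/ZoomAudioFix sha256=EBAAF177E746F9F0E16C906F1FFEA95AF771252B07136CA6A13995508FCE34AA",
    "dns client=10.0.0.30 query=cdn.metamask.awaitingfor.site type=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_line(line, watchlist):
    """Return a list of (kind, matched_indicator) hits for one key=value log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    if "query" in fields:
        matched = domain_matches(fields["query"], watchlist["domain"])
        if matched:
            hits.append(("domain", matched))
    if "url" in fields:
        url = fields["url"]
        if url in watchlist["url"]:
            hits.append(("url", url))
        else:
            # Not an exact URL hit: fall back to the host against the domain list.
            host = urlsplit(url).hostname
            matched = domain_matches(host, watchlist["domain"]) if host else None
            if matched:
                hits.append(("domain", matched))
    if "sha256" in fields and fields["sha256"].lower() in watchlist["sha256"]:
        hits.append(("sha256", fields["sha256"].lower()))
    return hits


def scan(lines, watchlist):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = scan_line(line, watchlist)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    wl = build_watchlist(INDICATORS)
    for line, hits in scan(CONSTRUCTED_LOGS, wl):
        print(hits, "<-", line)
```

The suffix walk in domain_matches is the part worth keeping: it makes a listed domain cover its subdomains (which is how this actor rotates hostnames under one apex, e.g. first.longlastfor.online and second.awaitingfor.online) while a bare parent such as zoom.us or .us never matches. Hash comparison is case-insensitive because EDR products differ in the case they emit.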

Attack Patterns

  • SilentSiphon
  • SysPhon
  • SneakMain
  • RealTimeTroy
  • RooTroy
  • CosmicDoor
  • DownTroy
  • TeamsClutch
  • ZoomClutch
  • APT38

Additional Information

  • Technology
  • Finance
  • British Indian Ocean Territory
  • Sweden
  • Hong Kong
  • Singapore
  • India
  • Australia
  • Spain
  • Italy
  • Japan
  • France