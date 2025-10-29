North Korean hacking operation BlueNoroff, also known as APT38, Sapphire Sleet, CryptoCore, and CageyChameleon, has targeted multiple sectors in two parallel attack campaigns that form part of the SnatchCrypto operation, which has been running for roughly eight years, The Hacker News reports.

Executives at tech firms and venture capital companies in Japan, Italy, France, Sweden, Spain, Turkey, India, Hong Kong, and Singapore had their macOS systems compromised in BlueNoroff's GhostCall campaign, according to an analysis from Kaspersky. The attackers used Telegram to invite executives to investment-related meetings, with links that redirected to fraudulent Zoom pages. Those pages urged victims to download a purported SDK that was in fact malicious, which in turn retrieved a malicious AppleScript file.

That file fetches the DownTroy AppleScript, which deploys CosmicDoor, ZoomClutch or TeamsClutch, RooTroy, RealTimeTroy, and four other payloads. In the separate GhostHire campaign, BlueNoroff primarily targeted Web3 developers and the blockchain industry, distributing via Telegram a malicious ZIP file containing DownTroy.

Windows machines were then infected with Go-based CosmicDoor, RealTimeTroy, and RooTroy payloads, as well as the Rust-based Bof loader. Researchers noted that generative artificial intelligence had significantly sped up BlueNoroff's development of its macOS- and Windows-targeting malware.