Friday, April 17, 2026

"One Video Interview and They Take Everything": North Korean Hacking Tactics Grow More Sophisticated

Published: 2026-04-17 07:00:00
Updated: 2026-04-17 07:00:00
Hacker illustration. Newsis

North Korea's hacking organizations are reportedly using fake video conferences and job interviews to seize control of entire digital environments. Analysts say they are now combining generative artificial intelligence (generative AI) with these attacks, further increasing their success rate and raising the overall threat level.
According to cybersecurity industry sources on the 17th, Kaspersky has released an analysis report on the GhostCall and Ghost Hire campaigns, which are linked to BlueNoroff's SnatchCrypto operation targeting virtual assets.
The report found that BlueNoroff has expanded its attacks beyond simply targeting virtual asset wallets. The group now aims to take over the entire digital work environment, including email, messengers, cloud services, and artificial intelligence service accounts. In particular, it has been focusing on people working in Web3 and the blockchain sector.
The GhostCall campaign uses fake video conferences. Attackers pose as investors or entrepreneurs via Telegram and send forged video meeting links. When a victim joins, they are shown a recording of a previous victim, making them believe it is a live meeting, and are then lured into installing malware.
During this process, the attackers display familiar prompts such as "Zoom SDK update" to lower the victim's guard. Once clicked, the prompt downloads malware tailored to the victim's operating system. In macOS environments, the attack can even bypass Transparency, Consent, and Control (TCC), the core security system that governs access to personal data, to gain camera, microphone, and document access permissions.
The Ghost Hire campaign exploits recruitment processes. Attackers impersonate hiring managers at global financial firms and approach developers, then trick them into running a project that contains malicious code under the guise of a coding test. They also apply psychological pressure by demanding submissions within 30 minutes, pushing victims to execute the files without proper verification.
Once a victim is exposed to such an attack, the damage goes far beyond simple account theft. Hackers can gain access not only to virtual asset wallets but also to email, Telegram, cloud services, and tools such as ChatGPT, effectively taking control of the victim's entire digital work environment.
The stolen information is used not only to directly steal cryptocurrency but also to spread further attacks through the victim's accounts. In some cases, a victim's video conference footage is reused to deceive new targets, and compromised developer accounts and Application Programming Interface (API) keys could potentially be leveraged to infiltrate internal corporate systems.
Victims of the GhostCall campaign have been identified since 2023 in multiple countries, including Japan, Italy, France, Singapore, the Republic of Türkiye, Spain, Sweden, the Republic of India, and the Hong Kong Special Administrative Region of China. Victims of the Ghost Hire campaign have been identified this year in Japan and Australia. Most of those targeted are executives at Web3 and blockchain technology companies and at venture capital firms in the Asia-Pacific (APAC) region, particularly in Singapore and Hong Kong.
Lee Hyo-eun, Head of Kaspersky Korea, warned, "If you work in the Web3 or blockchain industry, you should be extremely cautious about sudden investment or job offers via Telegram, especially when you are asked to run code within a very short time frame."
Reporter Choi Hye-rim (kaya@fnnews.com)