Crypto Wasted: BlueNoroff’s Ghost Mirage of Funding and Jobs

    Date: 10/30/2025

    Severity: Medium

    Summary

    BlueNoroff (also known as APT38, Sapphire Sleet, and TA444) — a financially motivated North Korean threat group — continues its SnatchCrypto operation, targeting blockchain developers and Web3 executives. The group has evolved its tactics with new infiltration methods and malware families. Recent campaigns, GhostCall and GhostHire, use fake investment and job offers to trick victims in the crypto and blockchain sector, aiming to steal digital assets and sensitive credentials.

    Indicators of Compromise (IOC) List

    URLs/Domains


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "first.system-update.xyz" or siteurl like "first.system-update.xyz" or url like "first.system-update.xyz" or domainname like "https://filedrive.online/uploadfiles" or siteurl like "https://filedrive.online/uploadfiles" or url like "https://filedrive.online/uploadfiles" or domainname like "check.datatabletemplate.shop" or siteurl like "check.datatabletemplate.shop" or url like "check.datatabletemplate.shop" or domainname like "writeup.live" or siteurl like "writeup.live" or url like "writeup.live" or domainname like "https://support.ms-live.us/301631/check" or siteurl like "https://support.ms-live.us/301631/check" or url like "https://support.ms-live.us/301631/check" or domainname like "https://metamask.awaitingfor.site/update" or siteurl like "https://metamask.awaitingfor.site/update" or url like "https://metamask.awaitingfor.site/update" or domainname like "download.face-online.world" or siteurl like "download.face-online.world" or url like "download.face-online.world" or domainname like "swissborg.blog" or siteurl like "swissborg.blog" or url like "swissborg.blog" or domainname like "real-update.xyz" or siteurl like "real-update.xyz" or url like "real-update.xyz" or domainname like "web071zoom.us" or siteurl like "web071zoom.us" or url like "web071zoom.us" or domainname like "safefor.xyz" or siteurl like "safefor.xyz" or url like "safefor.xyz" or domainname like "https://api.flashstore.sbs/uploadfiles" or siteurl like "https://api.flashstore.sbs/uploadfiles" or url like "https://api.flashstore.sbs/uploadfiles" or domainname like "https://support.ms-live.us/update/02583235891M49FYUN57" or siteurl like "https://support.ms-live.us/update/02583235891M49FYUN57" or url like "https://support.ms-live.us/update/02583235891M49FYUN57" or domainname like "https://cloud-server.store/update" or siteurl like "https://cloud-server.store/update" or url like "https://cloud-server.store/update" or domainname like "readysafe.xyz" or siteurl like "readysafe.xyz" 
or url like "readysafe.xyz" or domainname like "https://flashserve.store/update" or siteurl like "https://flashserve.store/update" or url like "https://flashserve.store/update" or domainname like "system.updatecheck.store" or siteurl like "system.updatecheck.store" or url like "system.updatecheck.store" or domainname like "second.awaitingfor.online" or siteurl like "second.awaitingfor.online" or url like "second.awaitingfor.online" or domainname like "https://api.clearit.sbs/uploadfiles" or siteurl like "https://api.clearit.sbs/uploadfiles" or url like "https://api.clearit.sbs/uploadfiles" or domainname like "dataupload.store" or siteurl like "dataupload.store" or url like "dataupload.store" or domainname like "https://file-server.store/update" or siteurl like "https://file-server.store/update" or url like "https://file-server.store/update" or domainname like "http://web071zoom.us/fix/audio-tr/7217417464" or siteurl like "http://web071zoom.us/fix/audio-tr/7217417464" or url like "http://web071zoom.us/fix/audio-tr/7217417464" or domainname like "file-server.store" or siteurl like "file-server.store" or url like "file-server.store" or domainname like "cloud-server.store" or siteurl like "cloud-server.store" or url like "cloud-server.store" or domainname like "https://api.clearit.sbs/test" or siteurl like "https://api.clearit.sbs/test" or url like "https://api.clearit.sbs/test" or domainname like "root.security-update.xyz" or siteurl like "root.security-update.xyz" or url like "root.security-update.xyz"

    Detection Query 2:

    domainname like "https://bots.autoupdate.online:8080/test" or siteurl like "https://bots.autoupdate.online:8080/test" or url like "https://bots.autoupdate.online:8080/test" or domainname like "https://urgent-update.cloud/uploadfiles" or siteurl like "https://urgent-update.cloud/uploadfiles" or url like "https://urgent-update.cloud/uploadfiles" or domainname like "flashserve.store" or siteurl like "flashserve.store" or url like "flashserve.store" or domainname like "botsc.autoupdate.xyz" or siteurl like "botsc.autoupdate.xyz" or url like "botsc.autoupdate.xyz" or domainname like "instant-update.online" or siteurl like "instant-update.online" or url like "instant-update.online" or domainname like "https://support.ms-live.us/register/22989524464UcX2b5w52" or siteurl like "https://support.ms-live.us/register/22989524464UcX2b5w52" or url like "https://support.ms-live.us/register/22989524464UcX2b5w52" or domainname like "https://chkactive.online/update" or siteurl like "https://chkactive.online/update" or url like "https://chkactive.online/update" or domainname like "https://api.flashstore.sbs/test" or siteurl like "https://api.flashstore.sbs/test" or url like "https://api.flashstore.sbs/test" or domainname like "safeup.store" or siteurl like "safeup.store" or url like "safeup.store" or domainname like "https://dataupload.store/uploadfiles" or siteurl like "https://dataupload.store/uploadfiles" or url like "https://dataupload.store/uploadfiles" or domainname like "chkactive.online" or siteurl like "chkactive.online" or url like "chkactive.online" or domainname like "signsafe.site" or siteurl like "signsafe.site" or url like "signsafe.site" or domainname like "signsafe.xyz" or siteurl like "signsafe.xyz" or url like "signsafe.xyz" or domainname like "secondshop.store" or siteurl like "secondshop.store" or url like "secondshop.store" or domainname like "safeupload.online" or siteurl like "safeupload.online" or url like "safeupload.online" or domainname like 
"filedrive.online" or siteurl like "filedrive.online" or url like "filedrive.online" or domainname like "download.datatabletemplate.xyz" or siteurl like "download.datatabletemplate.xyz" or url like "download.datatabletemplate.xyz" or domainname like "root.chkstate.online" or siteurl like "root.chkstate.online" or url like "root.chkstate.online" or domainname like "secondshop.online" or siteurl like "secondshop.online" or url like "secondshop.online" or domainname like "image-support.xyz" or siteurl like "image-support.xyz" or url like "image-support.xyz" or domainname like "pre.alwayswait.site" or siteurl like "pre.alwayswait.site" or url like "pre.alwayswait.site" or domainname like "firstfromsep.online" or siteurl like "firstfromsep.online" or url like "firstfromsep.online" or domainname like "http://web071zoom.us/fix/audio/4542828056" or siteurl like "http://web071zoom.us/fix/audio/4542828056" or url like "http://web071zoom.us/fix/audio/4542828056" or domainname like "http://web071zoom.us/fix/audio-fv/7217417464" or siteurl like "http://web071zoom.us/fix/audio-fv/7217417464" or url like "http://web071zoom.us/fix/audio-fv/7217417464" or domainname like "https://safeupload.online/uploadfiles" or siteurl like "https://safeupload.online/uploadfiles" or url like "https://safeupload.online/uploadfiles" or domainname like "https://writeup.live/test" or siteurl like "https://writeup.live/test" or url like "https://writeup.live/test" or domainname like "https://safeup.store/test" or siteurl like "https://safeup.store/test" or url like "https://safeup.store/test" or domainname like "wss://firstfromsep.online/client" or siteurl like "wss://firstfromsep.online/client" or url like "wss://firstfromsep.online/client" or domainname like "second.systemupdate.cloud" or siteurl like "second.systemupdate.cloud" or url like "second.systemupdate.cloud" or domainname like "https://filedrive.online/uploadfiles" or siteurl like "https://filedrive.online/uploadfiles" or url like 
"https://filedrive.online/uploadfiles" or domainname like "ws://web.commoncome.online:8080/client" or siteurl like "ws://web.commoncome.online:8080/client" or url like "ws://web.commoncome.online:8080/client" or domainname like "ws://first.longlastfor.online:8080/client" or siteurl like "ws://first.longlastfor.online:8080/client" or url like "ws://first.longlastfor.online:8080/client"

    Detection Query 3:

    md5hash IN ("5cb4f0084f3c25e640952753ed5b25d0","01d3ed1c228f09d8e56bfbc5f5622a6c","c42c7a2ea1c2f00dddb0cc4c8bfb5bcf","1243968876262c3ad4250e1371447b23","6422795a6df10c45c1006f92d686ee7e","529fe6eff1cf452680976087e2250c02","963f473f1734d8b3fbb8c9a227c06d07","5ad40a5fd18a1b57b69c44bc2963dc6b","eda0525c078f5a216a977bc64e86160a","e33f942cf1479ca8530a916868bad954","c446682f33641cff21083ac2ce477dbe","0af11f610da1f691e43173d44643283f","ab1e8693931f8c694247d96cf5a85197","e8680d17fba6425e4a9bb552fb8db2b1","931cec3c80c78d233e3602a042a2e71b","1653d75d579872fadec1f22cf7fee3c0","9551b4af789b2db563f9452eaf46b6aa","60bfe4f378e9f5a84183ac505a032228","7f94ed2d5f566c12de5ebe4b5e3d8aa3","389447013870120775556bb4519dba97","50f341b24cb75f37d042d1e5f9e3e5aa","a26f2b97ca4e2b4b5d58933900f02131","76ace3a6892c25512b17ed42ac2ebd05","19a7e16332a6860b65e6944f1f3c5001","10cd1ef394bc2a2d8d8f2558b73ac7b8","a070b77c5028d7a5d2895f1c9d35016f","38c8d80dd32d00e9c9440a498f7dd739","7168ce5c6e5545a5b389db09c90038da","261a409946b6b4d9ce706242a76134e3","31b88dd319af8e4b8a96fc9732ebc708","1ee10fa01587cec51f455ceec779a160","3bbe4dfe3134c8a7928d10c948e20bee","7581854ff6c890684823f3aed03c210f","6348b49f3499d760797247b94385fda3","17baae144d383e4dc32f1bf69700e587","8f8942cd14f646f59729f83cbd4c357b","7e50c3f301dd045eb189ba1644ded155","0ca37675d75af0e7def0025cd564d6c5","d63805e89053716b6ab93ce6decf8450","e9fdd703e60b31eb803b1b59985cabec","f1d2af27b13cd3424556b18dfd3cf83f","b567bfdaac131a2d8a23ad8fd450a31d","00dd47af3db45548d2722fe8a4489508","6aa93664b4852cb5bad84ba1a187f645","d8529855fab4b4aa6c2b34449cb3b9fb","a0eb7e480752d494709c63aa35ccf36c","73d26eb56e5a3426884733c104c3f625","358c2969041c8be74ce478edb2ffcd19","2c42253ebf9a743814b9b16a89522bef","f1bad0efbd3bd5a4202fe740756f977a","a6ce961f487b4cbdfe68d0a249647c48","8006efb8dd703073197e5a27682b35bf","c6f0c8d41b9ad4f079161548d2435d80","f8bb2528bf35f8c11fbc4369e68c4038","b2e9a6412fd7c068a5d7c38d0afd946f","de93e85199240de761a8ba0a56f0088d")

    Detection Query 4:

    sha256hash IN ("d5f41ea8dbf1ed159a0a4cfce563a917c1df32bb8ac8d321b4d3dcf67271dd25","ebaaf177e746f9f0e16c906f1ffea95af771252b07136ca6a13995508fce34aa","3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a","41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f","7ffc83877389ebb86d201749d73b5e3706490070015522805696c9b94fa95ccb","ad01beb19f5b8c7155ee5415781761d4c7d85a31bb90b618c3f5d9f737f2d320","74cbec210ba601caeb063d44e510fc012075b65a0482d3fa2d2d08837649356a","bcef50a375c8b4edbe7c80e220c1bb52f572ce379768fec3527d31c1d51138fc","65b98ddc821212d13e0e64265353725f0adf6bcf3f4129c18d9d6327b8a69e11","0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df","14e9bb6df4906691fc7754cf7906c3470a54475c663bd2514446afad41fa1527","3dd226d0b700f33974f409142defb62a8cd172ae5f2eb9beb7f5750eb1702e2a","4451ee8bc53ea7c148d8348bc7b82aca9977bdd31c0156dfe25c4a879a1d2190","5b77f83ecefa0e32ba922f61c9efff7f755ba51a010db844ca7e8ad3db28650a","5f4063e3a5583e62ddec2f84ca88eb97fbcfbee31d9269742ab438f441f0cd58","71b743c529f0b27735f7774a0903cb908edc93423b60fe9be49a3729982d0e8d","a6c1a7ce43b029a1ef4ae69b26f745440ecce8368c89f11ac999d4ed04a31572","b494a0ae421afe170f6cb9de2c1193a78fbe16f627f85139676afc5d9bfe93a2","bd2aa5805b76f272b43a595b3d73e29d0fc4647e15e87950b8f904ea26dcf053","c4db903322d17c8cbf1d1db55124854c0b070d6ece54162b6a4d06df24c572df")
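To apply the same indicators outside TDIR, here is an added Python matcher (example code, not Gurucul's or the Securelist report's) that mirrors the field checks of Queries 1 to 4 over log events: the URL fields `domainname`, `siteurl` and `url` are tested against the URL and domain indicators, and `md5hash`/`sha256hash` against the hash lists. Because a plain equality test on a bare domain indicator misses a host embedded in a URL field, the matcher extracts the host first and also catches subdomains; hashes are compared case-insensitively. Indicator values are a subset taken from the page; the sample events are constructed.

```python
"""IOC matcher for the BlueNoroff indicators on this page (added example)."""
from urllib.parse import urlsplit

# Subset of the page's indicators; the full lists are in the IOC section.
DOMAIN_IOCS = {"web071zoom.us", "filedrive.online", "swissborg.blog"}
URL_IOCS = {"https://filedrive.online/uploadfiles",
            "ws://web.commoncome.online:8080/client"}
MD5_IOCS = {"e33f942cf1479ca8530a916868bad954"}
SHA256_IOCS = {"0d1e3a9e6f3211b7e3072d736e9a2e6be363fc7c100b90bf7e1e9bee121e30df"}

URL_FIELDS = ("domainname", "siteurl", "url")   # same fields as the TDIR queries
_URL_SET = {u.lower().rstrip("/") for u in URL_IOCS}


def host_of(value):
    """Return the lowercase hostname of a URL or bare host, port stripped."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value            # makes urlsplit treat it as a netloc
    return urlsplit(value).hostname or ""


def match_event(event):
    """Return the (field, indicator) pairs that fire for one event dict."""
    hits = []
    for field in URL_FIELDS:
        raw = event.get(field)
        if not raw:
            continue
        # exact URL indicator match (trailing slash and case ignored)
        if raw.strip().lower().rstrip("/") in _URL_SET:
            hits.append((field, raw.strip()))
        # domain indicator: exact host or any subdomain of it
        host = host_of(raw)
        for dom in DOMAIN_IOCS:
            if host == dom or host.endswith("." + dom):
                hits.append((field, dom))
    for field, iocs in (("md5hash", MD5_IOCS), ("sha256hash", SHA256_IOCS)):
        digest = (event.get(field) or "").strip().lower()
        if digest in iocs:
            hits.append((field, digest))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "http://web071zoom.us/fix/audio/4542828056"},
    {"siteurl": "https://filedrive.online/uploadfiles",
     "md5hash": "E33F942CF1479CA8530A916868BAD954"},
    {"domainname": "zoom.us"},          # legitimate host, must not fire
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", match_event(ev) or "no match")
```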

    Reference:

    https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/


    Tags

    Malware, Threat Actor, BlueNoroff, APT38, Sapphire Sleet, TA444, GhostCall, GhostHire, North Korea, SnatchCrypto, cryptocurrency, Blockchain, credential stealers, Financial Services
