5 February 2026. A Daylight Security investigation links a social engineering campaign to BlueNoroff, a financially motivated subgroup of the Lazarus Group, which targeted professionals in the cryptocurrency and financial sectors. The attackers begin by contacting victims on platforms such as Telegram and steer them toward a Microsoft Teams call, where they feign technical difficulties and claim they cannot hear the victim.
They coach the victim into running terminal commands that download and execute malicious binaries, disguising a payload as a system cache file. The malware is designed to blend into the macOS environment: the host downloads an executable to a path that appears benign, /Library/Caches/com.apple.sys[.]receipt. The attackers then use living-off-the-land techniques, making the file executable and signing it ad-hoc to bypass checks.
The operation aims to steal credentials by copying the user’s Keychain database, and it also targets a secondary component to ensure persistence. According to Daylight Security, this GhostCall tactic is consistent with activities publicly attributed to BlueNoroff.
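The make-executable and ad-hoc signing steps described above leave a pair of process events on the same file under a cache directory, which defenders can correlate. The following is an added example, not code from Daylight Security's report; the event format, the sample command lines, the path `com.example.cache`, the function names and the 300-second window are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

CACHE_MARKER = "/Library/Caches/"  # matches system and per-user cache directories

# Constructed process-execution events: (epoch seconds, command line).
SAMPLE_EVENTS = [
    (100, "chmod +x /Library/Caches/com.example.cache"),
    (104, "codesign --force --sign - /Library/Caches/com.example.cache"),
    (200, "chmod 644 /Users/dev/Library/Caches/pip/log.txt"),
    (220, "codesign -s 'Developer ID Application: Example Corp' /Applications/Tool.app"),
    (300, "chmod 755 /Users/dev/Library/Caches/build/helper"),
    (9000, "codesign -fs - /Users/dev/Library/Caches/build/helper"),
]

def classify(cmdline):
    """Return (action, cache_paths); action is 'chmod_x', 'adhoc_sign' or None."""
    argv = shlex.split(cmdline)
    if not argv:
        return None, []
    tool = argv[0].rsplit("/", 1)[-1]
    paths = [a for a in argv[1:] if CACHE_MARKER in a]
    if tool == "chmod":
        mode = next((a for a in argv[1:] if not a.startswith("-")), "")
        symbolic = "+" in mode and "x" in mode.split("+", 1)[1]
        octal = mode.isdigit() and any(int(d) & 1 for d in mode[-3:])
        return ("chmod_x" if symbolic or octal else None), paths
    if tool == "codesign":
        # Ad-hoc signing passes "-" as the identity: -s -, --sign -, or bundled flags like -fs -
        for flag, value in zip(argv[1:], argv[2:]):
            short = flag.startswith("-") and not flag.startswith("--") and flag.endswith("s")
            if (flag == "--sign" or short) and value == "-":
                return "adhoc_sign", paths
    return None, paths

def find_suspects(events, window=300):
    """Cache paths made executable and ad-hoc signed within `window` seconds."""
    seen = defaultdict(dict)  # path -> {action: last timestamp}
    hits = []
    for ts, cmdline in sorted(events):
        action, paths = classify(cmdline)
        if action is None:
            continue
        for path in paths:
            seen[path][action] = ts
            t = seen[path]
            if len(t) == 2 and abs(t["chmod_x"] - t["adhoc_sign"]) <= window and path not in hits:
                hits.append(path)
    return hits

if __name__ == "__main__":
    print(find_suspects(SAMPLE_EVENTS))
```

Legitimate build tooling also signs ad-hoc, so the pairing with a cache-directory path and a short time window is what narrows the signal; tune both to the environment's telemetry.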