A North Korea-linked threat actor tracked as UNC1069 has intensified its focus on cryptocurrency organizations, using AI-generated lures, fake Zoom meetings, and multiple malware families to steal sensitive data from Windows and macOS systems, with the objective of facilitating financial theft.
According to Google Mandiant researchers Ross Inman and Adrian Hernandez, the latest intrusion relied on a layered social engineering scheme that began with a compromised Telegram account and culminated in malware deployment through a ClickFix infection vector. The campaign also reportedly leveraged AI-generated video to enhance the deception.

UNC1069, active since at least April 2018, has a documented history of financially motivated social engineering operations. The group has posed as investors from reputable firms on Telegram and used fraudulent meeting invitations to engage targets. It is also known in the cybersecurity community as CryptoCore and MASAN. In a November report, Google Threat Intelligence Group noted the actor's use of generative AI tools such as Gemini to craft cryptocurrency-themed lure content and related messaging. The group has also attempted to misuse Gemini to develop code intended to steal cryptocurrency, and has incorporated deepfake images and video impersonations of individuals in the crypto sector. In earlier campaigns, the attackers distributed a backdoor called BIGMACHO by presenting it as a Zoom software development kit.
Since at least 2023, the group has shifted its targeting from traditional finance to the Web3 ecosystem, including centralized exchanges, software developers at financial institutions and technology firms, and individuals working at venture capital funds. In the most recent activity, UNC1069 deployed up to seven distinct malware families, including newly identified strains such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

The attack chain typically begins when victims are contacted on Telegram by individuals impersonating venture capitalists, sometimes through compromised accounts belonging to legitimate entrepreneurs or startup founders. After initial engagement, the threat actor uses Calendly to schedule a 30-minute meeting. The meeting link redirects victims to a fraudulent website designed to mimic Zoom, often using Telegram hyperlink features to conceal the malicious URL. Once clicked, targets encounter a convincing video call interface that prompts them to enable their camera and enter their name. The displayed video is believed to be either deepfake content or recordings of prior victims, a tactic previously documented by Kaspersky under the name GhostCall.
Following the staged meeting, victims are shown a fabricated audio error message and instructed to run a ClickFix-style troubleshooting command. On macOS systems, this results in the execution of an AppleScript that drops a malicious Mach-O binary named WAVESHAPER. This C++ executable collects system information and deploys a Go-based downloader known as HYPERCALL, which subsequently delivers additional payloads. These include HIDDENCALL, a Go backdoor enabling direct remote access and deployment of a Swift-based data miner called DEEPBREATH, as well as SUGARLOADER, which installs CHROMEPUSH. SILENCELIFT, another component, transmits system data to a command-and-control (C2) server.

DEEPBREATH is capable of manipulating the macOS Transparency, Consent, and Control (TCC) databases to access files and extract iCloud Keychain credentials, along with data from Chrome, Brave, Microsoft Edge, Telegram, and Apple Notes. CHROMEPUSH operates as a malicious browser extension disguised as an offline Google Docs editing tool and can record keystrokes, capture login credentials, and extract browser cookies. Mandiant stated that the breadth of tooling deployed on a single host reflects a determined effort to harvest credentials, browser data, and session tokens to support financial theft, marking a notable expansion in UNC1069's operational capabilities.
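Because DEEPBREATH is described above as manipulating the TCC databases, a defender's first question on a suspect Mac is which clients currently hold sensitive TCC grants and whether any of them are unexpected. The script below is an added example written for this page, not code from Mandiant or from the report. It assumes that the `access` table of TCC.db exposes at least the columns `service`, `client`, `client_type` and `auth_value`, that an `auth_value` of 2 means "allowed", and that a `client_type` of 1 marks a client identified by an absolute path rather than a bundle identifier; the sample rows, the placeholder path and the allowlist are constructed for the demonstration.

```python
"""Audit macOS TCC grants for unexpected clients.

Added defensive example, not code from the Mandiant report. Assumptions: the
`access` table of TCC.db has columns service, client, client_type and
auth_value (true on recent macOS, but verify on your hosts); auth_value 2 means
"allowed"; client_type 1 means the client is identified by an absolute path.
"""
import sqlite3

# kTCCService identifiers whose grant gives broad access to user data.
# This list is an assumption and is not exhaustive.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",        # Full Disk Access
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDownloadsFolder",
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceAppleEvents",                  # AppleScript control of other apps
}

AUTH_ALLOWED = 2      # assumed auth_value for "allowed"
CLIENT_TYPE_PATH = 1  # assumed client_type for path-based (non-bundle) clients


def load_grants(conn):
    """Return every row of the TCC access table as a dict."""
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value FROM access"
    ).fetchall()
    return [
        {"service": s, "client": c, "client_type": t, "auth_value": v}
        for s, c, t, v in rows
    ]


def suspicious_grants(grants, allowlist):
    """Flag allowed grants on sensitive services from clients not on the allowlist.

    Each finding carries a reason for triage: an unknown bundle identifier is
    worth a look; a path-based client (for example a binary sitting under the
    user's home directory) more so.
    """
    findings = []
    for g in grants:
        if g["service"] not in SENSITIVE_SERVICES or g["auth_value"] != AUTH_ALLOWED:
            continue
        if g["client"] in allowlist:
            continue
        reason = "path-based client" if g["client_type"] == CLIENT_TYPE_PATH else "unknown client"
        findings.append({**g, "reason": reason})
    return findings


def audit_tcc_db(path, allowlist):
    """Open a real TCC.db read-only and return findings.

    Typical user DB: ~/Library/Application Support/com.apple.TCC/TCC.db.
    Reading it requires Full Disk Access for the process running the audit.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return suspicious_grants(load_grants(conn), allowlist)
    finally:
        conn.close()


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db; rows and paths are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2),  # expected grant
            ("kTCCServiceCamera", "us.zoom.xos", 0, 2),                      # not in sensitive set
            ("kTCCServiceAccessibility", "com.example.helper", 0, 0),        # denied, ignored
            ("kTCCServiceSystemPolicyAllFiles",
             "/Users/alice/Library/Caches/PLACEHOLDER-dropped-binary", 1, 2),  # constructed
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in suspicious_grants(load_grants(build_sample_db()), {"com.apple.Terminal"}):
        print(f"{f['reason']}: {f['client']} -> {f['service']}")
```

Run against a real host with `audit_tcc_db(path, allowlist)`, where the allowlist is the set of bundle identifiers your fleet legitimately grants; anything path-based with Full Disk Access or Accessibility deserves immediate review, since a signed app normally appears by bundle identifier.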