North Korea-linked UNC1069 uses AI decoys to attack crypto organizations

Fyself News, Identity. February 11, 2026
A North Korea-related threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems, with the ultimate goal of facilitating financial theft.

Google Mandiant researchers Ross Inman and Adrian Hernandez said, “This intrusion relied on social engineering schemes including compromised Telegram accounts, fake Zoom meetings, ClickFix infection vectors, and reportedly used AI-generated video to deceive victims.”

UNC1069 is believed to have been active since at least April 2018 and has a history of conducting social engineering campaigns for financial gain by using fake meeting invites and posing as investors in reputable companies on Telegram. It is also tracked by the broader cybersecurity community under the names CryptoCore and MASAN.

In a report published last November, the Google Threat Intelligence Group (GTIG) noted that threat actors are using generative artificial intelligence (AI) tools such as Gemini to create decoy materials and other messages related to cryptocurrencies as part of efforts to support social engineering campaigns.

The group has also been observed attempting to use Gemini to develop code for stealing cryptocurrency, and to use deepfake images and videos impersonating figures in the cryptocurrency industry in a campaign that distributes a backdoor called BIGMACHO disguised as a Zoom software development kit (SDK).

“Since at least 2023, this group has targeted Web3 industries, from spear-phishing techniques and traditional finance (TradFi) to centralized exchanges (CEX), software developers at financial institutions, high-tech companies, and individuals in venture capital funds,” Google said.

In the latest intrusion documented by the tech giant’s threat intelligence division, UNC1069 is said to have deployed as many as seven distinct malware families, several of them new, including SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

It all starts when a victim is approached by a threat actor via Telegram, impersonating a venture capitalist and sometimes using a compromised account of a legitimate entrepreneur or startup founder. Once contact is established, the attacker uses Calendly to schedule a 30-minute meeting.

The meeting link redirects victims to a fake website (“zoom.uswe05”) disguised as Zoom. In some cases, meeting links are shared directly in Telegram messages, often using Telegram’s hyperlink feature to hide the phishing URL behind display text.

Regardless of the method used, as soon as the victim clicks on the link, a fake Zoom-like video call interface appears prompting them to enable their camera and enter their name. Once the target joins the meeting, they will see a screen similar to a real Zoom meeting.

However, the video is suspected to be either a deepfake or a real recording covertly captured from earlier victims of the same scheme. Kaspersky tracks the same campaign under the name GhostCall and documented it in detail in October 2025.

“Webcam footage was unknowingly recorded, uploaded to attacker-controlled infrastructure, and reused to deceive other victims into thinking they were participating in a genuine live call,” the Russian security vendor noted at the time. “Once the video finished playing, the page smoothly transitioned to displaying that user’s profile image, maintaining the illusion of a live call.”

The attack progresses to the next phase, where the victim is shown a fake error message purporting to be an audio issue, and is then asked to download and run ClickFix-style troubleshooting commands to address the issue. On macOS, the command delivers an AppleScript and drops a malicious Mach-O binary onto the system.

A malicious C++ executable called WAVESHAPER collects system information and retrieves a Go-based downloader codenamed HYPERCALL, which in turn delivers additional payloads.

A subsequent Golang backdoor component known as HIDDENCALL provides hands-on-keyboard access to the compromised system and deploys a Swift-based data stealer called DEEPBREATH. A second C++ downloader called SUGARLOADER is used to deploy CHROMEPUSH. A minimal C/C++ backdoor called SILENCELIFT sends system information to a command-and-control (C2) server.

DEEPBREATH can manipulate the macOS Transparency, Consent, and Control (TCC) database to grant itself file system access, which it uses to steal iCloud Keychain credentials and data from Google Chrome, Brave, Microsoft Edge, Telegram, and Apple Notes.
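A defender-side check for the TCC tampering described above, added here as an example and not taken from Mandiant's report: it reads a TCC.db (the `access` table reduced to the columns the check uses) and flags Full Disk Access grants to clients outside an allowlist or lacking a code-signing requirement (`csreq`), which a grant written through the normal system prompt carries and a row inserted by malware often does not. The sample database, its client names and its timestamps are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Full Disk Access as named in the TCC.db "service" column on macOS.
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
ALLOWED = 2  # auth_value meaning "allowed" (macOS 11+ schema)

# Constructed subset of the real "access" table: only the columns used below.
SCHEMA = """
CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    csreq BLOB, last_modified INTEGER NOT NULL
);
"""

NO_CSREQ = "no csreq (grant not bound to a code signature)"
NOT_ALLOWLISTED = "client not in allowlist"


def audit_tcc(db_path, expected_clients):
    """Return Full Disk Access grants that are unexpected or unsigned-looking."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT client, client_type, csreq, last_modified FROM access "
            "WHERE service = ? AND auth_value = ?", (FULL_DISK_ACCESS, ALLOWED)
        ).fetchall()
    finally:
        conn.close()
    findings = []
    for client, client_type, csreq, last_modified in rows:
        reasons = []
        if client not in expected_clients:
            reasons.append(NOT_ALLOWLISTED)
        if csreq is None:
            reasons.append(NO_CSREQ)
        if reasons:  # client_type 0 = bundle id, 1 = absolute path
            findings.append({"client": client, "client_type": client_type,
                             "last_modified": last_modified, "reasons": reasons})
    return findings


def run_demo():
    """Build a constructed TCC.db with one legitimate and one implanted grant, then audit it."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", [
        # legitimate: bundle id, user-approved (auth_reason 4), has a csreq blob
        (FULL_DISK_ACCESS, "com.apple.Terminal", 0, ALLOWED, 4, b"\xfa\xde\x0c\x00", 1700000000),
        # implanted: path-based client, no csreq, recently written
        (FULL_DISK_ACCESS, "/Users/Shared/.update", 1, ALLOWED, 2, None, 1770000000),
    ])
    conn.commit()
    conn.close()
    return audit_tcc(path, {"com.apple.Terminal"})
```

On a real system the database lives at `/Library/Application Support/com.apple.TCC/TCC.db` (and per-user under `~/Library/Application Support/com.apple.TCC/`), which itself requires Full Disk Access to read.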

Like DEEPBREATH, CHROMEPUSH functions as a data stealer, except that it is written in C++ and deployed as a browser extension for Google Chrome and Brave under the guise of a tool for offline editing of Google Docs. It can also record keystrokes, monitor username and password entries, and extract browser cookies.

“The amount of tools deployed on a single host indicates a very determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant said. “While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER signals a significant expansion of its capabilities.”
