North Korean Hackers Deploy AI-Generated Deepfakes and Seven Malware Families in Targeted Cryptocurrency Attacks

North Korean threat actor UNC1069 has launched a sophisticated campaign targeting the cryptocurrency and decentralized finance (DeFi) sectors, deploying AI-generated deepfake videos and seven unique malware families to steal credentials and financial data, according to new research from Google Cloud’s Mandiant threat intelligence team.

AI-Enabled Social Engineering: The New Frontier

The attack begins with a compromised Telegram account of a legitimate cryptocurrency executive. After building rapport with the victim, UNC1069 operators send a Calendly link scheduling a meeting via a spoofed Zoom infrastructure hosted on attacker-controlled domains.

During the fake video call, victims reported encountering what appeared to be a deepfake video of a CEO from another cryptocurrency company. The threat actors then leveraged a “ClickFix” attack technique—presenting fake audio issues and convincing victims to run “troubleshooting” commands that actually initiated the infection chain on both macOS and Windows systems.

Seven Malware Families Deployed on Single Hosts

Mandiant’s investigation revealed an unusually aggressive intrusion, with seven distinct malware families deployed on a single compromised system:

  • WAVESHAPER — A C++ backdoor for macOS that collects system information and downloads additional payloads
  • HYPERCALL — A Golang-based downloader that retrieves and reflectively loads malicious libraries
  • HIDDENCALL — A follow-on backdoor providing hands-on keyboard access
  • SUGARLOADER — A known downloader with persistence via launch daemons
  • SILENCELIFT — A toehold backdoor that beacons system information to C2 servers
  • DEEPBREATH — A Swift-based data miner targeting Keychain credentials, browser data, Telegram, and Apple Notes
  • CHROMEPUSH — A C++ data miner deploying malicious browser extensions masquerading as Google Docs offline tools

Cryptocurrency Sector Remains Primary Target

UNC1069 has been tracked by Mandiant since 2018 and is suspected with high confidence to have a North Korea nexus. Since 2023, the group has shifted from traditional finance targeting and spear-phishing to focus on Web3 companies, centralized exchanges (CEX), software developers at financial institutions, and venture capital firms.

The threat actor is known to use AI tools like Gemini for developing tooling, conducting operational research, and assisting during reconnaissance stages. Kaspersky has also linked overlapping threat actor Bluenoroff to GPT-4o usage for image modification, indicating broad adoption of generative AI tools by DPRK-nexus groups.

Why This Matters

This campaign represents a significant evolution in North Korean cyber operations:

  • AI Integration: The use of deepfake videos during live social engineering calls demonstrates how threat actors are weaponizing AI for real-time deception
  • Cross-Platform Targeting: The ClickFix technique included commands for both macOS and Windows, maximizing victim coverage
  • Data Harvesting at Scale: The sheer volume of tooling deployed indicates a dual-purpose operation—enabling immediate cryptocurrency theft while harvesting credentials and identities for future campaigns
  • Supply Chain Risk: Compromised executive accounts on Telegram serve as trusted vectors for targeting downstream contacts

Indicators of Compromise

Mandiant published 17 file hashes, 2 URLs, and 12 domains associated with this campaign. Organizations in the cryptocurrency sector should review the full technical appendix in the source report for detection opportunities.

Defensive Recommendations

  • Verify meeting invitations through secondary channels before joining video calls from new contacts
  • Never execute “troubleshooting” commands provided during video calls
  • Implement endpoint detection and response (EDR) solutions on macOS systems
  • Monitor for suspicious launch daemon installations (e.g., /Library/LaunchDaemons/com.apple.system.updater.plist)
  • Review browser extensions for unauthorized installations masquerading as legitimate tools
  • Enable multi-factor authentication on Telegram and other communication platforms
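One way to act on the launch daemon recommendation above, as an added example that is not from the Mandiant report: a small Python audit that parses launchd plists and flags the masquerade patterns this campaign relies on. The heuristics (Apple-style labels in the third-party directories, executables in temp folders, inline downloader commands) are this example's own assumptions; only the com.apple.system.updater.plist path comes from the article.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristics assumed by this example: Apple ships its own launchd items under
# /System/Library/LaunchDaemons, so a com.apple.* label inside the third-party
# directories below is a classic masquerade; temp-folder executables and inline
# downloader or interpreter commands are further red flags.
THIRD_PARTY_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")
TEMP_EXEC_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETER_TOKENS = ("curl ", "bash -c", "sh -c", "osascript")
# The one persistence path the article names (from the report, not invented).
REPORTED_PATH = "/Library/LaunchDaemons/com.apple.system.updater.plist"


def assess_launch_item(plist_path, data):
    """Return the reasons a parsed launchd plist looks suspicious ([] = clean)."""
    reasons = []
    label = data.get("Label", "")
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if plist_path == REPORTED_PATH:
        reasons.append("path matches the persistence file named in the report")
    if plist_path.startswith(THIRD_PARTY_DIRS) and label.startswith("com.apple."):
        reasons.append("Apple-style label in a third-party launchd directory")
    if program.startswith(TEMP_EXEC_PREFIXES):
        reasons.append(f"executable in a temporary or shared location: {program}")
    if any(tok in " ".join(args) for tok in INTERPRETER_TOKENS):
        reasons.append("command line invokes a downloader or script interpreter")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad plus KeepAlive (always-on persistence)")
    return reasons


def scan_plist_file(path, logical_path=None):
    """Parse one launchd plist from disk; logical_path lets a test dir stand in for /Library."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return assess_launch_item(logical_path or str(path), data)


def demo():
    """Write a constructed (fake) plist mimicking the reported file name and scan it."""
    fake = {"Label": "com.apple.system.updater", "RunAtLoad": True, "KeepAlive": True,
            "ProgramArguments": ["/tmp/.updater", "--run"]}  # constructed sample, not real malware
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "com.apple.system.updater.plist"
        with open(p, "wb") as fh:
            plistlib.dump(fake, fh)
        return scan_plist_file(p, logical_path=REPORTED_PATH)
```

On a real host, iterate over /Library/LaunchDaemons and /Library/LaunchAgents with scan_plist_file and treat any non-empty result as a lead to verify against a known-good inventory, since legitimate vendor agents can trip individual heuristics.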

Source: Google Cloud / Mandiant Threat Intelligence