North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
Source: The Hacker News
Background
- UNC1069 has been active since at least April 2018.
- The group is also tracked under the monikers CryptoCore and MASAN.
- It frequently runs social‑engineering campaigns for financial gain, using fake meeting invites and posing as investors on Telegram.
In a November‑2023 report, Google Threat Intelligence Group (GTIG) highlighted the actor’s use of generative AI tools (e.g., Gemini) to create lure material and other cryptocurrency‑related messaging for its campaigns.

Recent Activity
- The group has begun misusing Gemini to develop code that steals cryptocurrency and to generate deep‑fake images/video that mimic industry figures.
- These lures are used to distribute a backdoor called BIGMACHO, masquerading as a Zoom Software Development Kit (SDK).
- Since 2023, UNC1069 has shifted focus from traditional finance (TradFi) to the Web3 ecosystem, targeting centralized exchanges (CEXs), software developers at financial institutions, high‑tech firms, and individuals working in venture capital.
In the latest intrusion documented by Google’s threat‑intelligence division, UNC1069 deployed up to seven distinct malware families, including three newly identified ones:
| New Malware Family | Description |
|---|---|
| SILENCELIFT | Minimalist C/C++ backdoor that sends system information to a command‑and‑control (C2) server |
| DEEPBREATH | Swift‑based data stealer that manipulates the macOS TCC database to reach Keychain, browser, Telegram, and Apple Notes data |
| CHROMEPUSH | C++ data stealer deployed as a Google Chrome/Brave browser extension (keystrokes, credentials, cookies) |
Attack Flow
- Initial Contact – The victim is approached on Telegram by an actor impersonating a venture capitalist (or, occasionally, a compromised account of a legitimate entrepreneur).
- Scheduling – The attacker sends a Calendly link to arrange a 30‑minute meeting.
- Phishing Landing Page – The Calendly link redirects the victim to a fake Zoom site (zoom.uswe05[.]us). The URL is often hidden behind Telegram’s hyperlink feature.
- Fake Video Call Interface – The page mimics a Zoom call, prompting the victim to enable their camera and enter a name.
  - The displayed video may be a deep‑fake or a real recording captured from a previous victim.
  - Kaspersky tracks the same campaign as GhostCall (documented Oct 2025).
  “Their webcam footage had been unknowingly recorded, then uploaded to attacker‑controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call,” – Kaspersky.
- Error Prompt & ClickFix – After the “call,” a bogus error about an audio issue appears, prompting the victim to run a ClickFix‑style troubleshooting command.
  - Windows – Executes a PowerShell/command‑line payload that drops the malicious backdoor.
  - macOS – Runs an AppleScript that drops a malicious Mach‑O binary.
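A defender‑side check for the lookalike meeting link in the flow above, written as an added example (not code from the article): it refangs a reported URL, pulls out the hostname, and flags a brand token such as “zoom” that sits under a registrable domain the brand does not own. The brand table and the “last two labels” registrable‑domain rule are simplifying assumptions; a production check would consult the public suffix list.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Added example, not code from the article: flag meeting links whose hostname
# borrows a brand name (as the fake Zoom site does) while sitting under a
# registrable domain the brand does not own. BRAND_DOMAINS and the
# "last two labels" rule are simplifying assumptions, not an authoritative list.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
}


def refang(link: str) -> str:
    """Undo report-style defanging: 'hxxps://zoom.uswe05[.]us' -> 'https://zoom.uswe05.us'."""
    return link.strip().replace("[.]", ".").replace("hxxp", "http")


def hostname_of(link: str) -> str:
    """Hostname of a link, accepting bare hostnames as pasted from a chat."""
    link = refang(link)
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_mismatch(link: str) -> Optional[str]:
    """Return the impersonated brand, or None if the link looks consistent."""
    host = hostname_of(link)
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # brand token anywhere in a label, e.g. "zoom" in "zoom.uswe05.us"
        if any(brand in label for label in host.split(".")) and reg not in legit:
            return brand
    return None
```

The substring match is deliberately loose (it would also flag a host such as zoomed.example.com), which is the right trade‑off for a triage helper that a human reviews.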
Observed Malware & Tools
| Malware Family | Platform(s) | Primary Function |
|---|---|---|
| BIGMACHO | Windows/macOS | Backdoor; delivered via fake Zoom SDK |
| WAVESHAPER | (not stated) | C++ executable that gathers system information and delivers HYPERCALL |
| HYPERCALL | (not stated) | Go‑based downloader that serves HIDDENCALL, SUGARLOADER, and SILENCELIFT |
| HIDDENCALL | (not stated) | Golang backdoor providing hands‑on keyboard access; deploys DEEPBREATH |
| SUGARLOADER | (not stated) | Previously known C++ downloader; deploys CHROMEPUSH |
| SILENCELIFT | (not stated) | Minimalist C/C++ backdoor that sends system information to a C2 server |
| DEEPBREATH | macOS | Swift‑based data stealer; manipulates the TCC database to reach Keychain, browser, Telegram, and Apple Notes data |
| CHROMEPUSH | Google Chrome / Brave (browser extension) | C++ data stealer; records keystrokes, captures credentials, extracts cookies |
| ClickFix | Windows/macOS | Social‑engineering technique rather than malware: a bogus audio error prompts the victim to run a “troubleshooting” command |
| GhostCall | (tracking name) | Kaspersky’s label for the same campaign |
Mitigation Recommendations
| Recommendation | Details |
|---|---|
| User Awareness | Train staff to verify meeting links via official channels; discourage clicking links from unsolicited Telegram messages. |
| URL Inspection | Hover over links to reveal actual destinations; use URL‑reputation services before visiting. |
| Multi‑Factor Authentication (MFA) | Enforce MFA on all privileged accounts, especially those with access to cryptocurrency wallets or exchange APIs. |
| Endpoint Protection | Deploy EDR solutions capable of detecting the listed malware families and suspicious PowerShell/AppleScript activity. |
| Network Segmentation | Isolate systems that handle crypto‑related operations from general corporate networks. |
| Patch Management | Keep Zoom, macOS, Windows, and all third‑party software up‑to‑date to reduce exploit surface. |
| Threat Intelligence Feeds | Subscribe to feeds that flag UNC1069, CryptoCore, MASAN, and GhostCall indicators of compromise (IOCs). |

Infection Chain Overview
WAVESHAPER is a malicious C++ executable that gathers system information and delivers a Go‑based downloader codenamed HYPERCALL. HYPERCALL is then used to fetch additional payloads:
- HIDDENCALL – a Golang backdoor component that provides hands‑on keyboard access to the compromised system and deploys a Swift‑based data miner called DEEPBREATH.
- SUGARLOADER – a second C++ downloader used to deploy CHROMEPUSH.
- SILENCELIFT – a minimalist C/C++ backdoor that sends system information to a command‑and‑control (C2) server.
DEEPBREATH
DEEPBREATH manipulates macOS’s Transparency, Consent, and Control (TCC) database to gain file‑system access, allowing it to steal:
- iCloud Keychain credentials
- Data from Google Chrome, Brave, and Microsoft Edge
- Telegram messages
- Apple Notes
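An audit that a macOS administrator could run against the TCC grants DEEPBREATH abuses, written as an added example (not code from the article, Google, or Mandiant): it lists broad grants (Full Disk Access, Apple Events, Accessibility) made to clients outside an allowlist, calling out path‑based clients separately. The column subset, the auth_value encoding (2 = allowed) and the client_type encoding are assumptions about the real TCC.db schema; all rows are constructed sample data.

```python
import sqlite3
from typing import List, Set, Tuple

# Added example, not code from the article or from Google/Mandiant: audit the
# macOS TCC "access" table for broad grants made to clients an admin does not
# recognise. The column subset and the auth_value encoding (2 = allowed) are
# assumptions about the real schema; every row below is constructed sample data.

# TCC services that hand an app wide file-system or automation reach.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAppleEvents",           # drive other apps via AppleScript
    "kTCCServiceAccessibility",
}
AUTH_ALLOWED = 2  # assumed TCC auth_value meaning "allowed"


def load_constructed_tcc_db() -> sqlite3.Connection:
    """In-memory stand-in for TCC.db populated with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, last_modified INTEGER)"
    )
    # client_type 0 = bundle identifier, 1 = absolute path (assumed encoding)
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 1700000000),
        ("kTCCServiceSystemPolicyAllFiles", "/Users/alice/Library/Caches/ZoomSDK/helper", 1, 2, 1700090000),
        ("kTCCServiceAppleEvents", "com.example.unknown-agent", 0, 2, 1700090100),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 1700000900),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.denied", 0, 0, 1700000950),
    ])
    return con


def find_unexpected_grants(con: sqlite3.Connection, allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (service, client, reason) for sensitive grants outside the allowlist."""
    findings = []
    query = ("SELECT service, client, client_type FROM access "
             "WHERE auth_value = ? ORDER BY last_modified")
    for service, client, client_type in con.execute(query, (AUTH_ALLOWED,)):
        if service not in SENSITIVE_SERVICES or client in allowlist:
            continue
        reason = "path-based client" if client_type == 1 else "unlisted bundle id"
        findings.append((service, client, reason))
    return findings
```

On a real host the per‑user database is ~/Library/Application Support/com.apple.TCC/TCC.db and the system one is /Library/Application Support/com.apple.TCC/TCC.db; reading either requires Full Disk Access for the tool doing the reading.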
CHROMEPUSH
CHROMEPUSH is also a data stealer, written in C++ and deployed as a browser extension for Google Chrome and Brave. It masquerades as a tool for editing Google Docs offline and can:
- Record keystrokes
- Observe username and password inputs
- Extract browser cookies
“The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant said. “While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities.”