North Korean hackers use new macOS malware in crypto-theft attacks

Published: February 10, 2026 at 05:17 PM EST
4 min read

Source: Bleeping Computer

North Korean hackers are running tailored campaigns using AI‑generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor’s goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google’s Mandiant researchers.

During the response engagement, the researchers found seven distinct macOS malware families and attributed the attack to UNC1069, a threat group they’ve been tracking since 2018.

Infection chain

The attack had a strong social‑engineering component. The victim was contacted over Telegram from a compromised executive account at a cryptocurrency company. After building rapport, the hackers shared a Calendly link that directed the victim to a spoofed Zoom meeting page hosted on the attackers’ infrastructure.

According to the target, the hackers showed a deep‑fake video of a CEO at another cryptocurrency company. “Once in the ‘meeting,’ the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues,” Mandiant researchers say [1].

Under this pretext, the attacker instructed the victim to troubleshoot the problems using commands present on a webpage. Mandiant found commands on the page for both Windows and macOS that would start the infection chain.

Huntress researchers documented a similar attack method in mid‑2025 and attributed it to the BlueNoroff group (also known as Sapphire Sleet and TA444), which targeted macOS systems using a different set of payloads.

macOS malware

Mandiant researchers observed AppleScript execution once the infection chain started, followed by deployment of a malicious Mach‑O binary. In the next stage, the attacker executed seven distinct malware families:

  • WAVESHAPER – C++ backdoor that runs as a background daemon, collects host system information, communicates with C2 over HTTP/HTTPS using curl, and downloads and executes follow‑on payloads.
  • HYPERCALL – Golang‑based downloader that reads an RC4‑encrypted configuration file, connects to C2 over WebSockets on TCP 443, downloads malicious dynamic libraries, and reflectively loads them into memory.
  • HIDDENCALL – Golang‑based backdoor injected reflectively by HYPERCALL; provides keyboard access, supports command execution and file operations, and deploys additional malware.
  • SILENCELIFT – Minimal C/C++ backdoor that beacons host information and lock‑screen status to a hard‑coded C2 server and can interrupt Telegram communications when executed with root privileges.
  • DEEPBREATH – Swift‑based data miner deployed via HIDDENCALL; bypasses macOS TCC protections by modifying the TCC database to gain broad filesystem access and steals keychain credentials, browser data, Telegram data, and Apple Notes data.
  • SUGARLOADER – C++ downloader that uses an RC4‑encrypted configuration to retrieve next‑stage payloads and establishes persistence via a manually created launch daemon.
  • CHROMEPUSH – C++ browser data miner deployed by SUGARLOADER; installs as a Chromium native‑messaging host masquerading as a Google Docs Offline extension and collects keystrokes, credentials, cookies, and optionally screenshots.
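
Defender‑side triage for the CHROMEPUSH technique described above (a rogue Chromium native‑messaging host). This is an added example, not code from the article or from Mandiant: it parses native‑messaging host manifests of the kind Chrome reads from its NativeMessagingHosts directories on macOS, flags hosts whose binary sits in a user‑writable or hidden location or whose manifest claims Google/Docs branding while living outside system and application paths, and runs against two constructed sample manifests in a temporary directory. The directory list, the path heuristics and all sample values are assumptions for illustration.

```python
import json
import tempfile
from pathlib import Path

# Directories Chrome scans for native-messaging host manifests on macOS (assumed; adjust per browser).
NMH_DIRS = [Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
            Path("/Library/Google/Chrome/NativeMessagingHosts")]
TRUSTED_PREFIXES = ("/Applications/", "/Library/", "/usr/", "/System/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

def triage_manifest(m: dict) -> list[str]:
    """Heuristic findings for one native-messaging host manifest (empty list = nothing odd)."""
    findings = []
    path = m.get("path", "")
    label = (m.get("name", "") + " " + m.get("description", "")).lower()
    if path.startswith(TEMP_PREFIXES) or path.startswith(str(Path.home())):
        findings.append(f"host binary in user-writable location: {path}")
    if any(part.startswith(".") for part in Path(path).parts[1:]):
        findings.append(f"host binary under a hidden directory: {path}")
    # Masquerade check: manifest claims Google/Docs branding but the binary is outside trusted paths.
    if ("google" in label or "docs" in label) and not path.startswith(TRUSTED_PREFIXES):
        findings.append("claims Google/Docs branding but binary is outside system/app paths")
    return findings

def scan_dir(d: Path) -> dict[str, list[str]]:
    """Triage every *.json manifest in d; an unparseable manifest is itself a finding."""
    results = {}
    for f in sorted(d.glob("*.json")):
        try:
            results[f.name] = triage_manifest(json.loads(f.read_text()))
        except (ValueError, OSError) as e:
            results[f.name] = [f"unparseable manifest: {e}"]
    return results

def demo() -> dict[str, list[str]]:
    """Run the scan over two constructed manifests (sample data, not real indicators)."""
    benign = {"name": "com.example.helper", "description": "Example helper", "type": "stdio",
              "path": "/Applications/Example.app/Contents/MacOS/helper",
              "allowed_origins": ["chrome-extension://exampleexampleexampleexampleexam/"]}  # constructed id
    rogue = {"name": "com.google.docs_offline", "description": "Google Docs Offline", "type": "stdio",
             "path": str(Path.home() / "Library/.cache/docs_helper"),  # hidden + user-writable: constructed
             "allowed_origins": ["chrome-extension://placeholderextensionidplaceholder0/"]}  # constructed id
    with tempfile.TemporaryDirectory() as tmp:
        for fname, m in (("com.example.helper.json", benign), ("com.google.docs_offline.json", rogue)):
            (Path(tmp) / fname).write_text(json.dumps(m))
        return scan_dir(Path(tmp))
```

Pointing `scan_dir` at each entry of `NMH_DIRS` on a live host lists every registered native‑messaging host with its findings; treat the heuristics as a starting point for manual review, not a verdict.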


[Figure: Overview of the attack chain. Source: Mandiant]

Of the malware found, SUGARLOADER has the most detections on VirusTotal, followed by WAVESHAPER, which is flagged by only two products. The remaining families are not present in the platform’s malware database.

Mandiant notes that SILENCELIFT, DEEPBREATH, and CHROMEPUSH represent a new set of tooling for the threat actor. The researchers describe the volume of malware deployed on a single host as unusual, confirming a targeted attack focused on collecting as much data as possible for two reasons: cryptocurrency theft and fueling future social‑engineering campaigns by leveraging the victim’s identity and data.

Since 2018, UNC1069 has demonstrated its ability to evolve by adopting new techniques and tools. In 2023, the group shifted to targets in the Web3 industry (centralized exchanges, developers, venture‑capital funds). Last year, the threat actor pivoted to financial services and the cryptocurrency industry in verticals such as payments, brokerage, and wallet infrastructure.

Footnotes

  1. Mandiant researchers, “UNC1069 targets cryptocurrency with AI‑driven social engineering,” Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering.
