Ethical Hacking News

North Korean Hackers Leverage AI-Generated Deepfakes and ClickFix Technique to Launch Sophisticated Crypto-Theft Attacks



North Korean hackers have been using AI-generated deepfakes, the ClickFix technique, and tailored campaigns to deliver targeted attacks on macOS and Windows systems used by targets in the cryptocurrency sector. The goal of these attacks is to steal sensitive information and funds from financial institutions, exchanges, and other organizations.

  • North Korean hackers use AI-generated deepfakes, ClickFix technique, and targeted campaigns to attack macOS and Windows systems used by cryptocurrency sector targets.
  • The attackers leverage social engineering to build rapport with victims, making them more likely to take actions that lead to infection.
  • The initial contact is made through a spoofed Zoom meeting page, where the hackers show a deepfake video of a CEO at another company.
  • Seven distinct malware families are deployed, each collecting sensitive information and carrying out specific objectives.
  • The malware families include WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH.
  • The attackers aim to steal sensitive information and funds from financial institutions and organizations, as well as fuel future social engineering campaigns.




The threat actor's approach is marked by a strong social engineering component: the victim is contacted over the Telegram messaging service from a compromised account of an executive at a cryptocurrency company. This initial contact builds rapport with the target, making it easier to gain their trust and persuade them to "troubleshoot" a problem by running commands shown on a webpage, which is the ClickFix technique.

The attack begins with a spoofed Zoom meeting page on which the hackers show a deepfake video of a CEO at another cryptocurrency company. This ruse creates an atmosphere of uncertainty that the attackers use to manipulate the victim into taking the specific actions that start the infection chain.

Once the infection chain is initiated, Mandiant researchers found evidence of AppleScript execution followed by the deployment of a malicious Mach-O binary. The attackers then executed seven distinct malware families, each designed to collect sensitive information and carry out specific objectives.

The malware families identified include:

* WAVESHAPER - A C++ backdoor that runs as a background daemon, collects host system information, communicates with the command and control (C2) server over HTTP/HTTPS using curl, and downloads and executes follow-on payloads.
* HYPERCALL - A Golang-based downloader that reads an RC4-encrypted configuration file, connects to the C2 server over WebSockets on TCP 443, downloads malicious dynamic libraries, and reflectively loads them into memory.
* HIDDENCALL - A Golang-based backdoor reflectively injected by HYPERCALL that provides hands-on-keyboard access, supports command execution and file operations, and deploys additional malware.
* SILENCELIFT - A minimal C/C++ backdoor that beacons host information and lock screen status to a hard-coded C2 server and can interrupt Telegram communications when executed with root privileges.
* DEEPBREATH - A Swift-based data miner deployed via HIDDENCALL that bypasses macOS TCC protections by modifying the TCC database to gain broad filesystem access and steals keychain credentials, browser data, Telegram data, and Apple Notes data.
* SUGARLOADER - A C++ downloader that uses an RC4-encrypted configuration to retrieve next-stage payloads and was made persistent via a manually created launch daemon.
* CHROMEPUSH - A C++ browser data miner deployed by SUGARLOADER that installs as a Chromium native messaging host masquerading as a Google Docs Offline extension and collects keystrokes, credentials, cookies, and optionally screenshots.
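The CHROMEPUSH entry above describes a persistence and collection mechanism that defenders can enumerate directly: Chromium native messaging hosts are small JSON manifests that tell the browser which local executable an extension may talk to over stdio. The following Python script is an added defender-side example, not code from the article, from Mandiant, or from any of the named malware families. It scans the standard Chrome manifest directories on macOS and flags hosts whose binary lives in an unusual location, is hidden, is missing from disk, or borrows Google Docs Offline branding while pointing outside a Google-owned path. The trusted path prefixes, the lookalike terms and the two sample manifests are assumptions constructed for this example; the extension IDs and file paths in them are placeholders.

```python
"""Audit Chromium native messaging host (NMH) manifests for signs of abuse.

Added example (not from the article or from Mandiant). A native messaging host
is declared by a JSON manifest that names a local executable the browser will
launch and talk to over stdio; a data miner installed this way can be found by
enumerating the manifest directories and checking each entry.
"""
import json
import os
import tempfile

# Standard Chrome manifest directories on macOS (user-level and system-level).
CHROME_NMH_DIRS = [
    os.path.expanduser("~/Library/Application Support/Google/Chrome/NativeMessagingHosts"),
    "/Library/Google/Chrome/NativeMessagingHosts",
]

# Where a legitimately installed host binary is expected to live.
# Assumption for this example; tune to your fleet's software inventory.
TRUSTED_PATH_PREFIXES = ("/Applications/", "/Library/", "/usr/local/", "/opt/")

# Branding a lookalike host might borrow from the extension it imitates (per the article).
LOOKALIKE_TERMS = ("google docs", "docs offline")


def audit_manifest(path):
    """Return a list of (severity, reason) findings for one manifest file."""
    try:
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError) as exc:
        return [("low", f"unparseable manifest: {exc}")]

    findings = []
    host_path = manifest.get("path", "")
    origins = manifest.get("allowed_origins", [])
    blob = f"{manifest.get('name', '')} {manifest.get('description', '')}".lower()

    # Host binary outside normal install locations (temp dirs, caches, dotfolders).
    if not host_path.startswith(TRUSTED_PATH_PREFIXES):
        findings.append(("high", f"host binary in unusual location: {host_path}"))
    # Hidden file names are a common way to keep an implant out of casual view.
    if os.path.basename(host_path).startswith("."):
        findings.append(("high", f"hidden host binary name: {host_path}"))
    # A missing binary is stale at best, the remnant of a removed implant at worst.
    if host_path and not os.path.exists(host_path):
        findings.append(("medium", f"host binary missing on disk: {host_path}"))
    # Google Docs Offline branding served from a path Google does not own.
    if any(term in blob for term in LOOKALIKE_TERMS) and "/Google/" not in host_path:
        findings.append(("high", "claims Google Docs Offline branding from a non-Google path"))
    # Each origin should be exactly one extension ID; anything else widens reach to the host.
    for origin in origins:
        if not (origin.startswith("chrome-extension://") and origin.endswith("/")):
            findings.append(("medium", f"malformed allowed_origin: {origin}"))
    if not origins:
        findings.append(("medium", "no allowed_origins declared"))
    if manifest.get("type") != "stdio":
        findings.append(("low", f"unexpected type: {manifest.get('type')}"))
    return findings


def audit_directories(dirs):
    """Scan every *.json manifest in the given directories; return {manifest_path: findings}."""
    results = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if fname.endswith(".json"):
                full = os.path.join(d, fname)
                results[full] = audit_manifest(full)
    return results


def high_findings(findings):
    """Just the high-severity reasons, for triage."""
    return [reason for sev, reason in findings if sev == "high"]


# Constructed sample manifests so the script runs offline; IDs and paths are placeholders.
SAMPLE_MANIFESTS = {
    "com.example.legit_host.json": {
        "name": "com.example.legit_host",
        "description": "Password manager helper",
        "path": "/Applications/ExampleVault.app/Contents/MacOS/nmhost",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
    },
    "com.google.docs_offline.json": {
        "name": "com.google.docs_offline",
        "description": "Google Docs Offline",
        "path": "/Users/victim/.cache/.docs_offline",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    },
}


def run_demo():
    """Write the constructed manifests to a temp dir, audit them, key results by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in SAMPLE_MANIFESTS.items():
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                json.dump(body, fh)
        results = audit_directories([tmp])
    return {os.path.basename(k): v for k, v in results.items()}


if __name__ == "__main__":
    for path, findings in {**run_demo(), **audit_directories(CHROME_NMH_DIRS)}.items():
        print(path, findings or "clean")
```

On a real host the legit sample only draws a "missing on disk" finding because the placeholder application is not installed; the lookalike draws three high-severity findings (unusual location, hidden name, borrowed branding). The same manifest layout is used by other Chromium-based browsers under their own `NativeMessagingHosts` directories, so the directory list can be extended per browser.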

The attackers demonstrated an unusual level of sophistication in deploying multiple malware families against a single individual. According to Mandiant researchers, the goal of this attack is not only to steal sensitive information but also to fuel future social engineering campaigns by leveraging the victim's identity and data.

This is not the first time that North Korean hackers have targeted the cryptocurrency industry. In 2023 they shifted their focus from Web3 to financial services and cryptocurrency verticals such as payments, brokerage, and wallet infrastructure, and last year they continued that trend with a further move toward the financial services sector.

The use of AI-generated deepfakes and the ClickFix technique by North Korean hackers highlights the evolving nature of cyber threats. These tactics are becoming increasingly sophisticated, making it essential for organizations to stay vigilant and implement robust security measures to protect themselves against such attacks.

In conclusion, the recent attack vector employed by North Korean hackers is a stark reminder of the importance of cybersecurity in today's digital landscape. As the threat landscape continues to evolve, it is crucial that organizations prioritize their security posture and remain proactive in protecting themselves against sophisticated attacks like this one.



Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Leverage-AI-Generated-Deepfakes-and-ClickFix-Technique-to-Launch-Sophisticated-Crypto-Theft-Attacks-ehn.shtml

  • Published: Tue Feb 10 19:31:55 2026 by llama3.2 3B Q4_K_M