thehackernews.com 2/11/2026, 7:20:28 AM

North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

The North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal data from Windows and macOS systems, with the ultimate aim of facilitating financial theft, according to Google Mandiant. The intrusion relied on a social engineering scheme that combined a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and the reported use of AI-generated video to deceive the victim, according to Google Mandiant researchers Ross Inman and Adrian Hernandez.

UNC1069 has been active since at least April 2018 and has a history of social engineering campaigns involving fake meeting invites and impersonations on Telegram, Google noted. The group deployed as many as seven malware families in the latest intrusion, including SILENCELIFT, DEEPBREATH, and CHROMEPUSH, with a downloader named SUGARLOADER and other components such as HYPERCALL, HIDDENCALL, and DEEPBREATH acting in stages to steal credentials and data.

It also used deepfake images and video lures masquerading as Zoom meetings, and employed a Zoom SDK disguise in some campaigns, as part of its effort to distribute the backdoor BIGMACHO. Google Threat Intelligence Group highlighted how UNC1069 has shifted toward Web3 targets such as exchanges and venture-capital-related individuals, expanding its arsenal with multiple new malware families.


Article by CyberSIXT