Cybersecurity

Cyber: North Korea-linked Unc1069 Uses AI Lures To Attack Cryptocurrency...

2026-02-11 0 views admin
Cyber: North Korea-linked Unc1069 Uses AI Lures To Attack Cryptocurrency...

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.

"The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim," Google Mandiant researchers Ross Inman and Adrian Hernandez said.

UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It's also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.

In a report published last November, Google Threat Intelligence Group (GTIG) pointed out the threat actor's use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of efforts to support its social engineering campaigns.

The group has also been observed attempting to misuse Gemmini to develop code to steal cryptocurrency, as well as leverage deepfake images and video lures mimicking individuals in the cryptocurrency industry in its campaigns to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).

"Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds," Google said.

In the latest intrusion documented by the tech giant's threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new malware families, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

It all starts when a victim is approached by the threat actor via Telegram by impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders. Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with them.

The meeting link is designed to redirect the victim to a fake website masquerading as Zoom ("zoom.uswe05[.]us"). In certain cases, the meeting links are

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views