Written by: Ross Inman, Adrian Hernandez
Introduction
North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2019. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.
These tactics build upon a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools where Google Threat Intelligence Group (GTIG) identified UNC1069’s transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations. The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities.
Initial Vector and Social Engineering
The victim was contacted via Telegram by an account of an executive of a cryptocurrency company that had been compromised by UNC1069. Mandiant identified claims from the true owner of the account, posted from another social media profile, where they had posted a warning to their contacts that their Telegram account had been hijacked; however, Mandiant was not able to verify or establish contact with this executive. UNC1069 engaged the victim and, after continuing a rapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link itself directed to a spoofed Zoom meeting that was hosted on the threat actor’s infrastructure, zoom[.]uswe05[.]us.
The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake. While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the ruse aligns perfectly with activity previously tracked by GTIG. As detailed in our November 2025 research, UNC1069 has successfully leveraged deepfake images and video lures impersonating industry figures to distribute its BIGMACHO backdoor. In those previous campaigns, the actor prompted targets to install a malicious “Zoom SDK,” a precursor to the technical troubleshooting lure observed in this intrusion. These techniques include the capture of images or video, indicating open-source intelligence (OSINT) collection to conduct social engineering attacks. This hypothesis is reinforced by the original profile of the individual impersonated during the attack reporting an account takeover by an unknown adversary.
Once in the “meeting,” the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues. This was employed by the threat actor to conduct a ClickFix attack: an attack technique where the threat actor directs the user to run troubleshooting commands on their system to address a purported technical issue.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: