TechRadar
Sead Fadilpašić

North Korean hackers use AI-generated video to deliver malware for macOS and Windows

[Image: North Korean flag with a hooded hacker]

  • Mandiant reports UNC1069 using compromised Telegram, fake Zoom calls, and deepfake videos
  • Victims tricked into installing malware suite including WAVESHAPER, HYPERCALL, and SUGARLOADER
  • North Korean actors target crypto firms, continuing state-linked theft campaigns like Lazarus and TraderTraitor

North Korean cybercriminals appear to be upping their game, with new Mandiant reports claiming the hackers are now using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen malware strains.

This evil concoction was apparently used against organizations in the cryptocurrency sector, with the goal of stealing their crypto stacks.

In its report, Mandiant said it observed a group tracked as UNC1069 using this advanced technique. The attack starts with a compromised Telegram account of a CEO, or a similar C-suite executive. The account is then used to initiate a conversation with the victim and, after a little back-and-forth, invite them to a Zoom call.

Unsuccessful attack

But the call is not legitimate. It is a spoofed Zoom meeting hosted on the threat actor’s own infrastructure, zoom[.]uswe05[.]us. On the call, the victims are shown a deepfake video of the impersonated CEO, which claims the victim’s audio is not working and that they should fix it.
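The spoofed host above, zoom[.]uswe05[.]us, only begins with the word "zoom"; its registrable domain is uswe05.us, which is what a careful check should look at. The script below is an added example, not code from Mandiant or TechRadar, showing how a defender can triage meeting links received over chat by refanging any defanged indicators and then testing whether the hostname is exactly a Zoom-owned domain or a subdomain of one, rather than a substring match. The allowlist of Zoom suffixes and the sample links other than the one from the report are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Hostnames that legitimately serve Zoom meetings. This allowlist is an
# assumption for the example; add any vanity domains your tenant uses.
ZOOM_SUFFIXES = ("zoom.us", "zoom.com", "zoomgov.com")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as zoom[.]uswe05[.]us into a real URL/host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(link: str) -> str:
    """Extract the lowercased hostname from a URL or a bare hostname."""
    if "://" not in link:
        link = "https://" + link
    return (urlparse(link).hostname or "").lower().rstrip(".")


def is_legitimate_zoom_host(host: str) -> bool:
    """True only if host equals a Zoom suffix or is a subdomain of one.

    Matching on the registrable suffix (host == s or host ends with "." + s)
    is what makes zoom.uswe05.us fail: it is not under zoom.us at all.
    """
    return any(host == s or host.endswith("." + s) for s in ZOOM_SUFFIXES)


def triage_meeting_links(links):
    """Classify each link as 'ok', 'lookalike' (mentions zoom but is not a
    Zoom domain) or 'not-zoom'. Returns a dict keyed by the original link."""
    results = {}
    for link in links:
        host = host_of(refang(link))
        if is_legitimate_zoom_host(host):
            verdict = "ok"
        elif "zoom" in host:
            verdict = "lookalike"
        else:
            verdict = "not-zoom"
        results[link] = verdict
    return results


if __name__ == "__main__":
    # Constructed sample invite links; the first is the defanged host from the report.
    sample_links = [
        "zoom[.]uswe05[.]us",
        "https://us02web.zoom.us/j/1234567890",
        "https://zoom.us.evil.example/j/1234567890",
        "https://meet.example.org/abc",
    ]
    for link, verdict in triage_meeting_links(sample_links).items():
        print(f"{verdict:10} {link}")
```

Running the script prints one verdict per link; only the us02web.zoom.us link is marked ok, while both the report's host and the constructed zoom.us.evil.example link are flagged as lookalikes. A simple "contains zoom" or "starts with zoom" rule would have passed both of those.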

Finally, in traditional ClickFix manner, the victims are presented with a solution which, instead of “fixing” the non-existent error, deploys a whole swathe of malware: WAVESHAPER, HYPERCALL, HIDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

Together, these tools form a multi-stage infection chain that enables persistence, credential harvesting, browser data theft, and long-term access.

UNC1069 is not a widely recognized threat actor. However, since UNC stands for Uncategorized (or Unclassified), it could simply mean that a previously observed threat actor changed its infrastructure or technique and has not yet been properly attributed.

North Korean actors are infamous for targeting crypto businesses. Some of the biggest heists were attributed to state-sponsored groups such as Lazarus, and these collectives are often tasked with stealing crypto through which the country funds its weapons program and state apparatus.

The biggest cryptocurrency heist ever recorded was the February 21, 2025 hack of the Dubai-based exchange Bybit, in which around 1.5 billion in ether-related assets were stolen from a cold wallet. Analysts and law enforcement have linked the attack to North Korean state-linked cybercriminal groups, including the Lazarus Group and TraderTraitor.

