North Korean Hackers Deploy New macOS Malware in Cryptocurrency Attacks
North Korean cybercriminals are escalating their attacks on the cryptocurrency sector, deploying new macOS malware families alongside sophisticated social engineering tactics. Recent investigations by Google’s Mandiant reveal that the threat group UNC1069 is behind these campaigns, using deepfake videos, spoofed Zoom meetings, and AI‑generated content to compromise victims.
Social Engineering: The First Line of Attack
- Hackers contacted victims via Telegram, impersonating executives from crypto firms.
- Victims were lured into a fake Zoom meeting through Calendly links hosted on attacker infrastructure.
- A deepfake CEO video was used to build trust, followed by staged “audio issues.”
- Victims were tricked into running malicious troubleshooting commands, initiating the infection chain.
The macOS Malware Arsenal
Mandiant identified seven distinct malware families deployed in these attacks:
| Malware | Language | Purpose |
|---|---|---|
| WAVESHAPER | C++ | Backdoor, collects system info, downloads payloads |
| HYPERCALL | Golang | Downloader, loads malicious libraries via WebSockets |
| HIDDENCALL | Golang | Backdoor, enables hands-on keyboard access |
| SILENCELIFT | C/C++ | Beacons host info, interrupts Telegram comms |
| DEEPBREATH | Swift | Data miner, bypasses macOS TCC, steals credentials |
| SUGARLOADER | C++ | Downloader, persistence via launch daemon |
| CHROMEPUSH | C++ | Browser data miner, masquerades as Google Docs Offline |
Highlights:
- SILENCELIFT, DEEPBREATH and CHROMEPUSH are newly identified tools that had not been observed before this campaign.
- SUGARLOADER shows the highest detection rates on VirusTotal, while others remain largely undetected.
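Two of the behaviours in the table, SUGARLOADER's persistence through a launch daemon and CHROMEPUSH's masquerading as a legitimate component, are the kind of thing a defender can hunt for by auditing the launchd plists on a host. The script below is an added example written for this article; it is not Mandiant's tooling, the three sample plists are constructed for illustration (not recovered SUGARLOADER or CHROMEPUSH artifacts), and the red-flag heuristics (program launched from a scratch or hidden directory, an Apple-style label pointing at a non-Apple program, an interpreter running an inline command, RunAtLoad combined with KeepAlive) are the author's assumptions about what is worth a second look, not a published detection rule.

```python
"""Flag common persistence red flags in macOS LaunchDaemon/LaunchAgent plists.

Added example for this article: not Mandiant's tooling, and the sample plists
below are constructed for illustration, not recovered malware artifacts.
The heuristics are assumptions about what a defender would want to review.
"""
import os
import plistlib

# Locations where programs launched by legitimately installed plists normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/", "/Applications/")
# Scratch directories a legitimate daemon should not be launched from.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# Interpreters that, given "-c", run a script embedded in the plist itself.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl"}

# Constructed sample plists: one benign, one spoofing an Apple label, one in /tmp.
SAMPLE_PLISTS = {
    "benign": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Backup.app/Contents/MacOS/backupd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "spoofed_apple_label": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/alice/.cache/.updater --daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "temp_dir": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/private/tmp/update</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


def audit_plist(data: bytes) -> list:
    """Return finding codes for one launchd plist; an empty list means nothing flagged."""
    plist = plistlib.loads(data.lstrip())
    findings = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))

    # If the program is an interpreter running an inline command, inspect the
    # first token of that command as the effective program instead.
    effective = program
    if args and os.path.basename(args[0]) in INTERPRETERS and "-c" in args[1:]:
        findings.append("interpreter_with_inline_command")
        idx = args.index("-c") + 1
        tokens = args[idx].split() if idx < len(args) else []
        if tokens:
            effective = tokens[0]

    if effective.startswith(TEMP_PREFIXES):
        findings.append("program_in_temp_dir")
    if any(part.startswith(".") for part in effective.split("/") if part):
        findings.append("program_in_hidden_path")
    if effective and not effective.startswith(TRUSTED_PREFIXES):
        findings.append("program_outside_trusted_locations")
    # An Apple-style label pointing at a program outside Apple's own trees is a
    # classic masquerading pattern.
    if label.startswith("com.apple.") and not effective.startswith(("/System/", "/usr/")):
        findings.append("apple_label_with_non_apple_program")
    # RunAtLoad + KeepAlive is normal for real daemons; only report it when the
    # plist already looks suspicious, since it makes the persistence sticky.
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        findings.append("persistent_run_at_load_keepalive")
    return findings


def audit_all(plists: dict) -> dict:
    """Audit a mapping of name -> plist bytes, keeping only entries with findings."""
    flagged = {}
    for name, data in plists.items():
        findings = audit_plist(data)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PLISTS).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host the same `audit_plist` function can be fed the contents of each file under `/Library/LaunchDaemons`, `/Library/LaunchAgents` and every user's `~/Library/LaunchAgents`; treat the finding codes as triage prompts to be reviewed against the machine's software inventory, not as verdicts, since third-party software legitimately installs plists outside the trusted prefixes listed here.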
Objectives of the Campaign
The attackers pursued two clear goals:
- Immediate cryptocurrency theft – stealing credentials, browser data, and keychain information.
- Future social engineering leverage – harvesting personal data to impersonate victims in later campaigns.
Evolution of UNC1069
- Active since 2018, UNC1069 has consistently evolved its tactics.
- 2023: Shifted focus to Web3 companies, exchanges, and venture capital funds.
- 2024–25: Expanded to financial services and crypto infrastructure, including payments, brokerage, and wallets.
- Now, the group demonstrates multi‑stage macOS tooling and AI‑driven deception, signaling a new phase in its operations.
Conclusion
This campaign underscores the growing sophistication of North Korean cyber operations. By combining deepfake technology, AI‑generated content, and advanced macOS malware, UNC1069 is intensifying its focus on cryptocurrency theft. For crypto firms and fintech companies, vigilance against social engineering attacks and multi‑stage malware infections is more critical than ever.