North Korean UNC1069 Hackers Unleash AI Deepfakes and New Mac Malware on Crypto Targets
Imagine getting a message on Telegram from a trusted crypto executive. They suggest a quick Zoom call to discuss a hot deal. But it’s all a trap. This is how
In a recent attack on a FinTech firm in crypto, these hackers dropped seven malware types on one Mac. They used fake videos, tricked users into running bad commands, and grabbed browser data, passwords, and session tokens. This lets them drain wallets and hijack accounts. If you’re in crypto, DeFi, or Web3, this threat is real.
Who Are UNC1069 and Why Crypto?
UNC1069 is a money-hungry group linked to North Korea. Active since 2018, they shifted to crypto targets around 2023. Before, they hit banks with phishing. Now, they go after crypto startups, devs, exchanges, and VC firms.
Why crypto? Easy money. They steal coins from wallets, exchanges, and staking platforms. In 2025, they’ve eyed payments, brokerage, and wallet tech. This group uses pro tools but sometimes sloppy code, showing a mix of skill levels.
- Main targets: Centralized exchanges (CEX), software devs, high-tech firms, VC employees.
- Goal: Grab credentials for direct theft or more scams.
The Sneaky Attack Starts with Social Engineering
The hack kicked off on Telegram. Hackers took over an exec’s account from another crypto firm. They chatted up the victim, built trust, then sent a Calendly link for a 30-min meeting.
Clicking led to a fake Zoom page at zoom[.]uswe05[.]us – a server the attackers controlled. On the call, a deepfake video of another company’s CEO played, and the victim believed it was real. The attackers then staged fake audio problems as the pretext for a “ClickFix” trick.
ClickFix: the user is told to paste “fix” commands into the terminal. Hidden among them is a malware download. The attackers had command sets for both Mac and Windows.
Pro tip: Never run unknown terminal commands, even from “trusted” contacts. Verify first.
AI twist: Hackers use tools like Gemini for research and fake images/videos. Reports match past deepfake scams in crypto.
The Malware Chain: Seven Tools on One Mac
The victim ran the Mac commands. An AppleScript dropped first, then the WAVESHAPER backdoor. It fetched more: the HYPERCALL downloader, HIDDENCALL for remote control, SUGARLOADER (an older tool of theirs), and the new additions SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

Even without EDR, Apple’s XProtect logged bad behavior in XPdb. Timestamps showed the full chain.
New Malware Breakdown
DEEPBREATH: Bypasses Mac Privacy
Swift-based data thief. Abuses Finder’s Full Disk Access grant to get around the TCC database (Mac’s permission guard). Steals:
- Keychain passwords
- Chrome, Brave, Edge data
- Telegram chats (two versions)
- Apple Notes
Zips and sends via curl. Relaunches via AppleScript to hide.
CHROMEPUSH: Browser Spy
C++ miner. Poses as Google Docs extension. Hits Chrome/Brave as native messaging host. Logs keys, grabs cookies, screenshots. Sends to cmailer[.]pro.
Persistence: Fake manifest in ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/.
SILENCELIFT: Quiet Beacon
C/C++ backdoor. Phones home to support-zoom[.]us with system info and screen lock status. If running as root, it blocks Telegram.
Others: WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER
WAVESHAPER (C++): Downloads payloads, runs daemon, grabs processes/software.
HYPERCALL (Go): RC4 config, reflective load. Links to HIDDENCALL via Rosetta cache clues.
SUGARLOADER (C++): Loads CHROMEPUSH, launch daemon persistence.
Code overlaps show shared dev – RC4 keys, “t_” functions.
Why This Hits Crypto Hard
These tools snag session tokens, cookies for wallet logins. One infected Mac = drained funds. Hackers pivot from personal to corporate devices often.
Why drop so many tools on one host? To collect as much data as possible, both for direct theft and for future scams using the stolen identities.
Key Indicators to Hunt
Watch these paths/hashes:
- Hashes: b452C2da7c012eda25a1403b3313444b5eb7C2c3e25eee489f1bd256f8434735, 1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede
- Paths: /Library/Caches/System Settings, /Library/OSRecovery/SystemUpdater, /Library/SystemSettings/.CacheLogs.db
- C2: zoom[.]uswe05[.]us, support-zoom[.]us
Google SecOps rules catch: TCC tweaks, Chrome native hosts, keychain access.
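One way to hunt for the CHROMEPUSH persistence described above (a fake native messaging host manifest) and for the listed indicator paths, written as an added example for this post rather than code from the report or from Google SecOps. The IOC paths come from the article; the Brave manifest directory and the “cache, temp or hidden directory” and “Google-branded name” heuristics are this example’s own assumptions.

```python
"""Audit Chrome/Brave native messaging host manifests for signs of a rogue host.

Added example, not from the article. IOC paths are the article's; heuristics are assumptions.
"""
import json
from pathlib import Path

# Paths the article lists as indicators.
IOC_PATHS = {
    "/Library/Caches/System Settings",
    "/Library/OSRecovery/SystemUpdater",
    "/Library/SystemSettings/.CacheLogs.db",
}
# Directories where a legitimate host binary is unlikely to live (assumption).
SUSPICIOUS_PARENTS = ("/Library/Caches", "/tmp", "/private/tmp", "/var/tmp")


def audit_manifest(manifest: dict) -> list[str]:
    """Return reasons a native messaging host manifest looks suspicious (empty if clean)."""
    reasons = []
    path = manifest.get("path", "")
    name = manifest.get("name", "")
    if manifest.get("type") != "stdio":
        reasons.append("unexpected host type")
    if any(path == p or path.startswith(p + "/") for p in IOC_PATHS):
        reasons.append("binary path matches published IOC")
    if path.startswith(SUSPICIOUS_PARENTS) or any(part.startswith(".") for part in Path(path).parts[1:]):
        reasons.append("binary lives in a cache, temp or hidden directory")
    # The article says CHROMEPUSH poses as a Google Docs extension; a Google-branded
    # host whose binary sits outside /Applications is treated as a red flag (heuristic).
    if "google" in name.lower() and not path.startswith("/Applications/"):
        reasons.append("Google-branded host outside /Applications")
    return reasons


def scan_hosts_dir(hosts_dir) -> dict[str, list[str]]:
    """Scan one NativeMessagingHosts directory; findings are keyed by manifest filename."""
    findings = {}
    for manifest_file in sorted(Path(hosts_dir).glob("*.json")):
        try:
            data = json.loads(manifest_file.read_text())
        except (OSError, ValueError):
            findings[manifest_file.name] = ["unreadable or malformed manifest"]
            continue
        reasons = audit_manifest(data)
        if reasons:
            findings[manifest_file.name] = reasons
    return findings


if __name__ == "__main__":
    # Chrome path is from the article; the Brave path is an assumed equivalent location.
    for rel in ("Library/Application Support/Google/Chrome/NativeMessagingHosts",
                "Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts"):
        for fname, why in scan_hosts_dir(Path.home() / rel).items():
            print(f"{rel}/{fname}: {'; '.join(why)}")
```

Run it as the user whose browser profile you are checking; a finding is a lead to triage, not proof of compromise on its own.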
How to Protect Your Crypto Setup
- Verify Contacts: Call back on known numbers. Check social warnings.
- 2FA & Hardware Wallets: Use YubiKey, Ledger for big holdings.
- EDR/AV: Run CrowdStrike, XProtect updates. Check XPdb.
- Browser Hygiene: Block extensions, clear cookies often.
- Train Team: Spot ClickFix, deepfakes. No terminal commands blindly.
- Air-Gap Wallets: For high-value, offline signing.
Crypto firms: Segment networks, monitor Telegram/Zoom logs.
The Bigger Picture: AI in Hacker Tools
UNC1069 is increasing its use of AI, from coding help to deepfakes. Expect more of this. North Korean groups fund the regime through crypto heists. Stay ahead.
Conclusion
Got hit? Check IOCs, scan Macs. Questions? Drop in comments.