- Mandiant reports UNC1069 using compromised Telegram accounts, fake Zoom calls and deepfake videos
- Victims were tricked into installing a suite of malware, including WAVESHAPER, HYPERCALL, and SUGARLOADER.
- North Korean actors are targeting crypto companies, continuing the state-linked theft campaigns attributed to groups such as Lazarus and TraderTraitor.
North Korean cybercriminals appear to be upping their game, with new Mandiant reports claiming hackers are now using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos and half a dozen malware strains.
This evil concoction was allegedly used against organizations in the cryptocurrency industry, in an attempt to steal their cryptocurrency holdings.
In its report, Mandiant said it observed a group it tracks as UNC1069 using this advanced technique. The attack begins with a compromised Telegram account belonging to a CEO or similar executive. The account is then used to initiate a conversation with the victim and, after some back and forth, invite them to a Zoom call.
Unsuccessful attack
But this call is not legitimate. It is a spoofed Zoom meeting, hosted on the threat actor’s infrastructure – zoom[.]nouswe05[.]We. During the call, victims see a deepfake video impersonating the CEO, who claims the victim’s audio isn’t working and that they should fix it.
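The spoofed meeting above worked because “zoom” appeared in the hostname while the registrable domain was the attacker’s, not Zoom’s. The following is an added example (not Mandiant’s code, and not from the article) of a defender-side check that classifies a meeting link by its registrable domain rather than by whether the word “zoom” appears anywhere in it. It assumes zoom.us and zoom.com are the legitimate Zoom domains, understands defanged notation such as `hxxps://` and `[.]`, and flags links that smuggle a legitimate-looking name into a subdomain or into the userinfo part of the URL. The sample links are constructed; the lookalike uses the article’s host name with a `.example` placeholder in place of the garbled TLD.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domains Zoom actually issues meeting links under.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}


def refang(text: str) -> str:
    """Turn defanged indicators (hxxps://, [.]) back into a parseable URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def split_link(url: str):
    """Return (hostname, userinfo) for a meeting link; adds a scheme if missing."""
    url = refang(url.strip())
    if not url:
        return "", ""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    userinfo = parts.username or ""
    return host, userinfo


def is_legit_zoom_host(host: str) -> bool:
    """True only if host is, or is a subdomain of, a legitimate Zoom domain.

    The check is anchored on the label boundary, so zoom.us.evil.example
    does not pass just because it ends in 'evil.example' and contains 'zoom.us'.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)


def classify_meeting_link(url: str) -> str:
    """Classify a meeting link as legitimate, lookalike, unrelated or invalid."""
    host, userinfo = split_link(url)
    if not host:
        return "invalid"
    # user@host links hide the real host behind a plausible-looking name;
    # a meeting link never needs credentials, so treat any userinfo as a lookalike.
    if userinfo:
        return "lookalike"
    if is_legit_zoom_host(host):
        return "legitimate"
    # "zoom" used as a subdomain or inside a label of someone else's domain.
    if any("zoom" in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the first mimics the spoofed host from the report.
    samples = [
        "hxxps://zoom[.]nouswe05[.]example/j/1234567890",
        "https://us02web.zoom.us/j/1234567890?pwd=abc",
        "https://zoom.us.evil.example/j/1234567890",
        "https://zoom.us@evil.example/j/1234567890",
        "https://mail.example.com/inbox",
    ]
    for link in samples:
        print(f"{classify_meeting_link(link):<11} {link}")
```

The point of anchoring on the registrable domain is that string matching on “zoom” cuts both ways: it is exactly what the victim’s eye does, and exactly what the spoofed host exploits. A link that classifies as `lookalike` is a reasonable trigger for a mail or chat gateway to rewrite or block the URL, and for a SOC to pivot on the host.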
Finally, in traditional ClickFix fashion, victims are presented with a solution that, instead of “fixing” the non-existent error, deploys a whole host of malware: WAVESHAPER, HYPERCALL, HIDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH and CHROMEPUSH.
Together, these tools form a multi-step infection chain that enables persistence, credential harvesting, browser data theft, and long-term access.
UNC1069 is not a widely recognized threat actor. However, since UNC stands for Uncategorized (or Unclassified), this could simply mean that a previously observed threat actor has changed their infrastructure or techniques and has not yet been properly attributed.
North Korean actors are infamous for targeting crypto companies. Some of the largest heists have been attributed to state-sponsored groups such as Lazarus, and these collectives are often responsible for stealing cryptocurrencies with which the country funds its weapons program and state apparatus.
The largest cryptocurrency heist on record was the February 21, 2025 hack of Dubai-based exchange Bybit, in which approximately $1.5 billion in ether-related assets were stolen from a cold wallet. Analysts and law enforcement have linked the attack to cybercriminal groups tied to the North Korean state, including the Lazarus Group and TraderTraitor.