- Mandiant reports UNC1069 using compromised Telegram, fake Zoom calls and deepfake videos
- Victims tricked into installing malware package including WAVESHAPER, HYPERCALL and SUGARLOADER
- North Korean actors continue to target crypto firms; earlier state-linked thefts have been attributed to groups such as Lazarus and TraderTraitor
North Korean cybercriminals appear to be upping their game, with a new Mandiant report claiming the hackers are now using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos and half a dozen malware strains.
This mix was apparently used against organizations in the cryptocurrency sector with the aim of stealing their cryptocurrency holdings.
In its report, Mandiant said it observed a group tracked as UNC1069 using this advanced technique. The attack starts with a compromised Telegram account of a CEO or similar C-suite executive. The account is then used to initiate a conversation with the victim and, after some back and forth, invite them to a Zoom call.
Failed attack
But the call is not legitimate. It is a fake Zoom meeting hosted on the threat actor’s own infrastructure – zoom[.]uswe05[.]us, a lookalike of the real Zoom domain. On the call, victims are shown a deepfake video of the impersonated CEO, who claims that the victim’s audio is not working and that they should fix it.
Finally, in traditional ClickFix fashion, victims are presented with a solution that, instead of “fixing” the non-existent bug, deploys a whole host of malware: WAVESHAPER, HYPERCALL, HIDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH and CHROMEPUSH.
Together, these tools form a multi-step infection chain that enables persistence, credential harvesting, browser data theft, and long-term access.
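The meeting domain above is a lookalike: "zoom" is only a subdomain label under an unrelated registered domain (uswe05[.]us). The following is an added example, not code from Mandiant or TechRadar, showing how a defender could sweep proxy logs for hostnames that carry the Zoom brand but do not resolve to Zoom's own registered domain. The log lines are constructed, and the allowlist and the two-label approximation of the registrable domain (no public-suffix list) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "timestamp user url" (not taken from the report).
SAMPLE_LOG = """\
2025-03-01T10:02:11Z alice https://us05web.zoom.us/j/123456789
2025-03-01T10:05:43Z bob https://zoom.uswe05.us/meeting/start
2025-03-01T10:07:02Z carol https://zoom.us/download
2025-03-01T10:09:55Z dave https://zoom-us.example-meet.com/j/42
"""

# Assumed allowlist of Zoom's own registrable domains; extend for your environment.
LEGIT_ZOOM_DOMAINS = {"zoom.us"}
BRAND = "zoom"


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: a real deployment should use a public-suffix list so that
    multi-label suffixes (e.g. co.uk) are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when the brand string appears in the hostname but the
    registrable domain is not one of Zoom's own domains."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return False  # genuine Zoom subdomain such as us05web.zoom.us
    return BRAND in host


def flag_lookalike_hosts(log_text: str) -> list:
    """Return (user, host) pairs for URLs whose host impersonates Zoom."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        _ts, user, url = parts[:3]
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    for user, host in flag_lookalike_hosts(SAMPLE_LOG):
        print(f"lookalike meeting host visited by {user}: {host}")
```

Feeding the detector proxy or DNS logs rather than the constructed sample gives a cheap first-pass hunt for the fake-meeting stage of this campaign.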
UNC1069 is not a widely recognized threat actor. However, since UNC is Mandiant’s prefix for an uncategorized (or unclassified) cluster of activity, it may simply mean that a previously observed threat actor changed its infrastructure or technique and has not yet been properly attributed.
North Korean actors are notorious for targeting crypto companies. Some of the biggest heists were attributed to state-sponsored groups like Lazarus, and these collectives are often tasked with stealing crypto through which the country funds its weapons program and state apparatus.
The largest cryptocurrency theft ever recorded was the February 21, 2025 hack of the Dubai-based exchange Bybit, in which around 1.5 billion in ether-related assets were stolen from a cold wallet. Analysts and law enforcement agencies have linked the attack to North Korean state-linked cybercriminal groups, including the Lazarus Group and TraderTraitor.