The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

UNC1069 Uses New Tools to Target Crypto Entities

Feb 20, 2026 1:53:03 PM / by The Hivemind posted in Threat Bulletin, social engineering, Cryptocurrency Theft, MacOS malware, North Korean threat actors, DeFi targeting, deepfake, UNC1069

0 Comments

Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH

Executive Summary

A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus financially motivated threat actor. The operation deployed seven unique malware families on a macOS host through sophisticated social engineering involving a compromised Telegram account, a spoofed Zoom meeting, a reported deepfake video, and a ClickFix technique to initiate infection.

Read More

New MacOS.ZuRu Variant Discovered

Jul 22, 2025 3:05:50 PM / by The Hivemind posted in Threat Bulletin, Evolving Threat, Malware Analysis, Cybersecurity Threat, MacOS malware, ZuRu malware, Termius trojan, macOS security, backdoor threat, SSH client attack, Khepri C2, developer security

0 Comments

Verticals Targeted: IT, software development  
Regions Targeted: None specified
Related Families: None

Executive Summary

A new variant of the macOS.ZuRu malware, first identified in 2021, was discovered, leveraging a trojanized Termius application to deploy a modified Khepri C2 beacon, targeting developers and IT professionals. This sophisticated backdoor employs advanced techniques to evade detection and establish persistent remote access.

Read More

NimDoor MacOS Malware

Jul 14, 2025 2:34:09 PM / by The Hivemind posted in Threat Bulletin, North Korea, Stealer, Infostealer, Cryptocurrency, social engineering, Stardust Chollima, NimDoor, AppleScript, MacOS malware, Web3, Nim, Zoom phishing

0 Comments

Verticals Targeted: Cryptocurrency
Regions Targeted: Not Specified
Related Families: None

Executive Summary

NimDoor is a sophisticated MacOS malware deployed by North Korea-linked threat actors, likely Stardust Chollima, targeting Web3 and cryptocurrency organizations. Utilizing Nim and C++ binaries, AppleScript, and social engineering via fake Zoom updates, NimDoor employs process injection, WebSocket communications, and signal-based persistence to steal sensitive data.

Read More
All posts

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More