Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH
Executive Summary
A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus financially motivated threat actor. The operation deployed seven unique malware families on a macOS host through sophisticated social engineering involving a compromised Telegram account, a spoofed Zoom meeting, a reported deepfake video, and a ClickFix technique to initiate infection.
Key Takeaways
- UNC1069 leveraged a multi-stage infection chain starting with social engineering via hijacked Telegram and fake Zoom, using ClickFix commands to execute initial payloads on macOS.
- New tooling including SILENCELIFT, DEEPBREATH, and CHROMEPUSH was deployed alongside a known downloader, SUGARLOADER.
- The attack focused on harvesting credentials, browser data, session tokens, Keychain items, Telegram data, and Apple Notes to enable cryptocurrency theft and support future social engineering.
- Persistence was achieved via a manually configured launch daemon for SUGARLOADER, while XProtect behavioral detections in the XPdb database aided forensic reconstruction despite lacking EDR.
The Activity
North Korean threat actors linked to UNC1069 continue to refine their approaches against cryptocurrency and DeFi organizations, as evidenced by a recent intrusion into a FinTech target reported by Mandiant. Active since at least 2018 and assessed with high confidence to have a DPRK nexus, UNC1069 demonstrated expanded tooling and social engineering sophistication in this operation.
The intrusion commenced with social engineering conducted through a compromised Telegram account belonging to a cryptocurrency executive. After establishing contact, the actor forwarded a Calendly scheduling link that redirected to a spoofed Zoom domain under their control. During the call, the victim observed what appeared to be a deepfake video of another cryptocurrency CEO, simulating audio difficulties to justify a ClickFix ruse. Instructions delivered via a malicious webpage prompted the victim to run commands tailored for macOS or Windows; those commands served as the infection trigger.
On the macOS victim system, the commands downloaded and executed an initial payload, leading to AppleScript activity followed by deployment of a packed C++ backdoor designated WAVESHAPER. This component acted as an entry point, facilitating deployment of HYPERCALL, a Go-language downloader that reflectively loads dynamic libraries from C2 servers after RC4 decryption of configuration data. HYPERCALL delivered HIDDENCALL (a Golang backdoor providing interactive access), SUGARLOADER (a known C++ downloader), and SILENCELIFT (a minimal C/C++ beacon collecting host details).
Further tooling expanded data collection capabilities. DEEPBREATH, implemented in Swift, bypassed macOS TCC protections by staging and modifying the TCC database through Finder's Full Disk Access privileges, granting unauthorized access to steal Keychain credentials, browser artifacts from Chrome, Brave, and Edge, Telegram databases, and Apple Notes content. Stolen items were archived into ZIP files and exfiltrated using curl.
SUGARLOADER, configured with an RC4-encrypted file and persistence via a launch daemon masquerading as a system updater, exclusively deployed CHROMEPUSH. Written in C++, CHROMEPUSH installed itself as a native messaging host disguised as a Google Docs offline extension, targeting Chromium browsers to log keystrokes, capture credentials, extract cookies, and potentially record screenshots before exfiltrating via HTTP POST.
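The native messaging host install described above leaves a JSON manifest in the browser's NativeMessagingHosts directory, which gives defenders a cheap hunt. The following script is an added example (not code from the report or from Mandiant) that parses those manifests on macOS and flags hosts whose binary lives outside the usual install locations, in a hidden directory, or has already been deleted; the EXPECTED_PREFIXES heuristic is an assumption, not a rule.

```python
import json
import os
from pathlib import Path

# Chromium-family NativeMessagingHosts directories on macOS (real locations).
NMH_DIRS = [
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
]

# Heuristic, not proof: a legitimate host binary normally ships inside an app
# bundle or a package prefix. Anything elsewhere simply deserves a closer look.
EXPECTED_PREFIXES = ("/Applications/", "/usr/local/", "/opt/")

def audit_manifest(manifest):
    """Return a list of findings for one parsed native messaging manifest (a dict)."""
    findings = []
    host_path = manifest.get("path", "")
    if manifest.get("type") != "stdio":
        findings.append("non-stdio transport")
    if not os.path.isabs(host_path):
        findings.append("relative host path")
    else:
        if not host_path.startswith(EXPECTED_PREFIXES):
            findings.append("host binary outside expected install locations")
        if any(part.startswith(".") for part in Path(host_path).parts):
            findings.append("host binary in a hidden directory")
        if not os.path.exists(host_path):
            findings.append("host binary missing on disk")
    if not manifest.get("allowed_origins"):
        findings.append("no allowed_origins restriction")
    return findings

def audit_directories(dirs=NMH_DIRS):
    """Parse every *.json manifest in the given directories and audit each one."""
    results = []
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for manifest_file in sorted(base.glob("*.json")):
            with open(manifest_file, encoding="utf-8") as fh:
                manifest = json.load(fh)
            results.append((str(manifest_file), manifest.get("name"),
                            manifest.get("path"), audit_manifest(manifest)))
    return results
```

Run audit_directories() on the host under review and treat any manifest with a non-empty findings list as a triage lead; the allowed_origins extension IDs also tell you which extension the host pairs with.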
Forensic analysis benefited from macOS XProtect Behavioral Service logs in the XPdb database, which captured violations and timestamps for deleted malware, enabling reconstruction of the sequence absent EDR coverage.
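Reconstructing a timeline from XPdb, as the report describes, comes down to pulling every timestamped row out of a SQLite file whose schema is not documented and changes between macOS builds. The following is an added example (not the report's own tooling) that discovers the tables and their time-like columns at runtime and merges the rows into one ordered list; the XPDB_PATH location is an assumption, and make_sample_db() builds a constructed stand-in with illustrative column names and rule strings that are not Apple's real schema.

```python
import sqlite3

# Assumed location of the XProtect Behavioral Service database on macOS. It is
# root-only, so work from a copy taken out of the image rather than the live file.
XPDB_PATH = "/var/protected/xprotect/XPdb"
TIME_HINTS = ("time", "date", "dt")

def user_tables(conn):
    """Names of all user tables; XPdb's schema differs across macOS builds."""
    q = "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    return [r[0] for r in conn.execute(q)]

def table_columns(conn, table):
    return [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]

def build_timeline(conn):
    """Merge rows of every table that has a time-like column into one ordered list
    of (timestamp, table, row_dict); rows with a NULL timestamp sort last."""
    events = []
    for table in user_tables(conn):
        cols = table_columns(conn, table)
        tcols = [c for c in cols if any(h in c.lower() for h in TIME_HINTS)]
        if not tcols:
            continue  # lookup/config tables carry no event time
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            rec = dict(zip(cols, row))
            events.append((rec[tcols[0]], table, rec))
    # Assumes timestamps across tables share one type (e.g. all epoch floats).
    events.sort(key=lambda e: (e[0] is None, e[0] if e[0] is not None else 0))
    return events

def make_sample_db():
    """Constructed in-memory stand-in for XPdb. The table and column names and
    the rule strings are illustrative only, not Apple's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, dt REAL, violated_rule TEXT, exec_path TEXT)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?)", [
        (1, 1700000300.0, "launchd_persistence", "/Library/LaunchDaemons/updater"),
        (2, 1700000100.0, "tcc_db_modification", "/private/tmp/.helper"),
        (3, 1700000200.0, "keychain_access", "/private/tmp/.helper"),
    ])
    conn.execute("CREATE TABLE meta (version INTEGER)")  # no time column: skipped
    conn.execute("INSERT INTO meta VALUES (1)")
    return conn

if __name__ == "__main__":
    for ts, table, rec in build_timeline(make_sample_db()):
        print(ts, table, rec.get("violated_rule"), rec.get("exec_path"))
```

Against a real copy, replace make_sample_db() with sqlite3.connect(XPDB_PATH) and inspect the row dicts to learn which columns carry the violated rule and the responsible binary path; rows for binaries that no longer exist on disk are the ones that fill the gap left by deleted malware.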
UNC1069's shift toward Web3 targeting since 2023 has included cryptocurrency exchanges, developers, and venture capital personnel, with increasing integration of AI tools for reconnaissance, tooling development, and lure creation. This incident underscores the group's determination to maximize credential and session data harvested from individual high-value targets to support financial theft and identity-based follow-on campaigns.
Who is UNC1069?
UNC1069, also known as CryptoCore and MASAN, is a financially motivated threat actor assessed with high confidence to have a North Korea nexus. Active since at least 2018, the group has shifted its focus to the cryptocurrency sector, including startups, software developers, venture capital firms, and related fintech entities. It relies on sophisticated social engineering tactics, such as compromised Telegram accounts, fake Zoom meetings, ClickFix infection vectors, and AI-generated videos and deepfakes, to deploy malware for credential theft, browser data harvesting, and the facilitation of financial theft.
IOCs
PolySwarm has multiple samples associated with this activity.
SUGARLOADER
1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede
WAVESHAPER
B525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d