UNC1069: the threat that uses AI and generated videos to steal crypto and credentials


A group linked to North Korea, known in the cybersecurity community as UNC1069 (also tracked under the names CryptoCore and MASAN), has stepped up its efforts against the cryptocurrency ecosystem, using highly sophisticated social engineering tactics combined with modern tools such as generative artificial intelligence. According to the Google and Mandiant threat intelligence team, these operations do not seek mere one-off access: they are designed to obtain credentials, session tokens and material that allows digital funds to be diverted, directly or indirectly. The concern is twofold: on the one hand, the precision of the lures; on the other, the variety of malicious payloads that can land on a compromised machine. For the Google/Mandiant report, see the technical note on the Google Cloud blog: UNC1069 targets cryptocurrency, AI-enabled social engineering.

The modus operandi described by the analysts begins with contact over Telegram. The attackers, sometimes using legitimate compromised accounts, pose as investors or founders and propose a meeting. To book the appointment they use legitimate tools such as Calendly; the invitation contains a link that redirects to a page imitating Zoom. This link does not lead to a genuine meeting but to a booby-trapped web page that reproduces a video-call interface and, in many cases, plays a video that appears to show the other party. Earlier research has documented the use of AI-generated audiovisual material or reused recordings to reinforce the illusion of a live session.

Image generated with AI.

When the victim "enters" the fake room, they are asked to turn on their camera and confirm their identity. A technical pretext then appears (a supposed audio failure) and a wizard on the page offers a quick fix: run a command or an installer to solve the problem. That step is the trap that deploys the malware. On macOS the vector leads to an AppleScript that downloads a Mach-O binary; on Windows the flow turns to executables and downloads that serve as a gateway to a full chain of malicious tools.

Mandiant researchers detected up to seven different malware families in a single intrusion, many of them new to the group's repertoire. With names like WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, SUGARLOADER, CHROMEPUSH and SILENCELIFT, the toolset combines C++ and Go, backdoors that allow remote control, macOS-specific components and browser extensions. The scheme is clear: first a downloader is installed, then backdoors giving direct access are deployed, and finally modules designed to exfiltrate credentials and sensitive data are run.

DEEPBREATH in particular stands out for its ability to manipulate the macOS permissions database (TCC) in order to reach protected items such as the iCloud Keychain, as well as browser data (cookies, passwords) and applications such as Telegram or Apple Notes. CHROMEPUSH, for its part, acts as a malicious extension installed in browsers such as Chrome and Brave while posing as an offline editor for Google Docs; its functions include keylogging, capturing user input and stealing cookies to hijack sessions. In other words, the combination of these components enables both the direct theft of private keys or credentials and the hijacking of sessions to move digital assets.

One reason these attacks have drawn so much attention is the use of AI-enhanced social engineering. Google has pointed to the use of generative models (including those offered by its own platform) to craft approach messages, produce credible voices or faces, and even to attempt to write code capable of extracting assets. This use of AI lowers the cost and increases the scale of the lures, leaving executives, developers and even security teams more exposed. For those who want to dig deeper into how state actors are adopting modern tools, the Mandiant archive offers additional resources and reports: Mandiant resources.

The potential impact is particularly serious for companies and professionals in the crypto world. A single compromised browser or a stolen session cookie can give an attacker access to centralized exchange platforms (CEX), portfolio management interfaces or service accounts that hold access keys. In addition, the practice of reusing recordings of previous victims, documented by several vendors as a deception method, adds a powerful psychological layer: seeing "a familiar face" or hearing "the voice of someone real" lowers suspicion and increases the confidence of whoever receives the invitation. Kaspersky and other vendors have reported campaigns of this kind in which replaying video served precisely to convince more victims; more information is available on specialized channels such as Kaspersky's blog: Kaspersky Security Blog.

Image generated with AI.

What can companies and professionals do to mitigate the risk? First, verify the origin of any meeting invitation, especially if it arrives through channels such as Telegram or includes apparent redirects to third-party services. Do not run commands supplied by a dubious website, and do not install tools without checking their signature and origin. On macOS it is wise to review TCC permissions regularly, restrict access to the keychain and use strong passwords with robust two-factor authentication; in the crypto world it is recommended to separate the devices that store keys from those used for communication and browsing, and to prefer hardware keys for 2FA wherever possible. Endpoint detection and network telemetry tools that identify abnormal behaviour (unusual downloads, outbound connections to C2 servers, unauthorized extension installs) are another important barrier. For general guidance on defensive measures and on responding to intrusions, public cybersecurity agencies offer useful guides, starting with the CISA website: CISA.
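As an added example (not code from the article or from the Google/Mandiant report), the following Python audit turns the "unauthorized extension installs" advice into a check: it walks a Chromium-style Extensions directory and flags extensions that are not on an organisation allowlist yet request the permission combination that the CHROMEPUSH behaviour described above (cookie theft plus input capture across all sites) would need. The RISKY_APIS set, the profile path in the comment and the sample manifests are my own assumptions and constructions.

```python
"""Flag unapproved Chrome/Brave extensions whose permissions allow cookie theft and input capture."""
import json
import tempfile
from pathlib import Path

# Permission combination behind the behaviour the article attributes to CHROMEPUSH:
# cookie access on every site plus script injection that can capture what the user types.
RISKY_APIS = {"cookies", "webRequest", "scripting", "tabs", "clipboardRead"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# On macOS, point ext_root at e.g. ~/Library/Application Support/Google/Chrome/Default/Extensions (assumed path).


def assess_manifest(manifest: dict) -> dict:
    """Extract risky API and host permissions from one manifest (handles MV2 and MV3 layouts)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_apis": sorted(perms & RISKY_APIS), "broad_hosts": sorted(hosts & BROAD_HOSTS)}


def audit_extensions(ext_root: Path, allowlist: set) -> list:
    """Walk <ext_root>/<id>/<version>/manifest.json; report unapproved extensions holding both risk classes."""
    findings = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        if ext_id in allowlist:
            continue  # approved by the organisation
        try:
            report = assess_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable manifest: not scored here, but worth logging in production
        if report["risky_apis"] and report["broad_hosts"]:
            findings.append({"id": ext_id, **report})
    return findings


def demo() -> list:
    """Audit a constructed profile: one benign extension, one posing as an offline Docs editor."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {  # constructed sample manifests; the IDs are placeholders, not real extensions
        "a" * 32: {"name": "Tab Counter", "version": "1.0", "permissions": ["storage"]},
        "b" * 32: {"name": "Google Docs Offline", "version": "2.1",
                   "permissions": ["cookies", "scripting", "tabs"], "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        path = root / ext_id / manifest["version"] / "manifest.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return audit_extensions(root, allowlist=set())
```

Run `audit_extensions` against the real profile directory with the IDs your organisation has approved in `allowlist`; anything returned deserves a look at who installed it and when.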

Beyond immediate action, these cases point to a broader trend: the security industry is no longer chasing only technical exploits; adversaries combine psychological manipulation, legitimate platforms and AI automation to build highly credible attacks. The response requires not only patching and detection but ongoing training, strict identity controls and a layered security approach that reduces the attack surface in financial and development environments.

If you work at a crypto startup, a venture capital firm or on development teams that handle digital assets, take this alert as a reminder: validate invitations, distrust shortcuts that ask you to run external tools, and keep your critical assets on devices and in processes that you do not use for everyday tasks. The threat is real and evolving quickly; staying informed and applying basic controls can make the difference between avoiding an intrusion and suffering an asset theft.
