UNC1069 (also known as CryptoCore and MASAN), a financially motivated North Korea-linked advanced persistent threat (APT) actor active since 2018, has conducted a sophisticated targeted intrusion against a financial technology (FinTech) entity operating within the cryptocurrency sector. This UNC1069 cyberattack leveraged a multi-stage social engineering campaign combining a compromised Telegram account, an AI-generated deepfake video in a spoofed Zoom meeting, and a ClickFix infection vector to manipulate victims into executing malicious commands. The UNC1069 cryptocurrency attack resulted in the deployment of seven distinct malware families — WAVESHAPER, SUGARLOADER, SILENCELIFT, HYPERCALL, DEEPBREATH, HIDDENCALL, and CHROMEPUSH — engineered to harvest credentials, browser data, messaging content, and session tokens to facilitate large-scale cryptocurrency theft.
Stage 1 – Initial Contact via Compromised Telegram Account and Deepfake Zoom Lure
The UNC1069 social engineering attack began through a hijacked executive Telegram account. After building brief rapport, the victim received a Calendly scheduling link leading to a counterfeit Zoom meeting page hosted by the attacker. During the call, a fabricated AI-generated deepfake video of a cryptocurrency CEO was used to reinforce legitimacy. UNC1069 relied on generative AI tools to prepare scripts, visuals, and operational research, highlighting the growing threat of AI-powered social engineering in the cryptocurrency sector.
Stage 2 – ClickFix Infection Vector and WAVESHAPER Backdoor Deployment
The attacker staged audio problems during the call and guided the victim through troubleshooting commands — a technique known as ClickFix. On macOS, a payload was fetched through shell piping; on Windows, mshta (a Living-off-the-Land Binary/LOLBin) executed the same malicious file. An AppleScript event marked the infection chain entry point, leading to the deployment of WAVESHAPER, a macOS C++ backdoor that collected host identifiers, hardware details, and running processes and transmitted them to attacker-controlled command-and-control (C2) servers.
Stage 3 – HYPERCALL Downloader and Secondary Malware Deployment
WAVESHAPER installed HYPERCALL, a Go-based downloader that retrieved additional malware components. HIDDENCALL enabled direct remote control of the compromised system. SUGARLOADER established persistent access through a macOS launch daemon. SILENCELIFT transmitted system status information and could disrupt Telegram communications when executed with root privileges.
Stage 4 – Credential Harvesting and Data Exfiltration via DEEPBREATH
DEEPBREATH bypassed macOS Transparency, Consent, and Control (TCC) privacy protections by abusing full disk permissions obtained through Apple Finder access. It extracted iCloud Keychain credentials, browser data from Google Chrome, Brave, and Microsoft Edge, along with Telegram files and Apple Notes databases. All collected data was compressed and exfiltrated to a remote attacker-controlled server.
Stage 5 – Browser-Based Credential Theft via CHROMEPUSH
CHROMEPUSH, delivered by SUGARLOADER, masqueraded as a Google Docs offline browser extension and persisted as a native messaging host within Chromium-based browsers. It logged keystrokes, captured credentials, extracted cookies, and continuously uploaded stolen information to the attacker’s infrastructure.
Restrict Unsigned Script Execution on macOS: Configure macOS systems to prevent unauthorized AppleScript and shell script execution. Enforce Gatekeeper policies and restrict curl-to-shell piping through endpoint security policies to block ClickFix-style infection vectors used by UNC1069.
Audit macOS Launch Daemons and Agents: Regularly inspect /Library/LaunchDaemons/ and /Library/LaunchAgents/ directories for unauthorized plist files, particularly those mimicking Apple naming conventions such as com.apple.system.updater.plist associated with SUGARLOADER persistence.
Monitor TCC Database Integrity: Implement monitoring for unauthorized modifications to the macOS TCC database (TCC.db). Alert on any process that stages, copies, or modifies the TCC folder outside of normal user consent workflows — a key indicator of DEEPBREATH activity.
Inspect Chrome Native Messaging Hosts: Audit NativeMessagingHosts directories under Google Chrome, Brave, and other Chromium-based browsers for unauthorized extensions or manifest files such as com.google.docs.offline.json used by CHROMEPUSH.
Enforce Meeting Link Verification Policies: Train employees — especially those in cryptocurrency, FinTech, and financial services roles — to verify meeting links received via Telegram or other messaging platforms. Establish secondary verification procedures before clicking any scheduling or meeting links.
Monitor for Anomalous Curl and WebSocket Activity: Deploy detection rules for suspicious curl commands (e.g., using “audio” as a user agent), curl-to-shell piping, and WebSocket connections to unknown domains on TCP port 443 — all hallmarks of UNC1069 C2 communication.
Reset Credentials and Session Tokens Post-Incident: Upon suspected compromise, immediately reset all iCloud Keychain credentials, browser-stored passwords, Telegram session data, and Apple Notes data. Revoke and rotate all cryptocurrency wallet keys and API tokens.
Strengthen Anti-Deepfake Awareness Training: Conduct targeted security awareness training focused on AI-generated deepfake video and audio social engineering attacks, particularly for employees in cryptocurrency, finance, and venture capital sectors.
Enable XProtect Behavioral Service Monitoring: Leverage macOS XProtect Behavioral Service (XBS) by monitoring the XPdb SQLite database at /var/protected/xprotect/XPdb for behavioral violations that may indicate malware execution linked to UNC1069.
Restrict mshta Execution on Windows: Block or monitor mshta.exe execution through application control policies, as UNC1069 uses this LOLBin as part of the Windows infection chain.
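One way to script the launch-item and native-messaging-host audits recommended above, as an added example that is not code from the advisory's authors: the only values taken from the page are the com.apple.system.updater.plist and com.google.docs.offline.json names and the /Library/OSRecovery/SystemUpdater path; the directory layout, the vendor names and the trusted-location heuristic are this example's own assumptions.

```python
import json
import os
import plistlib
import tempfile

# Names quoted from the advisory above; every other value here is constructed.
IOC_NMH_MANIFEST = "com.google.docs.offline.json"
TRUSTED_HOST_DIRS = ("/Applications/", "/usr/", "/System/")

def audit_launch_items(dirpath):
    """Apple's own jobs live under /System/Library, so a com.apple.* label or file name
    in a third-party launch directory such as /Library/LaunchDaemons is masquerading."""
    hits = []
    for name in sorted(n for n in os.listdir(dirpath) if n.endswith(".plist")):
        with open(os.path.join(dirpath, name), "rb") as fh:
            plist = plistlib.load(fh)
        label = str(plist.get("Label", ""))
        program = (plist.get("ProgramArguments") or [plist.get("Program", "?")])[0]
        if label.startswith("com.apple.") or name.startswith("com.apple."):
            hits.append((name, "Apple namespace in third-party dir, runs %s" % program))
    return hits

def audit_native_messaging_hosts(dirpath):
    """Flag manifests matching the CHROMEPUSH name or pointing at an unusual host binary."""
    hits = []
    for name in sorted(n for n in os.listdir(dirpath) if n.endswith(".json")):
        with open(os.path.join(dirpath, name)) as fh:
            host = json.load(fh).get("path", "")
        if name == IOC_NMH_MANIFEST:
            hits.append((name, "known CHROMEPUSH manifest name"))
        elif not host.startswith(TRUSTED_HOST_DIRS):
            hits.append((name, "host binary in unusual location: %s" % host))
    return hits

def build_fixture():
    """Constructed sample tree: one benign and one suspicious item of each kind."""
    root = tempfile.mkdtemp()
    ld, nmh = os.path.join(root, "LaunchDaemons"), os.path.join(root, "NativeMessagingHosts")
    os.makedirs(ld); os.makedirs(nmh)
    for fname, label, prog in (("com.vendor.agent.plist", "com.vendor.agent", "/Applications/Vendor.app/Contents/MacOS/agent"),
                               ("com.apple.system.updater.plist", "com.apple.system.updater", "/Library/OSRecovery/SystemUpdater")):
        with open(os.path.join(ld, fname), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": [prog], "RunAtLoad": True}, fh)
    for fname, path in (("com.vendor.host.json", "/Applications/Vendor.app/Contents/MacOS/host"),
                        (IOC_NMH_MANIFEST, "/Library/Caches/System Settings")):
        with open(os.path.join(nmh, fname), "w") as fh:
            json.dump({"name": fname[:-5], "path": path, "type": "stdio"}, fh)
    return ld, nmh
```

On a real host, point the two audit functions at /Library/LaunchDaemons, /Library/LaunchAgents and each browser's NativeMessagingHosts directory instead of the fixture.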
Domains: mylingocoin[.]com, zoom[.]uswe05[.]us, breakdream[.]com, dreamdie[.]com, support-zoom[.]us, supportzm[.]com, zmsupport[.]com, cmailer[.]pro
URLs: hxxp[:]//mylingocoin[.]com/audio/fix/6454694440 hxxp[:]//cmailer[.]pro[:]80/upload
File Paths: /Library/Caches/System Settings, /Library/OSRecovery/SystemUpdater, /Library/Caches/com.apple.mond, /Library/SystemSettings/com.apple.system.settings, /Library/Fonts/com.apple.logd, /Library/SystemSettings/.CacheLogs.db, /Library/LaunchDaemons/com.apple.system.updater.plist, /Library/OSRecovery/com.apple.os.config, /Library/Caches/.Logs.db
| Tactic | Technique | Sub-Technique |
|---|---|---|
| Initial Access | T1566: Phishing | T1566.003: Spearphishing via Service / T1566.004: Spearphishing Voice |
| Execution | T1204: User Execution | T1204.002: Malicious File |
| Execution | T1059: Command and Scripting Interpreter | T1059.004: Unix Shell / T1059.002: AppleScript |
| Execution | T1218: System Binary Proxy Execution | T1218.005: Mshta |
| Persistence | T1543: Create or Modify System Process | T1543.004: Launch Daemon |
| Persistence | T1176: Browser Extensions | — |
| Defense Evasion | T1027: Obfuscated Files or Information | T1027.002: Software Packing |
| Defense Evasion | T1620: Reflective Code Loading | — |
| Defense Evasion | T1036: Masquerading | T1036.005: Match Legitimate Name or Location |
| Credential Access | T1555: Credentials from Password Stores | T1555.001: Keychain / T1555.003: Credentials from Web Browsers |
| Credential Access | T1056: Input Capture | T1056.001: Keylogging |
| Collection | T1005: Data from Local System | — |
| Collection | T1185: Browser Session Hijacking | — |
| Collection | T1074: Data Staged | T1074.001: Local Data Staging |
| Exfiltration | T1041: Exfiltration Over C2 Channel | — |
| Command and Control | T1071: Application Layer Protocol | T1071.001: Web Protocols / T1071.004: DNS |
| Command and Control | T1102: Web Service | — |