UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
Essential information
- Published
- 09/02/2026 19:29
- Modified
- 12/02/2026 15:22
- Tags
- 2026-02-09, ai, chromepush, cryptocurrency, deepbreath, hiddencall, hypercall, macos, malware, north korea, silencelift, social engineering, sugarloader, waveshaper, web3
- Related entities
- 15 observables, 1 intrusion set (APT), 12 techniques (MITRE), 10 others
Description
North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance (DeFi) sectors. In a recent intrusion, the group deployed seven distinct malware families, including the newly identified tools SILENCELIFT, DEEPBREATH and CHROMEPUSH, built to collect host and victim data. The initial access relied on social engineering: a compromised Telegram account, a fake Zoom meeting invitation and a video that was reportedly AI-generated. UNC1069 has moved away from conventional spear-phishing toward direct social engineering of Web3 industry entities such as centralized exchanges, software developers and venture capital firms. The intrusion showed sophisticated techniques for bypassing macOS security controls and for harvesting credentials, browser data and cryptocurrency wallet information. This marks a significant expansion of UNC1069's capabilities and underlines its dual focus on financial theft and on collecting data to fuel future social engineering campaigns.