
North Korean hackers use new macOS malware in crypto-theft attacks


North Korean hackers are running tailored campaigns using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector.

The threat actor's motive appears to be financial, judging by the purpose of the tools used in an attack on a fintech company that was investigated by Google's Mandiant researchers.

During the response engagement, the researchers found seven distinct macOS malware families and attributed the attack to UNC1069, a threat group they've been tracking since 2018.

Infection chain

The attack had a strong social engineering component as the victim was contacted over the Telegram messaging service from a compromised account of an executive at a cryptocurrency company.

After building a rapport, the hackers shared a Calendly link that took the victim to a spoofed Zoom meeting page on the attacker's infrastructure.

According to the target, the hackers showed a deepfake video of a CEO at another cryptocurrency company.

"Once in the 'meeting,' the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues," Mandiant researchers say.

Under this pretext, the attacker instructed the victim to troubleshoot the problems using commands present on a webpage. Mandiant found commands on the page for both Windows and macOS that would start the infection chain.

Huntress researchers documented a similar attack method in mid-2025, one that targeted macOS systems with a different set of payloads, and attributed it to the BlueNoroff group, another North Korean adversary also known as Sapphire Sleet and TA44.
