The North Korea-linked group UNC1069 is targeting the cryptocurrency industry through elaborate social engineering tactics on platforms like Telegram to steal data from Windows and macOS users. By utilizing artificial intelligence to create deceptive lures and fake meeting invitations, the threat actor aims to facilitate large-scale financial theft.
The threat actor known as UNC1069 has been active for several years and is recognized by the security community for its persistent focus on financial gain through digital deception. Recently, researchers observed the group utilizing a sophisticated social engineering scheme that involved compromised Telegram accounts and fake Zoom meetings to infect victims. This campaign stands out for its reported use of AI-generated video and the ClickFix infection vector to trick individuals into compromising their own systems.
Since at least 2018, this group has built a reputation for posing as reputable investors or entrepreneurs to gain the trust of their targets. While they previously focused on traditional financial institutions, they have recently pivoted toward the Web3 sector, including centralized exchanges and venture capital firms. Their methods have evolved from standard spear-phishing to more complex interactions that involve scheduling legitimate-looking appointments through services like Calendly.
Artificial intelligence has become a cornerstone of the group's modern toolkit, with reports indicating they use generative tools to craft convincing messaging and lure materials. Beyond just text, the group has attempted to use these technologies to develop malicious code and create deepfake images or videos. These deepfakes often mimic well-known figures in the cryptocurrency space to add an air of authenticity to their fraudulent interactions.
The technical side of these attacks involves the distribution of specialized backdoors and malware hidden within files disguised as legitimate software development kits. In recent intrusions, security teams have identified at least seven unique malware families being deployed against targets. These include newly discovered tools designed to maintain access to a victim's machine and facilitate the eventual theft of digital assets.
The typical attack begins with a direct message on Telegram, where the threat actor impersonates a venture capitalist or a founder to initiate a professional conversation. Once a victim agrees to a meeting, they are directed toward a malicious environment where the malware is delivered under the guise of technical requirements for the call. This high-touch approach allows the group to bypass traditional security filters by building a rapport with the victim before the payload is ever delivered.
Source: North Korea–Linked UNC1069 Uses AI Lures Against Cryptocurrency Firms