- Mandiant Reports UNC1069 Using Compromised Telegram, Fake Zoom Calls, and Deepfake Videos
- Victims tricked into installing malware package including WAVESHAPER, HYPERCALL and SUGARLOADER
- North Korean actors target cryptocurrency companies and continue state-linked theft campaigns attributed to groups like Lazarus and TraderTraitor.
North Korean cybercriminals appear to be upping their game, with new reports from Mandiant claiming that hackers are now using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen strains of malware.
This evil concoction was apparently used against organizations in the cryptocurrency sector, with the aim of stealing their cryptocurrency stacks.
In its report, Mandiant said it observed a group tracked as UNC1069 using this advanced technique. The attack begins with a compromised Telegram account of a CEO or similar high-level executive. The account is then used to start a conversation with the victim and, after a short exchange, invite them to a Zoom call.
But the call is not legitimate. It is a fake Zoom meeting, hosted on the threat actor’s infrastructure – zoom[.]uswe05[.]us. In the call, victims are shown a fake video of the CEO being impersonated, which claims that the victim’s audio is not working and that they should fix it.
Finally, in traditional ClickFix fashion, victims are presented with a solution that, instead of “fixing” the non-existent error, deploys a host of malware: WAVESHAPER, HYPERCALL, HIDENCALL, SUGARLOADER, SILENCELIFT, DEEPBREATH, and CHROMEPUSH.
Together, these tools form a multi-stage infection chain that allows persistence, credential harvesting, browser data theft, and long-term access.
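As an added defensive example, not taken from Mandiant's report or this article: a small triage check that flags meeting links whose host is not actually under Zoom's own domains, which catches the zoom[.]uswe05[.]us lookalike mentioned above. The allowlist of suffixes, the refang helper and the sample Telegram message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains a genuine Zoom meeting link resolves under
# (not taken from the article; add a tenant's vanity subdomain if it has one).
LEGITIMATE_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")

# Links with an explicit scheme; the message is refanged before this is applied.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text: str) -> str:
    """Turn analyst-defanged text (zoom[.]uswe05[.]us, hxxps://) back into plain form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_legitimate_zoom_host(url: str) -> bool:
    """True only if the link's host is zoom.us / zoom.com or a subdomain of one.

    Matching the full host against an allowed suffix is what defeats the lookalike
    in the article: zoom.uswe05.us starts with "zoom." but its registrable domain
    is uswe05.us. It also rejects zoom.us.evil.example and the userinfo trick
    https://zoom.us@evil.example, since urlparse returns the real host after "@".
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGITIMATE_ZOOM_SUFFIXES)


def triage_invite(message: str) -> list[tuple[str, str]]:
    """Label every link in a chat invite as "ok" or "lookalike" for a reviewer."""
    results = []
    for match in URL_RE.finditer(refang(message)):
        link = match.group(0).rstrip(".,;)")  # drop trailing punctuation
        results.append((link, "ok" if is_legitimate_zoom_host(link) else "lookalike"))
    return results


# Constructed sample message, modelled on the Telegram lure the article describes.
SAMPLE_INVITE = (
    "Hi, quick call? Join here: https://zoom[.]uswe05[.]us/j/123456 "
    "or use my usual room https://us04web.zoom.us/j/987654."
)

if __name__ == "__main__":
    for link, verdict in triage_invite(SAMPLE_INVITE):
        print(f"{verdict:10} {link}")
```

The check is a host-suffix test, not a reputation lookup, so it only tells a reviewer that a link is not Zoom's; it says nothing about what the destination serves.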
UNC1069 is not a widely recognized threat actor. However, since UNC stands for Uncategorized (or Unclassified), it could simply mean that a previously observed threat actor changed their infrastructure or technique and has not yet been properly attributed.
North Korean actors are famous for attacking crypto companies. Some of the biggest heists have been attributed to state-sponsored groups like Lazarus, and these collectives are often tasked with stealing cryptocurrencies through which the country funds its weapons program and state apparatus.
The largest cryptocurrency theft ever recorded was the February 21, 2025 hack of the Dubai-based Bybit exchange, in which around 1.5 billion in ether-related assets were stolen from a cold wallet. Analysts and law enforcement have linked the attack to groups tied to the North Korean state, including Lazarus Group and TraderTraitor.