North Korean hackers, tracked as UNC1069 by Google's Mandiant, have deployed sophisticated new macOS malware in targeted cryptocurrency theft campaigns. These attacks leverage AI-generated deepfake videos and social engineering via Telegram to trick victims into executing malicious commands. The operation, uncovered during an investigation into a fintech company breach, highlights the evolving threat to macOS users in the crypto sector.
The malicious campaign begins with hackers compromising a legitimate Telegram account from a crypto executive to build rapport with targets. They direct victims to a spoofed Calendly link leading to a fake Zoom page hosting a deepfake CEO video call. Posing as audio troubleshooting, attackers guide users to run ClickFix-style commands from a webpage, tailored for both macOS and Windows, initiating payload deployment.
Mandiant identified seven distinct macOS malware families in the chain, starting with AppleScript and a malicious Mach-O binary. Key tools include WAVESHAPER, a C++ backdoor for system reconnaissance and C2 communication; HYPERCALL and HIDDENCALL, Golang loaders and backdoors enabling remote access; and SILENCELIFT, a minimal backdoor disrupting Telegram on rooted systems. Newer implants like DEEPBREATH, a Swift data miner bypassing TCC protections to steal keychain, browser, and Telegram data, underscore the attack's breadth.
Additional malware such as SUGARLOADER, a persistent C++ downloader, and CHROMEPUSH, a Chromium extension stealer harvesting credentials and keystrokes, maximize data exfiltration. This unusually high volume of payloads on a single host aims at crypto theft and future social engineering using stolen identities. Detection remains low, with only SUGARLOADER and WAVESHAPER showing VirusTotal flags, emphasizing stealth.
UNC1069, active since 2018, shifted from Web3 targets in 2023 to financial services and crypto infrastructure last year. Similar tactics were seen in 2025 BlueNoroff attacks, but this campaign introduces novel tools amid North Korea's growing macOS focus. Crypto firms must prioritize endpoint detection, deepfake awareness training, and TCC hardening to counter these persistent threats.