The campaign used a compromised Telegram account, a fake Zoom meeting, and AI-assisted deception to trick victims into executing terminal commands leading to a macOS infection chain.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

North Korean threat actor UNC1069 is targeting cryptocurrency organizations with a sophisticated social engineering attack that combines ClickFix tactics with multiple custom macOS backdoors. The campaign uses compromised Telegram accounts, fake Zoom meetings with AI-generated video, and tricks victims into executing malicious terminal commands. Once access is gained, attackers deploy a multi-stage malware stack including previously undocumented tools like WAVESHAPER, HYPERCALL, and DEEPBREATH that bypass macOS security mechanisms to steal sensitive data, browser credentials, and keychain material.

North Korean actors blend ClickFix with new macOS backdoors in Crypto campaign