North Korean threat actors target the cryptocurrency industry using AI-enabled social engineering such as deepfakes, and ClickFix.

Google Cloud Platform provides a suite of cloud computing services for building, deploying, and managing applications and infrastructure on Google's global network. Developers can learn about cloud-native development, machine learning, and big data analytics to leverage GCP's scalable and reliable cloud infrastructure for their projects.

Google Cloud

North Korean threat actor UNC1069 conducted a sophisticated attack against a FinTech entity using AI-generated deepfake video, compromised Telegram accounts, and fake Zoom meetings to deploy seven malware families. The attack chain included WAVESHAPER backdoor, HYPERCALL downloader, HIDDENCALL backdoor, and new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH designed to harvest credentials, browser data, session tokens, and cryptocurrency wallet information. DEEPBREATH bypassed macOS TCC protections by manipulating the security database, while CHROMEPUSH installed malicious browser extensions to capture keystrokes and cookies. The intrusion demonstrates UNC1069's evolution from traditional spear-phishing to AI-enabled social engineering and ClickFix infection vectors targeting cryptocurrency sector employees and executives.

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering