North Korean UNC1069 APT Hacks Crypto Pros With Fake Zoom, Teams Meetings
Key Takeaways A North Korean state-sponsored advanced persistent threat (APT) group, UNC1069, is actively targeting cryptocurrency and Web3 professionals. The attackers use highly sophisticated...
Key Takeaways
- A North Korean state-sponsored advanced persistent threat (APT) group, UNC1069, is actively targeting cryptocurrency and Web3 professionals.
- The attackers use highly sophisticated social engineering, including fake video conferencing platforms (Zoom, Google Meet, Microsoft Teams) and deepfake executives, to deliver malware.
- The campaign aims to steal cryptocurrency and other assets, with proceeds likely funding North Korea’s illicit weapons programs.
- Victims are tricked into executing malicious PowerShell or other scripts, leading to the installation of Cabbage RAT (also known as CageyChameleon).
North Korean APT UNC1069 Weaponizes Fake Video Meetings to Target Crypto Professionals
A highly sophisticated campaign orchestrated by UNC1069, an advanced persistent threat (APT) group with ties to North Korea, is actively compromising cryptocurrency and Web3 industry professionals. The financially motivated operation leverages deceptive video conferencing tactics to infiltrate target systems, with intelligence suggesting the stolen funds directly support North Korea’s missile, nuclear, and espionage initiatives.
Table Of Content
The attackers initiate contact through platforms such as LinkedIn and Telegram, frequently employing previously compromised accounts to enhance their credibility. Following initial engagement, they distribute scheduling links via Calendly, directing victims to join meetings on meticulously crafted imitation platforms that convincingly mimic legitimate services like Zoom, Google Meet, and Microsoft Teams. These fraudulent environments are so convincing that they include live participation from the attackers themselves, and in some instances, even incorporate deepfake video footage of real executives to build trust before deploying their malicious payloads.
Upon joining a fake meeting, victims are informed that their microphone or camera is malfunctioning. The attackers then create a sense of urgency, pressuring the victim to resolve the perceived technical issue immediately. When the victim attempts to activate their audio or video, a “ClickFix”-style prompt appears, instructing them to copy and execute a specific piece of code. This critical step facilitates the malware’s entry into the system, establishing a persistent foothold on the victim’s device.
Validin Researchers Uncover Attack Chain and Malware Variants
Validin researchers meticulously analyzed the complete attack chain in April 2026, uncovering the extensive scale and technical sophistication of the supporting infrastructure. Their findings indicate that the malicious payloads are custom-built for the victim’s specific operating system, whether Windows, macOS, or Linux. The malware deployed appears to be updated iterations of Cabbage RAT, also known as CageyChameleon.
Furthermore, the research established a connection between UNC1069 and the recent Axios NPM package compromise. It also highlighted significant overlaps with the Bluenoroff threat cluster, which Mandiant had previously documented. The campaign’s ramifications extend beyond mere system compromise; the fake meeting platforms also exploit the browser’s navigator.mediaDevices.getUserMedia API to capture victims’ audio and video in real-time. This sensitive data is then streamed to attacker-controlled servers via WebRTC and WebSocket channels, with the recorded footage subsequently repurposed in future social engineering campaigns to impersonate real individuals, making subsequent attacks even more challenging to detect.
Infection Vector on Windows Systems
For Windows systems, the “ClickFix” prompt directs victims to press Win + X, followed by “A,” to open an administrative terminal. They are then instructed to paste and execute a series of commands. These commands download two distinct PowerShell scripts from adversary-controlled servers. The initial script retrieves a VBScript file, writes it to the temporary directory, and executes it twice using wscript.exe. Concurrently, it adds the C:Users directory to Windows Defender’s exclusion list and restarts the WinDefend service to suppress security alerts.
The VBScript payload is an enhanced variant of Cabbage RAT. It commences by gathering comprehensive system details, including the current username, hostname, operating system version, and installed browser extensions. Notably, the inclusion of Google Chrome extension collection represents a new capability specifically designed to identify installed cryptocurrency wallet extensions. A significant modification in this version is the creation of a .lnk shortcut file within the Windows Startup folder, ensuring the malware executes automatically upon user login.
The RAT maintains communication with its command-and-control server, transmitting host data and awaiting specific coded responses: a “20” code triggers the deployment of a secondary encrypted payload, “21” terminates execution, and “22” functions as a keep-alive signal.
What You Should Do
- Exercise Extreme Caution with Unsolicited Meeting Requests: Verify the identity of meeting organizers through independent, trusted out-of-band channels (e.g., a known phone number or official email address) before joining any video conference, especially if it’s from a new contact or involves financial discussions.
- Never Execute Unsolicited Commands: Treat any request to run terminal commands or scripts during a video call as a critical red flag. Legitimate collaboration platforms do not require users to perform such actions to enable basic audio/video functionality.
- Monitor for Suspicious Activity: Security teams should actively monitor for unsigned scripts executing from temporary directories, unexpected additions to Windows Defender exclusion lists, and suspicious outbound network connections to domains mimicking legitimate video conferencing services (e.g., variations of Zoom, Google Meet, or Microsoft Teams URLs).
- Educate Employees: Conduct regular cybersecurity awareness training for all employees, particularly those in the cryptocurrency and Web3 sectors, on advanced social engineering tactics, phishing, and the dangers of executing untrusted code.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.