
Mandiant, which operates under Google Cloud, has identified an escalating North Korea-linked cyber campaign targeting cryptocurrency and fintech firms with advanced malware and AI-enabled social engineering.
The threat cluster, tracked as UNC1069, deployed seven distinct malware families designed to harvest and exfiltrate sensitive data, marking a significant expansion of activity first monitored by Mandiant in 2018.
“This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH,” Mandiant said in its report.
The campaign leveraged compromised Telegram accounts and staged fake Zoom meetings featuring AI-generated deepfake videos, with victims tricked into running hidden commands in so-called ClickFix attacks.
Two of the newly identified malware families, CHROMEPUSH and DEEPBREATH, were engineered to bypass key operating system protections and extract personal data. Following the announcement, the Alphabet share price was unchanged at $XX.