North Korean Hackers Deploy New macOS Malware in Sophisticated Crypto-Theft Campaign

North Korean hackers are running tailored campaigns using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers.

During the response engagement, the researchers found seven distinct macOS malware families and attributed the attack to UNC1069, a threat group they've been tracking since 2018.

Infection Chain

The attack had a strong social engineering component as the victim was contacted over the Telegram messaging service from a compromised account of an executive at a cryptocurrency company. After building a rapport, the hackers shared a Calendly link that took the victim to a spoofed Zoom meeting page on the attacker's infrastructure.

According to the target, the hackers showed a deepfake video of a CEO at another cryptocurrency company.

"Once in the 'meeting,' the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues," Mandiant researchers say. Under this pretext, the attacker instructed the victim to troubleshoot the problems using commands present on a webpage.

Mandiant found commands on the page for both Windows and macOS that would start the infection chain. Huntress researchers documented a similar attack method in mid-2025 and attributed it to the BlueNoroff group, another North Korean adversary also known as Sapphire Sleet and TA44, that targeted macOS systems using a different set of payloads.

macOS Malware Arsenal

Mandiant researcher found evidence of AppleScript execution once the infection chain started, but could not recover the contents of the payload, followed by deploying a malicious Mach-O binary. In the next stage, the attacker executed seven distinct malware families:

WAVESHAPER – C++ backdoor that runs as a background daemon, collects host system information, communicates with C2 over HTTP/HTTPS using curl, and downloads and executes follow-on payloads.

HYPERCALL – Golang-based downloader that reads an RC4-encrypted configuration file, connects to C2 over WebSockets on TCP 443, downloads malicious dynamic libraries, and reflectively loads them into memory.

HIDDENCALL – Golang-based backdoor reflectively injected by HYPERCALL that provides hands-on keyboard access, supports command execution and file operations, and deploys additional malware.

SILENCELIFT – Minimal C/C++ backdoor that beacons host information and lock screen status to a hard-coded C2 server and can interrupt Telegram communications when executed with root privileges.

DEEPBREATH – Swift-based data miner deployed via HIDDENCALL that bypasses macOS TCC protections by modifying the TCC database to gain broad filesystem access and steals keychain credentials, browser data, Telegram data, and Apple Notes data.

SUGARLOADER – C++ downloader that uses an RC4-encrypted configuration to retrieve next-stage payloads and was made persistent via a manually created launch daemon.

CHROMEPUSH – C++ browser data miner deployed by SUGARLOADER that installs as a Chromium native messaging host masquerading as a Google Docs Offline extension and collects keystrokes, credentials, cookies, and optionally screenshots.

Of the malware found, SUGARLOADER has the most detections on the VirusTotal scanning platform, followed by WAVESHAPER, which is flagged by just two products. The rest are not present in the platform's malware database.

Mandiant says that SILENCELIFT, DEEPBREATH, and CHROMEPUSH represent a new set of tooling for the threat actor. The researchers describe as unusual the volume of malware deployed on a host against a single individual.

This confirms a targeted attack focused on collecting as much data as possible for two reasons: "cryptocurrency theft and fueling future social engineering campaigns by leveraging victim's identity and data," Mandiant says.

Evolution of UNC1069

Since 2018, UNC1069 has demonstrated its ability to evolve by adopting new techniques and tools. In 2023, the bad actor switched to targets in the Web3 industry (centralized exchanges, developers, venture capital funds). Last year, the threat actor changed its target to financial services and the cryptocurrency industry in verticals such as payments, brokerage, and wallet infrastructure.

This latest campaign showcases the group's sophistication in combining multiple attack vectors:

• AI-generated deepfake videos for social engineering
• ClickFix technique to trick victims into executing commands
• Multi-stage malware deployment across seven distinct families
• Cross-platform targeting (macOS and Windows)
• Persistence mechanisms and data exfiltration capabilities

The use of deepfake technology represents a significant escalation in social engineering tactics, making it increasingly difficult for targets to verify the authenticity of video communications. Combined with the ClickFix technique, which exploits user trust in troubleshooting procedures, these attacks demonstrate how North Korean threat actors continue to innovate in their pursuit of cryptocurrency assets.

Organizations in the cryptocurrency and financial services sectors should implement enhanced verification procedures for video communications, provide security awareness training on social engineering tactics, and deploy endpoint detection and response solutions capable of identifying multi-stage malware deployments.