North Korean hackers use new macOS malware in crypto-theft attacks
North Korean hackers are running tailored campaigns using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector.
The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers.
During the response engagement, the researchers found seven distinct macOS malware families and attributed the attack to UNC1069, a threat group they've been tracking since 2018.
Infection chain
The attack had a strong social engineering component as the victim was contacted over the Telegram messaging service from a compromised account of an executive at a cryptocurrency company.
After building a rapport, the hackers shared a Calendly link that took the victim to a spoofed Zoom meeting page on the attacker's infrastructure.
According to the target, the hackers showed a deepfake video of a CEO at another cryptocurrency company.
"Once in the 'meeting,' the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues," Mandiant .
Under this pretext, the attacker instructed the victim to troubleshoot the problems using commands present on a webpage. Mandiant found commands on the page for both Windows and macOS that would start the infection chain.
Huntress researchers documented a in mid-2025 and attributed it to the BlueNoroff group, another North Korean adversary also known as Sapphire Sleet and TA44, that targeted macOS systems using a different set of payloads.
macOS malware
Mandiant researcher found evidence of AppleScript execution once the infection chain started, but could not recover the contents of the payload, followed by deploying a malicious Mach-O binary. In the next stage, the attacker executed seven distinct malware families:
$1
$1
$1
$1
$1
$1
$1
.jpg)
Overview of the attack chain
Source: Mandiant
Of the malware found, SUGARLOADER has the most detections on the VirusTotal scanning platform, followed by WAVESHAPER, which is flagged by just two products. The rest are not present in the platform's malware database.
Mandiant says that SILENCELIFT, DEEPBREATH, and CHROMEPUSH represent a new set of tooling for the threat actor.
The researchers describe as unusual the volume of malware deployed on a host against a single individual.
This confirms a targeted attack focused on collecting as much data as possible for two reasons: "cryptocurrency theft and fueling future social engineering campaigns by leveraging victim’s identity and data," Mandiant says.
Since 2018, UNC1069 has demonstrated its ability to evolve by adopting new techniques and tools. In 2023, the bad actor switched to targets in the Web3 industry (centralized exchanges, developers, venture capital funds).
Last year, the threat actor changed its target to financial services and the cryptocurrency industry in verticals such as payments, brokerage, and wallet infrastructure.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
