UNC1069: North Korea-Linked UNC1069 Uses Fake Zoom and Teams Meetings to Hack Crypto Professionals

North Korean Threat Group UNC1069 Targets Crypto Professionals with Fake Meeting Malware

A North Korean cyber threat group, UNC1069, has been conducting a sophisticated campaign targeting cryptocurrency and Web3 professionals through fake online meetings. Posing as venture capital firms, the attackers establish trust over time before delivering malware designed to steal digital assets funding North Korea’s missile, nuclear, and espionage programs.

The operation begins with initial contact via LinkedIn and Telegram, often using compromised accounts for legitimacy. Victims receive Calendly scheduling links for meetings hosted on counterfeit platforms mimicking Zoom, Google Meet, and Microsoft Teams. These fake environments include live participation from attackers, sometimes using deepfake video footage of real executives to enhance credibility.

During the meeting, victims are told their microphone or camera is malfunctioning. A ClickFix-style prompt appears, urging them to copy and run a piece of code deploying malware tailored to their operating system (Windows, macOS, or Linux). The payloads are updated variants of Cabbage RAT (CageyChameleon), a remote access trojan linked to previous attacks, including the Axios NPM package compromise and the Bluenoroff threat cluster.

On Windows systems, the attack uses PowerShell commands to download and execute malicious scripts. These scripts:

  • Add the C:\Users directory to Windows Defender’s exclusion list to evade detection.
  • Deploy a VBScript-based RAT that collects system details, including installed browser extensions (targeting crypto wallets).
  • Establish persistence via a .lnk shortcut in the Windows Startup folder.
  • Communicate with a command-and-control server, receiving coded instructions for further payloads or termination.

Beyond system compromise, the fake platforms capture audio and video in real time via the browser’s navigator.mediaDevices.getUserMedia API, streaming data to attacker-controlled servers. This footage is later reused in social engineering campaigns, making future attacks harder to detect.

Researchers at Validin uncovered the full attack chain in April 2026, exposing the campaign’s technical sophistication and infrastructure. Security teams are flagging unexpected terminal command requests during video calls as a critical red flag, while organizations in the crypto and Web3 sectors are urged to verify meeting organizers through out-of-band channels and monitor for unsigned scripts, unusual Defender exclusions, and suspicious outbound connections.
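A defender-side audit for two of the host artifacts described above (the C:\Users Defender exclusion and the Startup-folder .lnk persistence), written here as an added example; it is not code from the article or from Validin's research. It assumes a Windows host where the Defender PowerShell module (Get-MpPreference) and the WScript.Shell COM object are available; the set of script hosts it treats as suspicious is an assumption of this example.

```powershell
# Added example (not from the article): audit two host indicators named in the
# UNC1069 write-up. Run from an elevated PowerShell session.

# 1. Defender path exclusions that cover an entire user-profile tree.
#    Excluding C:\Users (or a whole profile) is almost never legitimate.
$broadRoots = @('C:\', 'C:\Users')
$profileRoots = (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue).FullName
$suspiciousExclusions = @()
foreach ($path in (Get-MpPreference).ExclusionPath) {
    $normalized = $path.TrimEnd('\')
    if ($broadRoots -contains $normalized -or $profileRoots -contains $normalized) {
        $suspiciousExclusions += $path
    }
}

# 2. Startup-folder shortcuts whose target is a script host. The list of
#    hosts is an assumption of this example, not from the article.
$scriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe')
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell
$suspiciousShortcuts = @()
foreach ($dir in $startupDirs) {
    foreach ($file in (Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue)) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $targetName = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        if ($scriptHosts -contains $targetName) {
            $suspiciousShortcuts += [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments   # the script the host is told to run
            }
        }
    }
}

# 3. Report. Either finding on its own warrants a closer look at the host.
if ($suspiciousExclusions) {
    Write-Warning 'Broad Windows Defender exclusions found:'
    $suspiciousExclusions | ForEach-Object { Write-Warning "  $_" }
}
if ($suspiciousShortcuts) {
    Write-Warning 'Startup shortcuts that launch a script host:'
    $suspiciousShortcuts | Format-Table -AutoSize
}
if (-not $suspiciousExclusions -and -not $suspiciousShortcuts) {
    Write-Output 'No broad exclusions or script-host Startup shortcuts found.'
}
```

A hit in either check is only a lead: confirm with the exclusion's change time in the Defender operational event log and the signature status of any script the shortcut points at.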

Source: https://cybersecuritynews.com/north-korea-linked-unc1069-uses-fake-zoom-and-teams-meetings/

Mandiant (part of Google Cloud) cybersecurity rating report: https://www.rankiteo.com/company/mandiant
