
Hackers Allegedly Linked to North Korea Deploy New Cryptocurrency Malware.

North Korean‑linked Hackers Expand Crypto‑Focused Campaigns with New Malware Suite

By [Author Name] – February 2026

A threat group that cybersecurity firm Mandiant tracks as UNC1069 has launched an intensified series of attacks on cryptocurrency, fintech and venture‑capital firms. The campaign, disclosed in a Tuesday briefing, employed a blend of AI‑generated deep‑fakes, compromised messaging accounts and a set of seven newly identified malware families, three of which — SILENCELIFT, DEEPBREATH and CHROMEPUSH — are being seen for the first time.


The operation in detail

Mandiant’s investigation uncovered a coordinated intrusion chain that began with social‑engineering lures delivered through hijacked Telegram accounts. Victims were invited to “troubleshoot” a fabricated Zoom meeting in which the attacker, appearing on camera with a deep‑fake video, reported audio problems. The session culminated in a ClickFix‑style request: the target was asked to run a series of seemingly benign commands to resolve the issue. Hidden within those commands was a payload that triggered the deployment of the new malware families.

The seven toolsets observed in the campaign include several known families that have been repurposed for crypto‑theft, as well as the three novel strains referenced above. According to Mandiant, CHROMEPUSH and DEEPBREATH are sophisticated data‑mining viruses designed to bypass core operating‑system defenses and harvest credentials, wallet files, and other sensitive information. SILENCELIFT appears to focus on exfiltrating system logs and network configurations that can aid lateral movement within targeted organisations.


AI as a force multiplier

The UNC1069 group, long suspected of operating with North Korean state support, has been tracked since 2018. According to a 2025 Google Threat Intelligence report, the actors began integrating AI‑generated content into their lures in late 2025, a shift that dramatically increased the plausibility of their social‑engineering attacks. The deep‑fake video used in the Zoom sessions is a prime example of this trend, allowing the hackers to simulate real‑time technical support without needing a physical presence.


Historical context

North Korean cyber‑operations have repeatedly intersected with the digital‑asset ecosystem. In June 2025, four operatives masquerading as freelance developers siphoned roughly $900k from several crypto startups. Earlier in the same year, the Lazarus Group — widely attributed to Pyongyang — was linked to the $1.4 billion breach of the Bybit exchange, one of the largest crypto thefts on record.


Industry reaction and next steps

Cointelegraph reached out to Mandiant for comment on the attribution and technical details; the firm had not responded at the time of publication. Nonetheless, the report underscores a clear escalation: the blend of AI‑enhanced social engineering and previously unseen malware families marks a new level of threat sophistication for the sector.


Analysis

  1. Target profile expansion – While earlier North Korean campaigns focused largely on financial institutions, the current effort deliberately widens its net to include software developers and venture‑capital firms that sit at the heart of crypto project financing. Compromising these entities can provide the attackers with both direct access to funds and valuable intelligence on upcoming token launches.

  2. AI‑driven deception – The use of deep‑fake video in real‑time communications eliminates many of the red flags that seasoned security teams rely on, such as mismatched voice‑to‑video cues or low‑quality recordings. Organizations that have not yet incorporated AI‑detection tools into their security stack may be especially vulnerable.

  3. Modular malware architecture – Deploying multiple families in a single intrusion indicates a “toolbox” approach, allowing actors to cherry‑pick components that best fit the victim environment. This modularity complicates detection, as traditional signature‑based solutions may miss newer components like CHROMEPUSH.

  4. ClickFix as a vector – The “audio‑troubleshooting” scenario is a familiar social‑engineering pattern, but its combination with AI‑generated video adds a layer of credibility that can lower user scepticism. The technique demonstrates that even seemingly routine support calls can be weaponised.

Key Takeaways

Takeaway: AI‑enhanced lures are now mainstream
Recommendation: Deploy AI‑based deep‑fake detection on video‑conferencing platforms and train staff to verify identities through out‑of‑band channels.

Takeaway: Multiple malware families per breach
Recommendation: Use behavior‑based endpoint detection and response (EDR) solutions that can identify anomalous activity regardless of the specific payload.

Takeaway: Targeted at high‑value crypto actors
Recommendation: Conduct regular threat‑modeling exercises that include developer and VC environments, not just exchange or wallet infrastructure.

Takeaway: ClickFix abuse persists
Recommendation: Harden remote‑support policies: require multi‑factor verification before any command is executed on a production system.

Takeaway: Attribution to state‑linked groups
Recommendation: Keep abreast of updates from threat‑intel providers (e.g., Mandiant, Google Threat Intelligence) and integrate relevant indicators of compromise (IOCs) into firewall and SIEM rule sets.

Looking ahead

The UNC1069 campaign illustrates a growing convergence of state‑backed cyber capabilities and financially motivated ransomware‑style operations. As AI tools become more accessible, defenders must treat every unsolicited technical‑support request as a potential attack surface, especially when dealing with high‑value crypto assets. Ongoing collaboration between private security firms, industry coalitions, and government agencies will be essential to stay ahead of these evolving threats.



Source: https://cointelegraph.com/news/north-korean-hackers-malware-crypto-fintech-social-engineering?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound