Bitcoin Forum
Author Topic: New macOS malware with AI linked to North Korean hackers targeting crypto users  (Read 97 times)
coinrifft (OP)
Member
Activity: 112
Merit: 66
February 11, 2026, 11:10:20 AM
#1

It was reported that the North Koreans are at it again, targeting the cryptocurrency industry. So if you are in the crypto sector, it is better that you know about this kind of attack.

1. Through a social engineering attack, the compromised account will contact you on Telegram and try to build a rapport. And you will think that you are really talking to the higher-ups of that crypto company.
2. And then, once everything is set up, you will be shown a video conference, which is obviously a fake video of another crypto company's CEO.
3. Once you are in the meeting, suddenly these criminals will give you the impression that something is wrong with the video, be it the audio or the video itself.
4. Then the criminals will ask you to download something in the guise of troubleshooting, and that's where you are going to be trapped.

The thing is that it's not just one malware, but seven in total.

Quote
The first malicious executable file deployed to the system was a packed backdoor tracked by Mandiant as WAVESHAPER. WAVESHAPER served as a conduit to deploy a downloader tracked by Mandiant as HYPERCALL as well as subsequent additional tooling to considerably expand the adversary's foothold on the system....

DEEPBREATH, a data miner written in Swift, was deployed via HIDDENCALL—the follow-on backdoor component to HYPERCALL. DEEPBREATH manipulates the Transparency, Consent, and Control (TCC) database to gain broad file system access, enabling it to steal...

SILENCELIFT is a minimalistic backdoor written in C/C++ that beacons host information to a hard-coded C&C server. The C&C server identified in this sample was identified as support-zoom[.]us.

Mandiant identified two disparate data miners that were deployed by the threat actor during their access period: DEEPBREATH and CHROMEPUSH.

Mandiant also identified HYPERCALL deployed an additional malware loader, tracked as part of the code family SUGARLOADER. A persistence mechanism was installed in the form of a launch daemon for SUGARLOADER, which configured the system to execute the malware during the macOS startup process. The launch daemon was configured through a property list (Plist) file,

https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

So this is really a very dangerous campaign from these hackers, as it is a very sophisticated attack with deepfake AI and then those malwares that they used. So again, if you are in the crypto sector, from support staff to a higher pay grade position, just be careful with this trick.
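The Mandiant excerpt quoted above says SUGARLOADER was made persistent through a launch daemon configured by a property list file. The script below is an added example for this thread, not code from the original post or from Mandiant: it triages launchd plists the way a defender checking a Mac would, flagging executables that live under user-writable or hidden paths, Apple-looking labels that point outside system locations, and RunAtLoad/KeepAlive on such jobs. The two sample plists, their labels and their paths are constructed for the example and are not indicators from the report; the trusted/suspicious path lists are assumptions a practitioner should tune to their own fleet.

```python
import plistlib
from pathlib import Path, PurePosixPath
from typing import Optional

# Locations from which Apple-shipped or package-installed daemons normally run (assumed list).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
# User-writable or transient locations a launch daemon has no business executing from (assumed list).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                       "/Users/", "/Library/Caches/")


def program_of(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage_launchd_plist(data: bytes) -> list:
    """Parse one launchd plist (XML or binary) and return human-readable findings.

    An empty list means nothing tripped these heuristics; it is not proof the job is benign.
    """
    job = plistlib.loads(data)
    label = job.get("Label", "<no Label>")
    program = program_of(job)
    findings = []
    if program is None:
        return [f"{label}: no Program/ProgramArguments, cannot tell what it runs"]
    if program.startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"{label}: executable lives in a user-writable/transient path: {program}")
    # A hidden directory anywhere in the path (e.g. /Users/Shared/.cache/...) is a classic hiding spot.
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
        findings.append(f"{label}: executable sits inside a hidden directory: {program}")
    if label.startswith("com.apple.") and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"{label}: Apple-looking label but executable outside system locations: {program}")
    # Start-at-boot flags only matter once something else is off; then they show persistence intent.
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append(f"{label}: RunAtLoad/KeepAlive set, job starts at boot and is kept alive")
    return findings


def scan_directory(directory: str) -> dict:
    """Triage every .plist in a launchd directory such as /Library/LaunchDaemons; returns only hits."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            found = triage_launchd_plist(path.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            found = [f"{path.name}: unreadable plist ({exc})"]
        if found:
            results[str(path)] = found
    return results


# Constructed sample plists for the demonstration (labels and paths are made up, not report IoCs).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backupagent",
    "ProgramArguments": ["/usr/local/bin/backupagent", "--daemon"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",          # mimics an Apple label
    "ProgramArguments": ["/Users/Shared/.cache/updater", "-s"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, triage_launchd_plist(blob) or ["no findings"])
    # On a real host: print(scan_directory("/Library/LaunchDaemons"))
```

Run it against /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; the heuristics are deliberately simple path checks, so a hit is a prompt to inspect the binary's signature and origin, not a verdict.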

Vvang
Jr. Member
Activity: 59
Merit: 26
February 11, 2026, 04:10:02 PM
Merited by hugeblack (2)
#2

Red Flags.

1. The internet
2. The browser.
3. The PC.

Smartness is accepting that crypto is way safer away from the internet.
Smartness is accepting that open source hardware wallets are the shield in this case.

Most crypto attacks turned out successful because of users' access to the internet, especially those who are using a PC to browse.
Anything internet-related should be miles away from your digital assets; keep them offline and you won't have problems like this.

joniboini
Legendary
Activity: 2828
Merit: 1874
February 12, 2026, 06:55:02 AM
#3

Quote from: coinrifft
1. Through a social engineering attack, the compromised account will contact you on Telegram and try to build a rapport. And you will think that you are really talking to the higher-ups of that crypto company.

Looks like the owner stated on other social accounts that their Telegram account was compromised, so it should be easy to avoid if the target also follows those. I wonder if they can't report their own account to close it down quickly, though. Sounds like as long as you're careful and verify communication channels, you should be able to notice whether some accounts are compromised or not. Granted, this assumes you have other access to business channels. For crypto projects, they have channels on Telegram, Discord, etc. too, so it shouldn't be that hard to follow them.

hugeblack
Legendary
Activity: 3150
Merit: 4485
February 12, 2026, 08:42:35 AM
#4

If the North Koreans had these capabilities, they would have done much more. The accusations usually point to the Lazarus Group, which is linked to North Korea and some other countries. You can avoid such scams by limiting your Telegram communications to your contacts, avoiding replying to any messages from unknown individuals, and not trusting any offers of quick profits online.

Odohu
Hero Member
Activity: 1022
Merit: 731
February 12, 2026, 07:12:32 PM
#5

Quote from: Vvang
Red Flags.

1. The internet
2. The browser.
3. The PC.

Smartness is accepting that crypto is way safer away from the internet.
Smartness is accepting that open source hardware wallets are the shield in this case.

Most crypto attacks turned out successful because of users' access to the internet, especially those who are using a PC to browse.
Anything internet-related should be miles away from your digital assets; keep them offline and you won't have problems like this.

Thank you for this summary, because after all that is happening now, the only way to stay completely safe is to keep cryptocurrency offline, although it will be hard for people using Bitcoin for business like trading or lending, or even for other forms of business such as merchants that require coins to be stored in a hot wallet. Apart from these categories, holders should learn to use cold wallets, because that is the only safe option since attacks are becoming highly sophisticated.

Coyster
Legendary
Activity: 2660
Merit: 1416
February 12, 2026, 07:28:14 PM
Merited by hugeblack (2)
#6

It is always linked to North Korea, lol. How are you sure these scammers are not doing this from the United States or some country in the West? Roll Eyes I guess North Korea is the easy target because of its dictatorial political system that most of the world opposes.

Having said that, it is not unusual to get attacked this way if you reply to unsolicited DMs on Telegram or any other social media platform. I understand that it can also be more difficult to avoid for people who seek employment opportunities in the crypto space, but for such individuals, you have to be smart: do not download anything, and do not keep your funds on your online device.

BitMaxz
Legendary
Activity: 3892
Merit: 3546
February 12, 2026, 10:50:30 PM
#7

This is why I don't entertain anyone on Telegram who DMs me unless I'm the one who contacted them or joined their group, but anyone should be aware that Telegram isn't safe because most of the hackers and scammers are there. We should always use Telegram with caution.

Quote from: Coyster
It is always linked to North Korea, lol. How are you sure these scammers are not doing this from the United States or some country in the West? Roll Eyes I guess North Korea is the easy target because of its dictatorial political system that most of the world opposes.

Well, no one knows, and maybe it's the Lazarus Group that created this malware. Remember how they hacked Bybit and Stake.com?
It might be similar attackers known as the Lazarus Group.

.
 betpanda.io 
 
ANONYMOUS & INSTANT
.......ONLINE CASINO.......
▄███████████████████████▄
█████████████████████████
█████████████████████████
████████▀▀▀▀▀▀███████████
████▀▀▀█░▀▀░░░░░░▄███████
████░▄▄█▄▄▀█▄░░░█▄░▄█████
████▀██▀░▄█▀░░░█▀░░██████
██████░░▄▀░░░░▐░░░▐█▄████
██████▄▄█░▀▀░░░█▄▄▄██████
█████████████████████████
█████████████████████████
█████████████████████████
▀███████████████████████▀
▄███████████████████████▄
█████████████████████████
██████████▀░░░▀██████████
█████████░░░░░░░█████████
███████░░░░░░░░░███████
████████░░░░░░░░░████████
█████████▄░░░░░▄█████████
███████▀▀▀█▄▄▄█▀▀▀███████
██████░░░░▄░▄░▄░░░░██████
██████░░░░█▀█▀█░░░░██████
██████░░░░░░░░░░░░░██████
█████████████████████████
▀███████████████████████▀
▄███████████████████████▄
█████████████████████████
██████████▀▀▀▀▀▀█████████
███████▀▀░░░░░░░░░███████
██████░░░░░░░░░░░░▀█████
██████░░░░░░░░░░░░░░▀████
██████▄░░░░░░▄▄░░░░░░████
████▀▀▀▀▀░░░█░░█░░░░░████
████░▀░▀░░░░░▀▀░░░░░█████
████░▀░▀▄░░░░░░▄▄▄▄██████
█████░▀░█████████████████
█████████████████████████
▀███████████████████████▀
.
SLOT GAMES
....SPORTS....
LIVE CASINO
▄░░▄█▄░░▄
▀█▀░▄▀▄░▀█▀
▄▄▄▄▄▄▄▄▄▄▄   
█████████████
█░░░░░░░░░░░█
█████████████

▄▀▄██▀▄▄▄▄▄███▄▀▄
▄▀▄█████▄██▄▀▄
▄▀▄▐▐▌▐▐▌▄▀▄
▄▀▄█▀██▀█▄▀▄
▄▀▄█████▀▄████▄▀▄
▀▄▀▄▀█████▀▄▀▄▀
▀▀▀▄█▀█▄▀▄▀▀

Regional Sponsor of the
Argentina National Team

qwertyup23
Hero Member
Activity: 2632
Merit: 813
February 12, 2026, 11:30:53 PM
#8

When I read your post and saw the word Telegram, I instantly knew that this would be that scheme where people are lured into downloading random stuff, ultimately affecting their PC in the process.

I cannot stress enough that YOU SHOULD NEVER TRUST ANYONE WHO RANDOMLY DMS YOU ON ANY PLATFORM.

If someone randomly messages you about a random investment opportunity and the platform used was Telegram, then ignore it with all your heart and move on. Telegram is notoriously known as the platform that scammers use because you can instantly hide and delete both sides of your conversation. Be wary of all the signs and be smart with your money!

KiaKia
Hero Member
Activity: 1302
Merit: 576
Today at 10:48:02 AM
#9

Quote from: Coyster
It is always linked to North Korea, lol. How are you sure these scammers are not doing this from the United States or some country in the West? Roll Eyes I guess North Korea is the easy target because of its dictatorial political system that most of the world opposes.

Having said that, it is not unusual to get attacked this way if you reply to unsolicited DMs on Telegram or any other social media platform. I understand that it can also be more difficult to avoid for people who seek employment opportunities in the crypto space, but for such individuals, you have to be smart: do not download anything, and do not keep your funds on your online device.

This is true; why have I never thought about this before? Since North Korea is already known for scammers, other countries can commit huge heists online and put the blame on North Korea; it's going to be an easy excuse.

North Korea can never come out in public to protect themselves because they don't do such things. I believe the country is hiding a lot on its own, and that's why other countries can easily put the blame on them.

I have met a lot of scammers online and I have never seen a real Asian guy trying to scam me, not even a North Korean person, so every part of the world has more online scammers than North Korea; no country is clean.


GreatArkansas
Legendary
Activity: 2954
Merit: 1471
Today at 11:22:19 AM
#10

This is a very familiar attack that always ends up with malware.
But I am impressed by their procedures before getting the malware to their victims.

Quote from: KiaKia
Quote from: Coyster
It is always linked to North Korea, lol. How are you sure these scammers are not doing this from the United States or some country in the West? Roll Eyes I guess North Korea is the easy target because of its dictatorial political system that most of the world opposes.

Having said that, it is not unusual to get attacked this way if you reply to unsolicited DMs on Telegram or any other social media platform. I understand that it can also be more difficult to avoid for people who seek employment opportunities in the crypto space, but for such individuals, you have to be smart: do not download anything, and do not keep your funds on your online device.

This is true; why have I never thought about this before? Since North Korea is already known for scammers, other countries can commit huge heists online and put the blame on North Korea; it's going to be an easy excuse.

North Korea can never come out in public to protect themselves because they don't do such things. I believe the country is hiding a lot on its own, and that's why other countries can easily put the blame on them.

I have met a lot of scammers online and I have never seen a real Asian guy trying to scam me, not even a North Korean person, so every part of the world has more online scammers than North Korea; no country is clean.

Lol, same thought. I'm really curious what most North Korean people's impression is if they see these impressions of them from the Internet. It seems the majority are just taking advantage of North Korea's limited access to the Internet. But yeah, we also can't blame other people, because there are already a lot of past issues with hackers from North Korea.

XZERO1
Member
Activity: 560
Merit: 33
Today at 01:28:02 PM
Last edit: Today at 01:41:29 PM by XZERO1
#11

The Lazarus Group is out there providing a good portion of the funds for the North Korean military.

NK's military budget for 2025 is estimated to be around 5-10 billion USD, so even if we just count the one crypto hack that was 100% confirmed to be linked to the Lazarus Group in 2025, which was the Bybit 1.5 billion USD hack, and exclude this macOS malware attack, North Korea managed to cover 15%-30% (depending on whether we go for the low or high estimate) of their military budget using the Lazarus Group.

Easiest way to avoid being hacked and stay >99.99% safe? Do not use the device that you use for crypto for any other stuff and try to keep it as offline as possible; especially do not use it for browsing the web, and even more especially don't use it for social media/Telegram/Discord.

P.S. There are no official numbers on the exact military budget of NK for obvious reasons, so the estimate provided above is based on available data provided by analysts and the estimated budgets of previous years.