High Level Attack Chain | Image: Validin
In a sophisticated escalation of cyber-enabled financial theft, security researchers from Validin have unmasked a sprawling campaign by the North Korean threat actor UNC1069. This group, which overlaps with the notorious Bluenoroff cluster, is currently targeting cryptocurrency and Web3 professionals with high-fidelity social engineering tactics designed to bypass traditional defenses and drain digital assets.
The attack chain begins on professional platforms like LinkedIn and Telegram, where threat actors operate under fraudulent venture capital personas. To build maximum credibility, they often leverage previously compromised accounts to reach out with tailored partnership proposals.
Once a rapport is established, victims are invited to a meeting via scheduling links like Calendly. These links do not lead to a standard conference call, but to attacker-controlled infrastructure designed to mimic legitimate services such as Google Meet, Zoom, or Microsoft Teams. “The environments are highly convincing and may even include live participation from the attackers,” researchers noted.
During these fraudulent meetings, victims are led to believe their hardware is malfunctioning. “The attackers apply time pressure, urging them to quickly resolve the issue,” the report states. When the user tries to enable their camera or microphone, they are presented with a ClickFix-style prompt.
This prompt instructs the victim to copy and execute a command—supposedly to update a missing meeting SDK or driver—which actually delivers a malicious payload tailored to their specific operating system:
- Windows: Attackers use PowerShell scripts to download VBS-based RATs and modify system defenses, such as adding an exclusion for the C:\Users directory in Windows Defender.
- macOS: The campaign delivers Mach-O binaries or Perl scripts. These tools are designed to bypass macOS security features by removing quarantine attributes (xattr -rc) and applying ad-hoc code signatures.
- Linux: Victims are prompted to execute commands that fetch and run an ELF downloader, which uses curl to exfiltrate system telemetry to a command-and-control (C2) server.
The campaign is not just about immediate system access. “These fake meeting environments are used not only to compromise victims’ systems, but also to capture video and voice recordings, which are later reused in subsequent social engineering efforts,” according to the findings.
Analysis of the malicious JavaScript reveals the use of the browser’s getUserMedia API to silently record participants. This captured content, along with deepfake representations of executives, is used in future operations to enhance the legitimacy of the threat actor’s personas.
The malware variants deployed, such as Cabbage RAT and NukeSped, have direct ties to North Korea’s state-sponsored Lazarus Group. Researchers believe these operations are critical for the regime, stating they are “believed to support the North Korean regime’s missile, nuclear, and espionage programs”.
To stay ahead of the actors, Validin used its platform to pivot from known malicious IP addresses (like 45.61.157[.]248) to uncover dozens of lookalike domains. By searching with regular expressions for naming patterns such as (us|uk|eu)[0-9]{1,3}(web|zoom|meet), investigators identified a wide network of fraudulent meeting sites and fake crypto firms used to sustain the campaign.
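The regex pivot described above, as an added example rather than Validin's own tooling: a small Python filter that applies the report's naming pattern to a constructed list of candidate domains (made up for illustration, not real indicators) and groups the hits by the impersonated meeting brand.

```python
import re
from collections import defaultdict

# Naming pattern quoted in the report: region prefix, one to three digits, meeting brand.
LOOKALIKE_RE = re.compile(
    r"(?P<region>us|uk|eu)(?P<num>[0-9]{1,3})(?P<brand>web|zoom|meet)",
    re.IGNORECASE,
)

# Constructed sample of candidate hostnames, e.g. from passive DNS or CT logs.
# None of these are real indicators from the campaign.
SAMPLE_DOMAINS = [
    "us12meet.example",
    "eu3zoomcall.example",
    "uk100web.example",
    "meet.example",
    "zoom-support.example",
    "us1234meet.example",          # four digits: outside [0-9]{1,3}, not flagged
    "mail.focus-venture.example",
]


def find_lookalikes(domains):
    """Return {domain: (region, brand)} for each hostname matching the pattern."""
    hits = {}
    for domain in domains:
        match = LOOKALIKE_RE.search(domain.lower().strip("."))
        if match:
            hits[domain] = (match.group("region"), match.group("brand"))
    return hits


def group_by_brand(hits):
    """Bucket flagged domains by the meeting service they imitate."""
    groups = defaultdict(list)
    for domain, (_region, brand) in hits.items():
        groups[brand].append(domain)
    return dict(groups)


if __name__ == "__main__":
    flagged = find_lookalikes(SAMPLE_DOMAINS)
    for brand, domains in sorted(group_by_brand(flagged).items()):
        print(f"{brand}: {', '.join(domains)}")
```

The pattern is deliberately narrow; in practice the hits would be triaged against hosting, registration and TLS data before being added to a blocklist.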