A sophisticated cybersecurity campaign, reportedly orchestrated by a North Korean threat group known as UNC1069, is targeting cryptocurrency and Web3 professionals. The group employs deceptive tactics, luring victims into fake online meetings orchestrated through imitation video conferencing platforms. This operation’s primary objective is to compromise user devices and steal digital assets, with the funds believed to then fuel North Korea’s illicit weapons programs.
Researchers analyzing this operation have detailed a multi-stage attack. Initial contact is often made via professional networking and communication platforms like LinkedIn and Telegram, sometimes leveraging compromised accounts to build credibility. The attackers then proceed to schedule meetings using legitimate scheduling tools like Calendly, but the meeting itself takes place on a counterfeit video conferencing website designed to mimic popular services such as Zoom, Microsoft Teams, and Google Meet. These imposter platforms are convincing, reportedly even featuring live participation from the attackers and, in some instances, deepfake video to further deceive targets.
How UNC1069’s Fake Meetings Lead to Crypto Hacks
The effectiveness of UNC1069’s social engineering lies in exploiting common technical troubleshooting scenarios. Upon joining a fraudulent meeting, victims are often presented with issues related to their microphone or camera functionality. The attackers create a sense of urgency, pressuring the victim to resolve the problem immediately. This pressure point is critical; when the victim attempts to fix the audio or video, they are prompted to copy and execute a segment of code, disguised as a solution. This action, however, is the gateway for malware to infiltrate the user’s system, granting the attackers persistent access.
Validin researchers, who analyzed the attack chain in April 2026, highlighted the technical infrastructure and scale of the operation. The malware is tailored to the victim’s operating system, supporting Windows, macOS, and Linux. The employed malware appears to be an advanced version of the Cabbage RAT, also recognized as CageyChameleon. These findings also establish a connection between UNC1069 and a recent compromise of the Axios NPM package, and suggest overlaps with the Bluenoroff threat cluster previously identified by Mandiant.
Beyond system compromise, the sophisticated nature of these fake meeting platforms allows for real-time capture of victim audio and video feeds. This data is transmitted to attacker-controlled servers using WebRTC and WebSocket protocols. The captured footage is then strategically repurposed in subsequent social engineering schemes, enabling the attackers to impersonate real individuals more convincingly in future attacks, thus increasing the likelihood of success.
How the Infection Takes Hold on Windows Systems
For Windows users, the malicious “ClickFix” prompt guides them to open a command terminal with administrative privileges by pressing Win + X and then “A.” Victims are instructed to paste and run a sequence of commands. These commands are designed to retrieve two distinct PowerShell scripts from servers controlled by the attackers. The first PowerShell script downloads a VBScript file, saves it to the system’s temporary directory, and executes it twice using `wscript.exe`. Crucially, this script also adds the `C:\Users` directory to Windows Defender’s exclusion list and restarts the WinDefend service, a move intended to bypass security monitoring and prevent immediate detection.
The content of the first PowerShell payload for Windows-based victims, as analyzed by Validin, details the execution of this sequence. The subsequent VBScript payload, an updated version of Cabbage RAT, begins its operation by gathering critical system information. This includes details such as the current username, hostname, operating system version, and a list of all installed browser extensions. The specific inclusion of Google Chrome extension data indicates a targeted effort to identify installed cryptocurrency wallet extensions, a high-value asset for attackers.
A significant modification in this RAT variant is the placement of a `.lnk` shortcut file within the Windows Startup folder. This ensures that the malware is automatically executed every time the user logs into their system, providing persistent access. The RAT communicates with its command-and-control server, transmitting the collected host data. It awaits coded responses, where code “20” signals the execution of a secondary, encrypted payload, code “21” instructs the termination of the current process, and code “22” serves as a basic keep-alive signal to maintain the connection.
Security professionals are advised to consider any unexpected requests to execute terminal commands during video conferences as a critical security alert. Organizations operating within the cryptocurrency and Web3 sectors should proactively verify the identity of meeting organizers through secure, independent communication channels before joining any online sessions. Furthermore, continuous monitoring for unsigned scripts executing from temporary directories, unusual Windows Defender exclusions, and outbound network connections to suspicious domains mimicking legitimate video conferencing services is essential to detect and prevent such attacks.
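As an added example that is not part of the article or of Validin's own tooling, the following Python script turns the monitoring points above (script hosts run from temp directories, overly broad Defender exclusions, lookalike meeting domains) and the Startup-folder shortcut from the RAT description into simple triage rules over constructed Sysmon-style events; the event shape, field names and sample domains are assumptions.

```python
import re
from typing import Dict, List

# Rule inputs, each mapping to a behaviour described in the write-up:
# script host + temp path, profile/system-root Defender exclusion, Startup .lnk, lookalike domain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
BROAD_EXCLUSIONS = {"c:", r"c:\users", r"c:\windows", r"c:\windows\temp"}
PROFILE_ROOT = re.compile(r"^c:\\users\\[^\\]+$")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
MEETING_DOMAINS = {"zoom": "zoom.us", "teams": "teams.microsoft.com", "meet": "meet.google.com"}

# Constructed sample telemetry in a Sysmon-like shape; not logs from a real host.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\fix.vbs"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "defender_exclusion", "path": r"C:\Users"},
    {"type": "defender_exclusion", "path": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "network", "domain": "meet.google.com"},
    {"type": "network", "domain": "join-zoom-us.example"},
    {"type": "startup_lnk", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]

def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one event trips (empty list = nothing suspicious)."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS and TEMP_DIR.search(event["cmdline"]):
            hits.append("script_host_from_temp")
    elif kind == "defender_exclusion":
        path = event["path"].lower().rstrip("\\")
        if path in BROAD_EXCLUSIONS or PROFILE_ROOT.match(path):
            hits.append("broad_defender_exclusion")
    elif kind == "network":
        domain = event["domain"].lower()
        for brand, legit in MEETING_DOMAINS.items():
            # A brand name in a domain that is neither the real service nor one of its subdomains.
            if brand in domain and domain != legit and not domain.endswith("." + legit):
                hits.append(f"lookalike_{brand}_domain")
    elif kind == "startup_lnk" and STARTUP_LNK.search(event["path"]):
        hits.append("startup_lnk_persistence")
    return hits

def suspicious(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tripped rules, keeping only events that tripped something."""
    return {i: hits for i, event in enumerate(events) if (hits := triage(event))}
```

Run against real telemetry, the Startup-folder rule will also surface legitimate shortcuts, so treat it as a review queue rather than an alert on its own.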