News and Analysis

A North Korean threat group known as UNC1069 has been running a sophisticated campaign that tricks cryptocurrency and Web3 professionals into joining fake online meetings, only to infect their computers with malware designed to steal digital assets.

The group pretends to be venture capital firms looking for investment partnerships, building trust with targets over time before delivering malicious payloads through counterfeit video conferencing platforms.

This operation is financially motivated and is believed to directly support North Korea’s missile, nuclear, and espionage programs.

The attackers make first contact through LinkedIn and Telegram, sometimes using previously compromised accounts to appear more legitimate.

They then share scheduling links via Calendly to set up meetings on fake platforms that closely copy the look and feel of Zoom, Google Meet, and Microsoft Teams.

The fake meeting environments are convincing enough to include live participation from the attackers themselves, and in some cases, deepfake video footage of real executives is used to build trust before delivering the attack.

Once a victim joins the fake meeting, they are told their microphone or camera is not working. The attacker creates a sense of urgency, pressuring the victim to fix the issue quickly.

When the victim tries to enable their audio or video, a ClickFix-style prompt appears on the screen, instructing them to copy and run a piece of code. This is the moment the malware enters the system, and from this point, the attacker has a foothold on the victim’s device.

Validin researchers identified and analyzed the full attack chain in April 2026, revealing the scale and technical complexity of the campaign’s supporting infrastructure.

They found that payloads are built specifically for the victim’s operating system, whether Windows, macOS, or Linux, and that the malware used appears to be updated variants of Cabbage RAT, also known as CageyChameleon.

In addition, the research linked UNC1069 to the recent Axios NPM package compromise and noted overlaps with the Bluenoroff threat cluster previously reported by Mandiant.

The campaign’s impact extends beyond simple system compromise. The fake meeting platforms also capture victims’ audio and video in real time through the browser’s navigator.mediaDevices.getUserMedia API, streaming the data to attacker-controlled servers via WebRTC and WebSocket channels.

This recorded footage is then reused in later social engineering campaigns to impersonate real people, making future attacks even harder to detect.

How the Infection Takes Hold on Windows Systems

On Windows machines, the ClickFix prompt instructs victims to press Win + X followed by “A” to open a terminal with administrator privileges, then paste and run a set of commands.

PowerShell snippet from a ClickFix lure for Windows-based victims (Source – Validin)

These commands pull down two separate PowerShell scripts from attacker-controlled servers. The first script downloads a VBScript file, writes it to the temporary directory, and executes it twice using wscript.exe, while also adding the C:\Users directory to Windows Defender’s exclusion list and restarting the WinDefend service to suppress any alerts.

Content of the first PowerShell payload for Windows-based victims (Source – Validin)

The VBScript payload is an updated variant of Cabbage RAT that begins by collecting system details including the current username, hostname, operating system version, and installed browser extensions.

Content of the VBS payload revealing collection of system and user details (Source – Validin)

The addition of Google Chrome extension collection is a new capability clearly aimed at identifying installed cryptocurrency wallet extensions.

A notable change in this version is the introduction of a .lnk shortcut file placed in the Windows Startup folder, ensuring the malware runs every time the user logs in.

The RAT communicates with its command-and-control server, sending host data and awaiting coded responses: code “20” triggers a secondary encrypted payload, code “21” terminates execution, and code “22” serves as a keep-alive signal.

Security teams are advised to treat unexpected requests to run terminal commands during video calls as a serious red flag.

Organizations working in the cryptocurrency and Web3 space should verify the identity of meeting organizers through trusted, out-of-band channels before joining any session, and should monitor for unsigned scripts executing from temporary directories, unexpected Windows Defender exclusions, and outbound connections to domains mimicking Zoom or Google Meet naming patterns.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post North Korea-Linked UNC1069 Uses Fake Zoom and Teams Meetings to Hack Crypto Professionals appeared first on Cyber Security News.