Hackers Deploy 7 Malware Families With AI Deepfakes
North Korea-linked threat actors are deploying a sophisticated new wave of attacks against the cryptocurrency and fintech sectors, according to a report from Google Cloud's Mandiant division. A group tracked as UNC1069 has been observed using seven distinct malware families, including newly discovered tools named SILENCELIFT, DEEPBREATH, and CHROMEPUSH, specifically engineered to capture and exfiltrate data from victims.
This campaign marks a significant evolution in tactics, incorporating artificial intelligence to enhance its effectiveness. Mandiant reports that the group began using "AI-enabled lures" in active operations in November 2025, allowing it to scale its social engineering efforts. The primary targets include cryptocurrency firms, venture capital investors, and software developers.
Social Engineering Leverages Fake Zoom Meetings
The attackers' methods rely on elaborate social engineering schemes. In one detailed intrusion, the operatives used a compromised Telegram account belonging to a cryptocurrency founder to establish contact with a target. The victim was then invited to a Zoom meeting where the attacker, using a deepfake video, feigned audio problems to build a pretext for the attack.
This tactic, dubbed a "ClickFix" attack, involves tricking the victim into running what appear to be troubleshooting commands to fix the non-existent audio issue. According to Mandiant, these commands contain a hidden script that initiates the malware infection chain, granting the attackers access to the host system and its data.
North Korea Linked to $1.4B in Past Crypto Heists
These recent activities are part of a long-standing pattern of cybercrime attributed to North Korean state-sponsored groups. These actors represent a persistent and costly threat to the digital asset industry. The notorious Lazarus Group, another entity with ties to North Korea, was previously linked to the $1.4 billion hack of the Bybit exchange, one of the largest cryptocurrency thefts on record.
Other documented incidents reinforce the severity of the threat. In June 2025, four North Korean operatives who had infiltrated multiple crypto startups as freelance developers were found to have stolen a cumulative $900,000 from the firms. These events underscore the consistent and evolving danger posed by these groups to the security and stability of the Web3 ecosystem.