UNC1069 Targets Cryptocurrency Sector With New Tooling and AI-Enabled Social Engineering

    Date: 02/10/2026

    Severity: High

    Summary

    North Korean threat actors continue to refine their tactics against cryptocurrency and DeFi organizations. A recent investigation examined an intrusion at a FinTech entity in this sector and attributed it to UNC1069, a financially motivated North Korean threat actor active since at least 2018. The intrusion deployed seven distinct malware families, including three new tools (SILENCELIFT, DEEPBREATH, and CHROMEPUSH) used to collect host and victim data. Initial access relied on social engineering: a compromised Telegram account, a fake Zoom meeting hosted on lookalike Zoom support domains, a ClickFix-style prompt that tricks the victim into running commands themselves, and AI-generated video deception.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    breakdream.com

    cmailer.pro

    dreamdie.com

    mylingocoin.com

    support-zoom.us

    supportzm.com

    zmsupport.com

    zoom.uswe05.us

    Hashes (SHA-256):

    03f00a143b8929585c122d490b6a3895d639c17d92c2223917e3a9ca1b8d30f9

    18f90dd545ae3e02e235757607b0ad3b7187940e2b172e56bafe27e8d76b4627

    1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede

    27725770f817b328482828c8dbdf982436dec1cc0c314f8ab812e3025a721867

    5e85bc4344cffb6a03084d304b3bf685e8c57e4685658686249746298af933b8

    5ee81c42bacce407684966501e0862d8a7506341d5cb41423ceb6b4679ab9f10

    603848f37ab932dccef98ee27e3c5af9221d3b6ccfe457ccf93cb572495ac325

    6416ddf98377506aae13136303bcc80547454faf7a75c51e8c4a61bef174a5ae

    67b2213a8721835f8547aaabe23acbd66b155eb57d9cb1934eb67c7b9a21e031

    6e9aad32f3ea1200e822dfc4a6df5db62d69b95e8dab15acce99610cb55c9ab1

    7fb8fcdfce6f6e576ddfee9ef8b588164ed88f1516c5e893df9c7b59528f2b68

    b452c2da7c012eda25a1403b3313444b5eb7c2c3e25eee489f1bd256f8434735

    b525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d

    b7ab0805bd4c4fc3fefd63a3f5a0bc97f8b87ecb05ed93504dd9b125bf957876

    c3e5d878a30a6c46e22d1dd2089b32086c91f13f8b9c413aa84e1dbaa03b9375

    c8f7608d4e19f6cb03680941bbd09fe969668bcb09c7ca985048a22e014dffcd

    f2376294754586e1e3cedc81ae799e1771b5ad634335c183c6b0c889bd526623

    f4415462850701d502d3cd218f1bf98ca28e6129347593edb601e6f37d6cf5c1

    f842923e11a329e510c07f55c87d196896ffb86abb95e94f0ddff1a795932bdb

    Hashes (MD5):

    4e4f2dfe143ba261fd8a18d1c4b58f2e

    8af969db3b5c2232e853eadbf3c5cf04

    a563982f2c2478708eeb85b3f552c4d0

    a7ec87e92393cb3f97ea7353ad00f21a

    cbe308fa402b1f736c629837d6e23449

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "cmailer.pro" or url like "cmailer.pro" or siteurl like "cmailer.pro" or domainname like "mylingocoin.com" or url like "mylingocoin.com" or siteurl like "mylingocoin.com" or domainname like "zoom.uswe05.us" or url like "zoom.uswe05.us" or siteurl like "zoom.uswe05.us" or domainname like "zmsupport.com" or url like "zmsupport.com" or siteurl like "zmsupport.com" or domainname like "supportzm.com" or url like "supportzm.com" or siteurl like "supportzm.com" or domainname like "support-zoom.us" or url like "support-zoom.us" or siteurl like "support-zoom.us" or domainname like "breakdream.com" or url like "breakdream.com" or siteurl like "breakdream.com" or domainname like "dreamdie.com" or url like "dreamdie.com" or siteurl like "dreamdie.com"

    Detection Query 2 :

    sha256hash IN ("1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede","b525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d","03f00a143b8929585c122d490b6a3895d639c17d92c2223917e3a9ca1b8d30f9","18f90dd545ae3e02e235757607b0ad3b7187940e2b172e56bafe27e8d76b4627","27725770f817b328482828c8dbdf982436dec1cc0c314f8ab812e3025a721867","5e85bc4344cffb6a03084d304b3bf685e8c57e4685658686249746298af933b8","5ee81c42bacce407684966501e0862d8a7506341d5cb41423ceb6b4679ab9f10","603848f37ab932dccef98ee27e3c5af9221d3b6ccfe457ccf93cb572495ac325","6416ddf98377506aae13136303bcc80547454faf7a75c51e8c4a61bef174a5ae","67b2213a8721835f8547aaabe23acbd66b155eb57d9cb1934eb67c7b9a21e031","6e9aad32f3ea1200e822dfc4a6df5db62d69b95e8dab15acce99610cb55c9ab1","7fb8fcdfce6f6e576ddfee9ef8b588164ed88f1516c5e893df9c7b59528f2b68","b452c2da7c012eda25a1403b3313444b5eb7c2c3e25eee489f1bd256f8434735","b7ab0805bd4c4fc3fefd63a3f5a0bc97f8b87ecb05ed93504dd9b125bf957876","c3e5d878a30a6c46e22d1dd2089b32086c91f13f8b9c413aa84e1dbaa03b9375","c8f7608d4e19f6cb03680941bbd09fe969668bcb09c7ca985048a22e014dffcd","f2376294754586e1e3cedc81ae799e1771b5ad634335c183c6b0c889bd526623","f4415462850701d502d3cd218f1bf98ca28e6129347593edb601e6f37d6cf5c1","f842923e11a329e510c07f55c87d196896ffb86abb95e94f0ddff1a795932bdb")

    Detection Query 3 :

    md5hash IN ("4e4f2dfe143ba261fd8a18d1c4b58f2e","8af969db3b5c2232e853eadbf3c5cf04","a563982f2c2478708eeb85b3f552c4d0","a7ec87e92393cb3f97ea7353ad00f21a","cbe308fa402b1f736c629837d6e23449")
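    The three queries above match on exact file hashes and on substring matches against domain fields. To show what that does and does not catch, the following Python matcher runs the page's indicators over a few constructed log events. It is an example added here, not code from the original page, from Gurucul, or from Google: it applies the domain indicators with a DNS-label boundary (so `cdn.breakdream.com` is a hit while `notdreamdie.com` is not, whereas a plain substring test flags both), lower-cases digests before comparison, and tells MD5 from SHA-256 by length. The field names (`domainname`, `url`, `siteurl`, `sha256hash`, `md5hash`) mirror the queries; the sample events and the hash subset are constructed for the example, and the full hash list from this page would be loaded the same way.

```python
"""Offline IOC matcher for the indicators on this page (added example, not Gurucul's code)."""
import re
from urllib.parse import urlsplit

# Domains copied from the IOC list on this page.
IOC_DOMAINS = frozenset({
    "breakdream.com", "cmailer.pro", "dreamdie.com", "mylingocoin.com",
    "support-zoom.us", "supportzm.com", "zmsupport.com", "zoom.uswe05.us",
})

# A subset of the file hashes from the IOC list (three SHA-256, two MD5); the full
# list is loaded the same way. Digest kinds are kept in one set and told apart by length.
IOC_HASHES = frozenset(h.lower() for h in {
    "03f00a143b8929585c122d490b6a3895d639c17d92c2223917e3a9ca1b8d30f9",
    "1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede",
    "f842923e11a329e510c07f55c87d196896ffb86abb95e94f0ddff1a795932bdb",
    "4e4f2dfe143ba261fd8a18d1c4b58f2e",
    "cbe308fa402b1f736c629837d6e23449",
})

_HEX = re.compile(r"^[0-9a-f]+$")
_HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1', 'sha256' or None for a hex digest, judged by length."""
    v = value.strip().lower()
    if not _HEX.match(v):
        return None
    return _HASH_KIND.get(len(v))


def host_of(value):
    """Extract a lower-cased hostname from a URL or a bare host (port/userinfo dropped)."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v          # let urlsplit treat a bare host as the network location
    return urlsplit(v).hostname or ""


def domain_match(host, iocs=IOC_DOMAINS):
    """Return the IOC domain that `host` equals or sits under, else None.
    The label boundary matters: 'cdn.breakdream.com' hits, 'notdreamdie.com' does not."""
    host = host.rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def substring_match(host, iocs=IOC_DOMAINS):
    """What a plain `like "<domain>"` substring test does: no label boundary at all."""
    for ioc in iocs:
        if ioc in host:
            return ioc
    return None


DOMAIN_FIELDS = ("domainname", "url", "siteurl")   # same field names as Query 1
HASH_FIELDS = ("sha256hash", "md5hash")            # same field names as Queries 2 and 3


def scan_event(event):
    """Check one log event (field -> value) against the IOC sets; return (field, indicator) hits."""
    hits = []
    for field in DOMAIN_FIELDS:
        if field in event:
            ioc = domain_match(host_of(event[field]))
            if ioc:
                hits.append((field, ioc))
    for field in HASH_FIELDS:
        if field in event:
            digest = event[field].strip().lower()
            if classify_hash(digest) and digest in IOC_HASHES:
                hits.append((field, digest))
    return hits


def scan_events(events):
    """Return [(index, hits)] for every event that produced at least one hit."""
    return [(i, h) for i, e in enumerate(events) if (h := scan_event(e))]


# Constructed sample events; values are made up for this example.
SAMPLE_EVENTS = [
    {"url": "https://support-zoom.us/j/8810445?pwd=abc"},   # lookalike Zoom domain -> hit
    {"domainname": "cdn.breakdream.com"},                     # subdomain of an IOC -> hit
    {"domainname": "notdreamdie.com"},                        # substring-only lookalike -> no hit
    {"siteurl": "https://zoom.us/j/8810445"},                 # legitimate Zoom -> no hit
    {"sha256hash": "03F00A143B8929585C122D490B6A3895D639C17D92C2223917E3A9CA1B8D30F9"},  # upper-case
    {"md5hash": "cbe308fa402b1f736c629837d6e23449"},          # MD5 indicator -> hit
    {"sha256hash": "0" * 64},                                 # unknown file -> no hit
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(idx, hits)
```

    Run the script directly to print the hits. The hash indicators are the most brittle part of the list, since any rebuild of the tooling changes every digest; the lookalike Zoom domains, and new subdomains under them, are the more durable signal, which is why the matcher anchors on the registered domain rather than on the exact hostname.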

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering


    Tags

    Malware, Threat Actor, cryptocurrency, Social Engineering, North Korea, Financial Services, ClickFix, Telegram
