UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
Happening score: 40
2 unique sources, 2 articles

Summary

UNC1069 is actively targeting the cryptocurrency sector with a social-engineering campaign designed to steal credentials and data for financial theft. The operation uses compromised Telegram accounts, fake Zoom meetings, and a ClickFix infection vector to lure victims into a malicious trust-and-download flow. In some cases, the lure layer is reinforced with AI-generated video and deepfake-style footage to keep the call illusion convincing. The campaign has expanded across Windows and macOS and now drives multiple payloads that harvest browser data, session tokens, and iCloud Keychain credentials.

Related Happenings

Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT

Campaign
First: 04.05.2026 14:57 Last: 04.05.2026 14:57 Sources 1

About this happening: **Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

Hugging Face Spaces vsccode-modetx dropper campaign

Campaign
First: 16.04.2026 19:58 Last: 16.04.2026 19:58 Sources 1

About this happening: The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An att...

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
First: 16.04.2026 14:02 Last: 16.04.2026 14:02 Sources 1

About this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Timeline

  1. 11.02.2026 08:50 · 2 articles

    UNC1069 cryptocurrency social-engineering technical analysis

    Technical Analysis Update

    North Korea-linked UNC1069 targets cryptocurrency-sector organizations and related personnel with a Telegram-led social-engineering chain that uses fake Zoom meetings, Calendly scheduling, and ClickFix-style commands to deliver WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, CHROMEPUSH, SILENCELIFT, and DEEPBREATH on Windows and macOS for credential theft, browser-data collection, session-token harvesting, and iCloud Keychain access.