UNC1069 GhostCall cryptocurrency social-engineering campaign
Campaign
Summary
Hide ▲
Show ▼
UNC1069 is actively targeting the cryptocurrency sector with a social-engineering campaign designed to steal credentials and data for financial theft. The operation uses compromised Telegram accounts, fake Zoom meetings, and a ClickFix infection vector to lure victims into a malicious trust-and-download flow. In some cases, the lure layer is reinforced with AI-generated video and deepfake-style footage to keep the call illusion convincing. The campaign has expanded across Windows and macOS and now drives multiple payloads that harvest browser data, session tokens, and iCloud Keychain credentials.
Related Happenings
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware ActivityAbout this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Hotel and hospitality photo-ZIP phishing campaign
Campaign
H score40
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
Hotel and hospitality photo-ZIP phishing campaign
CampaignAbout this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Timeline
-
11.02.2026 08:50 2 articles · 4mo ago
UNC1069 cryptocurrency social-engineering technical analysis
Technical Analysis UpdateNorth Korea-linked UNC1069 targets cryptocurrency-sector organizations and related personnel with a Telegram-led social-engineering chain that uses fake Zoom meetings, Calendly scheduling, and ClickFix-style commands to deliver WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, CHROMEPUSH, SILENCELIFT, and DEEPBREATH on Windows and macOS for credential theft, browser-data collection, session-token harvesting, and iCloud Keychain access.
Show sources
- North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations — thehackernews.com — 11.02.2026 08:50
- North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms — www.infosecurity-magazine.com — 11.02.2026 18:35