Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
First reported
Last updated
Happening score
H score 37
2 unique sources, 2 articles

Summary

Hide ▲

UNC1069 is actively targeting the cryptocurrency sector with a social-engineering campaign designed to steal credentials and data for financial theft. The operation uses compromised Telegram accounts, fake Zoom meetings, and a ClickFix infection vector to lure victims into a malicious trust-and-download flow. In some cases, the lure layer is reinforced with AI-generated video and deepfake-style footage to keep the call illusion convincing. The campaign has expanded across Windows and macOS and now drives multiple payloads that harvest browser data, session tokens, and iCloud Keychain credentials.

Related Happenings

Trojanized Pyrogram forks with hidden Telegram backdoor

Malware Activity
H score14 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...

Hotel and hospitality photo-ZIP phishing campaign

Campaign
H score40 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

Timeline

  1. 11.02.2026 08:50 2 articles · 4mo ago

    UNC1069 cryptocurrency social-engineering technical analysis

    Technical Analysis Update

    North Korea-linked UNC1069 targets cryptocurrency-sector organizations and related personnel with a Telegram-led social-engineering chain that uses fake Zoom meetings, Calendly scheduling, and ClickFix-style commands to deliver WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, CHROMEPUSH, SILENCELIFT, and DEEPBREATH on Windows and macOS for credential theft, browser-data collection, session-token harvesting, and iCloud Keychain access.

    Show sources