UNC1069: The Hackers Who Compromised Axios
Full Threat Actor Workup — Modus Operandi, Tooling & Attribution
Executive Summary
UNC1069 is a financially motivated North Korea-nexus advanced persistent threat (APT) group tracked by Google Mandiant since at least April 2018. Also known as CryptoCore, MASAN, Dangerous Password, and Leery Turtle, the group has evolved from rudimentary spear-phishing operations against traditional crypto exchanges into a sophisticated multi-stage threat actor wielding AI-generated deepfakes, ClickFix social engineering, and a bespoke multi-family malware arsenal.
As of March 31, 2026, UNC1069 was formally attributed by Google Threat Intelligence Group (GTIG) to the Axios npm package supply chain attack — one of the most impactful open-source supply chain compromises ever recorded, affecting a JavaScript library with over 100 million weekly downloads.
UNC1069 is assessed with high confidence to have a North Korea nexus and is believed to be associated with or share resources with BlueNoroff, a financially focused subunit of the broader Lazarus Group operating under North Korea’s Reconnaissance General Bureau (RGB). The group’s payload naming conventions — notably macWebT recovered during the Axios attack — directly link to BlueNoroff’s documented RustBucket webT module from 2023. While UNC1069 overlaps operationally with TraderTraitor (UNC4899/Jade Sleet), it is tracked as a distinct cluster with its own toolset and targeting patterns.
Targeting Profile
Sector Focus
UNC1069 has focused on the digital financial ecosystem since its earliest documented campaigns. Primary targets include:
· Cryptocurrency exchanges (centralized and decentralized)
· DeFi / Web3 platforms (staking, brokerage, wallet infrastructure)
· FinTech startups and payment companies
· Software developers at financial institutions
· Venture capital firms and their employees/executives
· High-technology companies with cryptocurrency exposure
Since at least 2023, the group deliberately pivoted away from traditional finance toward Web3 infrastructure, centralized exchanges (CEX), and the developer communities building those products. Individuals within the crypto sector — not just corporate entities — are directly targeted, with the actor harvesting victim identities and session data to fuel future social engineering campaigns.
Geographic Reach
Historically, CryptoCore-attributed campaigns targeted victims primarily in the United States and Japan. As the group matured under the UNC1069 designation, targeting expanded across North America, Europe, and Asia, with victims across payments, brokerage, staking, and wallet infrastructure verticals.
Evolution of Tactics (2018–2026)
Phase 1: Classic Spear-Phishing (2018–2022)
In its earliest phase the group relied on conventional spear-phishing. The operational pattern involved:
· Reconnaissance — Identifying executives and IT personnel at target exchanges and scraping personal/corporate email addresses
· Executive impersonation — Crafting spear-phishing emails that impersonated high-ranking employees
· Malicious links — Bitly-shortened links redirecting victims to threat-actor-controlled landing pages disguised as Google Drive folders
· Password manager harvesting — Stealing the victim’s password manager credentials, which held crypto-wallet private keys
During this period, the group stole an estimated minimum of $200 million in cryptocurrency from exchanges, predominantly in the United States and Japan. Despite being characterized as ‘not extremely technically advanced,’ the group was noted as ‘swift, persistent, and effective.’
Phase 2: Social Engineering via Fake Meetings (2023–2024)
Beginning around 2023, UNC1069 shifted from email-centric phishing to multi-platform social engineering, incorporating:
· Telegram account hijacking — Compromising accounts of legitimate crypto industry executives
· Fake Zoom meeting invitations — Using Calendly to schedule meetings, then redirecting victims to spoofed Zoom domains
· Investor impersonation — Posing as venture capitalists and crypto entrepreneurs to build rapport before deploying malware
· BIGMACHO backdoor distribution — Delivering a backdoor disguised as a legitimate Zoom SDK
Phase 3: AI-Augmented Campaigns (2025–Present)
GTIG’s November 2025 AI Threat Tracker documented UNC1069 crossing the threshold from using AI for productivity to deploying novel AI-enabled lures in active operations. Key advances include:
· Generative AI tooling — Using Google Gemini for operational research, reconnaissance, and lure material development
· Deepfake video lures — AI-generated video of known cryptocurrency CEOs during fake Zoom calls to create social proof
· AI image manipulation — Leveraging GPT-4o models to modify images for enhanced lure credibility
· ClickFix infection vector — Victims socially engineered into running malicious ‘troubleshooting’ commands on their own machines
Phase 4: Open-Source Supply Chain Attack (March 2026)
On March 31, 2026, UNC1069 executed the most strategically significant operation in its documented history — compromising the Axios npm package maintainer account and injecting a cross-platform Remote Access Trojan (RAT) into versions 1.14.1 and 0.30.4. This represented a fundamental capability shift: rather than targeting individual crypto sector employees, the group compromised infrastructure used by millions of developers globally.
The Axios Supply Chain Attack (March 2026)
Initial Compromise Vector
The attacker compromised the npm account (jasonsaayman) of the primary Axios package maintainer, changing the associated email to an attacker-controlled ProtonMail address (ifstap@proton.me). The malicious packages were live from approximately 00:21 UTC to 03:20 UTC on March 31, 2026 — a window of roughly three hours during which an estimated 600,000 downloads may have occurred.
Injection Mechanism: SILKBELL
The attacker introduced a malicious dependency named plain-crypto-js@4.2.1 into both poisoned Axios releases. This package’s postinstall hook silently executed an obfuscated JavaScript dropper (setup.js, SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), tracked as SILKBELL.
SILKBELL hides its C2 URL and execution commands behind a custom XOR-and-Base64 string obfuscation routine, and resolves the fs and os modules and child_process.execSync through the same routine at run time, so none of those names appear in clear text to static analysis. After dropping its payloads, SILKBELL attempts to delete itself and revert the modified package.json to destroy forensic evidence.
WAVESHAPER.V2 Backdoor
Across all platforms, the OS-specific payloads ultimately deploy WAVESHAPER.V2, an evolution of the WAVESHAPER backdoor previously attributed exclusively to UNC1069. WAVESHAPER.V2 is a cross-platform backdoor (C++ on macOS, PowerShell on Windows, Python on Linux) with the following capabilities:
· System Reconnaissance — Exfiltrates hostname, username, OS version, boot time, timezone, running process list
· Command Execution — Supports arbitrary shell commands, in-memory PE injection, and script execution
· File System Enumeration — Recursively traverses directories and returns detailed file metadata to C2
· C2 Beaconing — Sends Base64-encoded JSON to the C2 server over TCP port 8000 at 60-second intervals, using the hardcoded User-Agent mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
· Windows Persistence — Creates a hidden batch file (%PROGRAMDATA%\system.bat) and writes a MicrosoftUpdate registry run key
Attribution Nexus
GTIG’s attribution to UNC1069 rests on two pillars: (1) Malware lineage — WAVESHAPER.V2 is a direct evolution of WAVESHAPER, sharing identical C2 polling behaviors, the same uncommon User-Agent string, and identical temporary staging directories. (2) Infrastructure overlap — The C2 domain sfrclak[.]com (resolving to 142.11.206.73) was traced to connections from an AstrillVPN node previously used by UNC1069, with adjacent infrastructure on the same ASN historically linked to the group.
Social Engineering Deep Dive (February 2026 FinTech Intrusion)
Stage 1: Account Hijack & Trust Building
The victim was contacted via Telegram through the compromised account of a legitimate cryptocurrency company executive. The true account owner had posted warnings on another social media platform that their Telegram had been hijacked — a pattern UNC1069 exploits, banking on the hijack going unnoticed by newer contacts. Operators engaged in extended rapport-building before action, a hallmark of the group’s patience-based methodology.
Stage 2: Fake Zoom Meeting
A Calendly link was sent to schedule a 30-minute meeting. The link directed to a spoofed Zoom domain on threat actor infrastructure: zoom[.]uswe05[.]us. During the call, the victim reported seeing an AI-generated deepfake video of a known cryptocurrency company CEO — used to create social proof and establish authoritative context before the attack’s next stage.
Stage 3: ClickFix Infection
The fake call manufactured an ‘audio issues’ pretext and directed the victim to a web page offering platform-specific ‘troubleshooting’ commands. The commands were designed to look like routine fixes but carried the actual infection command.
The infection chain deployed seven distinct malware families in a single intrusion, an unusually heavy toolset consistent with a highly targeted operation designed to harvest the maximum amount of credential and session data.
HYPERCALL & HIDDENCALL: Integrated Attack Lifecycle
HYPERCALL (Go-based downloader) and HIDDENCALL (Go-based backdoor) form a unified, synchronized attack lifecycle — evidenced by forensic observations of HYPERCALL reflectively injecting HIDDENCALL into system memory, shared code structure with identical t_ function naming conventions, and shared project file paths indicating a unified development environment. HYPERCALL accepts its C2 URL as a command-line argument, encrypts its configuration with a hardcoded 16-byte RC4 key, and communicates over WebSocket (TCP port 443). Observed C2 servers included wss://supportzm[.]com and wss://zmsupport[.]com.
DEEPBREATH: TCC Bypass Methodology
DEEPBREATH is one of UNC1069’s most technically sophisticated tools. Written in Swift, it bypasses macOS’s Transparency, Consent, and Control (TCC) privacy framework through a three-step process:
· Staging — Leverages Finder (which holds Full Disk Access by default) to rename the TCC folder and copy TCC.db to a temporary staging location
· Permission Injection — Programmatically inserts permissions into the staged database, granting itself broad access to Desktop, Documents, and Downloads
· Restoration — Restores the modified database to its original location, giving DEEPBREATH seamless access without triggering user permission prompts
Targeted data includes: iCloud Keychain credentials, Chrome/Brave/Edge browser cookies/login data/extension settings, Telegram user data (both versions), and Apple Notes databases.
CHROMEPUSH: Browser Extension Persistence
CHROMEPUSH installs itself as a native messaging host for Chromium-based browsers, masquerading as the helper of a ‘Google Docs Offline’ editing extension. It registers a host manifest named com.google.docs.offline.json in the browser’s NativeMessagingHosts directory, so the browser launches the host on the extension’s behalf whenever Chrome or Brave starts. Capabilities include keystroke logging (toggled by the key_on JSON flag), cookie theft (coo_on) and screenshot capture (cap_on). Collected data is staged under $HOME/Library/Application Support/com.apple.os.receipts/ and uploaded to the C2 server via HTTP POST.
Financial Impact & Scale
The cumulative financial toll of UNC1069 / CryptoCore operations is significant. Between 2018 and 2020, the group stole an estimated minimum of $200 million from cryptocurrency exchanges, primarily U.S.- and Japan-based. Within the broader DPRK cyber ecosystem, North Korean state-affiliated groups (of which UNC1069 is one cluster) stole a record $2.02 billion in cryptocurrency in 2025 alone, representing approximately 60% of all reported global crypto thefts.
The Axios attack carries potential for cascading downstream impact: with an estimated 600,000 downloads during the three-hour exposure window, compromised developer environments could yield AWS/GitHub API keys, cloud credentials, and session tokens enabling further supply chain poisoning, SaaS account takeovers, and direct cryptocurrency theft.
GTIG Chief Analyst John Hultquist stated: ‘Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.’
Key Differentiators vs. Peer DPRK Groups
While UNC1069 shares the DPRK financial crime ecosystem with groups like TraderTraitor (UNC4899/Jade Sleet), several characteristics distinguish it:
· AI adoption velocity — UNC1069 was specifically flagged by GTIG as a leader in transitioning from AI-assisted text generation to AI-enabled live operational lures (deepfake video in active intrusions)
· macOS specialization — The group’s custom Swift, Go, and C++ toolchain is explicitly macOS-first, suggesting dedicated macOS development resources
· Supply chain ambition — The Axios attack marks UNC1069’s first confirmed large-scale open-source package poisoning, representing a strategic escalation beyond targeted individual/corporate attacks
· Data harvesting depth — Deploying seven malware families on a single host to simultaneously capture credentials, session tokens, keystrokes, screenshots, messaging data, and browser data reflects a data-maximalist philosophy uncommon even among sophisticated APTs
Defender Recommendations
Immediate Actions — Axios Attack
· Do NOT use axios versions 1.14.1 or 0.30.4; roll back to 1.14.0 or 0.30.3 or earlier
· Inspect lockfiles for plain-crypto-js versions 4.2.0 or 4.2.1
· Block network traffic to sfrclak[.]com and 142.11.206.73
· If plain-crypto-js is detected, assume full compromise — rotate all credentials and secrets on the affected machine
· Clear local and shared npm/yarn/pnpm caches on all workstations and build servers
Broader Hardening Against UNC1069 TTPs
· Developer environment isolation — Run development environments in containers or VMs that restrict host filesystem access; keep secrets out of plaintext files by using the OS keychain or a tool such as aws-vault
· Dependency pinning — Commit package-lock.json and install with npm ci so builds resolve only the locked versions; run install steps with --ignore-scripts wherever the project does not need lifecycle hooks, since the Axios payload ran from a postinstall hook
· Social engineering awareness — Train personnel on ClickFix attacks; enforce a policy of never pasting terminal commands from external sources during video calls
· Telegram / messaging security — Treat unsolicited meeting invitations via Telegram with extreme scrutiny; verify video call domains before joining
· macOS TCC monitoring — Alert on unauthorized modifications to TCC.db and unexpected Finder-based file operations in sensitive directories
· Browser extension auditing — Monitor Chrome/Brave native messaging host directories for unauthorized additions
· EDR deployment on developer workstations — Key detections: macOS TCC Database Manipulation, Chrome Native Messaging Directory, Suspicious Web Downloader Pipe to ZSH, Telegram Session Data Staging
Conclusion
UNC1069 represents a mature, adaptive, and strategically patient North Korean financial cyber threat actor whose operational ceiling has demonstrably expanded with each documented campaign. The progression from targeted spear-phishing ($200M+ over two years) through AI-assisted deepfake social engineering to a weaponized open-source supply chain attack affecting 100 million+ weekly downloads in a single operation illustrates the group’s willingness to escalate ambition alongside capability.
The Axios attack in particular signals that UNC1069 is no longer confining itself to the cryptocurrency sector’s human attack surface — it is now targeting the foundational developer infrastructure that underlies that sector, with ripple-effect implications across enterprise software, SaaS, and cloud environments globally. Defenders must treat developer workstations as high-value targets equivalent to privileged enterprise accounts.