North Korean Hackers Steal Crypto Using Malware on macOS & Windows - Users on Alert

Crypto News - Posted on 12 February 2026

A North Korea-affiliated hacking group known as UNC1069 has conducted a targeted campaign utilizing artificial intelligence (AI)-generated videos and the ClickFix technique—a newly emerging cyberattack method that deceives victims into executing malicious software (malware). The operation aims to distribute malware targeting macOS and Windows systems within the cryptocurrency sector.

The threat actor’s objective is financial gain, as reflected in the tools deployed during attacks on financial technology (fintech) companies. The activity was uncovered through an investigation conducted by cybersecurity researchers at Mandiant, a Google subsidiary.

During the investigation, researchers identified seven distinct macOS malware families and attributed the attacks to UNC1069, a threat group they have been tracking since 2018. The campaign incorporated significant elements of social engineering, with victims contacted via Telegram messages sent from a compromised account belonging to a cryptocurrency company executive.

After establishing rapport, the hackers shared a link from Calendly, a scheduling platform, that redirected victims to a fake Zoom meeting page hosted on attacker-controlled infrastructure. According to the targeted individuals, the attackers displayed a deepfake video (AI-manipulated content) featuring the chief executive officer (CEO) of another cryptocurrency firm.

“Once inside the ‘meeting,’ the fake video call created the impression that the end user was experiencing audio issues,” Mandiant researchers stated, as quoted by Bleeping Computer on Wednesday (11/2/2026).

Using this pretext, the attackers instructed victims to resolve the issue by executing commands displayed on a webpage. Mandiant found that the page contained instructions for both Windows and macOS systems that would initiate the infection chain.

Meanwhile, researchers from cybersecurity firm Huntress documented a similar attack method in mid-2025 and linked it to BlueNoroff—another North Korean hacking group also known as Sapphire Sleet—which targeted macOS systems using a series of different payloads.

Source: bloombergtechnoz.com/
