Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls

From February 6th, 2026, to April 7th, 2026, the Security Alliance (SEAL) has tracked and implemented a wallet-level block via eth-phishing-detect for 164 domains associated with the Democratic People's Republic of Korea (DPRK) threat actor group, designated as UNC1069. In light of recent incidents, such as the compromise of the "axios" npm package utilizing attack vectors consistent with UNC1069 - a group primarily targeting the cryptocurrency sector - SEAL is publishing a comprehensive list of DPRK-operated domains utilized in sophisticated social engineering attacks involving fraudulent Microsoft Teams and Zoom meetings.

The complete list of Indicators of Compromise (IOCs) is appended at the end of this document. This advisory also details the currently active Tactics, Techniques, and Procedures (TTPs) deployed by the attackers to facilitate malicious payload delivery and execution.

Key Takeaways

• From February 6th, 2026 to April 7th, 2026,, SEAL has attributed 164 blocked domains to UNC1069 (BlueNoroff), a DPRK-nexus threat actor with a sustained focus on the cryptocurrency and Web3 sectors.
• UNC1069 operates multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack - either impersonating known contacts or credible brands or by leveraging access to previously compromised company and individual accounts - before delivering a fraudulent Zoom or Microsoft Teams meeting link.
• The fake meeting UI is browser-based, built on legitimate SDKs, and visually indistinguishable from real Zoom or Teams meetings. No executable or installer is involved at the point of compromise; the initial payload is a single AppleScript (.scpt) download or a terminal copy-paste instruction.
• Once executed, the implant establishes persistence, assigns the victim a UUID, beacons to command and control (C2) infrastructure approximately every 60 seconds, and awaits operator-issued tasking - enabling fully modular and targeted post-exploitation activity.
• Post-compromise capabilities include credential theft, keylogging, session token harvesting, browser extension replacement, and full exfiltration of crypto wallets, password managers, Telegram sessions, SSH keys, and cloud credentials across macOS, Windows, and Linux.
• The group has historically targeted crypto founders, VCs, and high-visibility individuals. The demonstrated willingness to weaponize the npm/OSS supply chain (see, axios compromise) signals an intentional expansion toward open-source maintainers - a significantly higher-leverage attack surface.
• Victims' compromised accounts (Telegram, Slack, LinkedIn) are subsequently used to propagate attacks to their networks, compounding exposure across trust relationships built over years.

Social Engineering

UNC1069's social engineering methodology is defined by patience, precision, and the deliberate weaponization of existing trust relationships.

Initial Contact & Persona Construction

The initial contact originates from a compromised account belonging to someone the target already knows: a conference contact, a mutual introduction, a VC or BD counterpart. Because the attacker controls the victim's prior messaging history, they can resume conversations with full context - referencing past interactions, shared contacts, and relevant business topics. This prior context is the most disarming element of the attack; targets are not cold-approached but re-engaged.

Where a compromised account is unavailable, UNC1069 impersonates credible brands with a plausible reason to reach out. On LinkedIn, this takes the form of outreach from a relevant firm (GhostHire, GhostCall campaigns); on Slack, the actor constructs a pre-staged workspace to simulate a professional environment before any call takes place. However, both of these tactics are constantly evolving and should not be considered stable.

Meeting Scheduling & Pre-Call

Once contact is established, the actor proposes a call - typically via (legitimate) Calendly - and deliberately does not rush it. Calls are scheduled one to two weeks out, sometimes rescheduled. This extended timeline normalizes the interaction and eliminates the time-pressure targets might otherwise apply to evaluate risk.

The meeting link - a fraudulent Zoom or Microsoft Teams URL, masked behind a lookalike domain - is delivered via the same channel (Telegram, Slack, LinkedIn) shortly before the scheduled time.

On-Call Execution

The fake meeting UI loads entirely in-browser. It presents real video of the supposed participants - sourced from prior recordings or public content (conference talks, podcasts) - rendered via the legitimate Zoom or Teams SDK and styled to be visually identical to the real product. No application install is required. No executable is presented.

The hook is an audio issue on the target’s system. The target cannot hear the call. The UI surfaces a prompt to resolve this. Simultaneously, the attacker - operating the compromised or impersonated account on Telegram or Slack - messages the target directly:

"What's up?" "Oh, Zoom is acting up?" "Yeah, don't worry. I've had this happen before too." "You just need to update the SDK. It's very simple."

If the target expresses hesitation or skepticism, the attacker immediately de-escalates: "Just use the web version," "My company's security team checked it," "Don't worry." Screenshots are sometimes provided showing exactly what to click. The attacker is patient, reassuring, and technically credible.

This social layer - a real person actively coaching the target through the compromise in real time - is what distinguishes UNC1069's methodology from passive phishing.

Malware Payloads

Initial Delivery

The initial stage payload is intentionally minimal. Depending on the variant, the target either clicks a UI button in the fake meeting - triggering a download of a .scpt file (AppleScript) - or is instructed to paste a command into their terminal. In both cases, the visible code is padded with benign-looking lines to obscure the single malicious instruction. The dropper calls out to attacker-controlled infrastructure and retrieves the second-stage implant. Attackers are protective of their C2 infrastructure. It is designed for a single download per assigned UUID; if operators determine the interaction is with a security researcher or SOC team rather than a genuine victim, they will immediately disable the entire infrastructure.

Implant Behavior

The second-stage implant - observed in Nim-based variants as well as macOS-native formats — performs the following on execution:

• Assigns the host a UUID for individualized tracking and tasking
• Collects basic system reconnaissance (hardware, OS, running processes)
• Establishes persistence via standard macOS persistence mechanisms
• Begins beaconing to C2 infrastructure on an approximately 60-second interval

The beacon loop is simple: the implant wakes, checks in with the C2, and either receives a task to execute or sleeps and repeats. Critically, received tasks are executed directly and without validation - whatever the C2 returns is run. This design enables the operators to deliver arbitrary follow-on capability post-compromise, tailored to the specific victim.

Post-Compromise Modules

UNC1069 operates a modular post-exploitation framework. Operators review incoming victim data and selectively deploy modules based on assessed value. Observed and documented capabilities include:

• Full credential stealers — targeting browser-stored passwords, crypto wallet files, seed phrases, and API keys
• Keyloggers
• Session token harvesters — specifically targeting Telegram authentication tokens to enable account takeover and downstream propagation
• Password manager extraction — Keychain, 1Password, Bitwarden, Apple Notes
• Browser extension replacement — silently swapping legitimate extensions on disk with malicious equivalents
• SSH key and AWS credential exfiltration
• Custom payloads — operators have demonstrated willingness to write target-specific modules when standard tooling is insufficient

The platform scope is broad: macOS is the primary observed target surface given the prevalence of Apple hardware in the crypto/Web3 sector, but variants supporting Windows and Linux have been documented.

Post-Compromise

Operators deliberately do not act immediately following initial access. The implant is left dormant or passive for a period following compromise. The target typically reschedules the failed call and continues normal operations, unaware the device is compromised. This patience extends the operational window and maximizes the value extracted before any incident response is triggered.

IOCs

SEAL attributes to UNC1069 based on victim reports (both public and private), which allows us to consistently update detection signatures for utilized domains and hostnames. All Indicators of Compromise and Tactics, Techniques, and Procedures are then verified against the known profile of this particular threat actor group. Any deviations from the established group profiles are either deconflicted to prevent misattribution or used to update the existing profile (Adaptation).

[1] DNS A record set only on subdomain (teams.[root-domain].[tld])

[2] Hosts classified as “SEDO-AS SEDO GmbH” were either short lived or A record was only set for a specific subdomain. The historical DNS data coverage of such domains by different threat intelligence providers is highly variable. These domains were deployed in rapid bursts in what we suspect was attackers attempting to adapt to our detection techniques before changing domain naming patterns completely.

[3] Lower confidence

[4] used in axios’ developer attack