UNC1069

"attributed to UNC1069, a financially motivated threat actor active since at least 2018"

"Google Threat Intelligence Group has also attributed the attack to UNC1069, a suspected North Korean threat actor"

"UNC1069 is known to use tools like Gemini to develop tooling, conduct operational research, and assist during the reconnaissance stages"

"GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor."

"GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018."

"Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operation"

"Various researchers have pointed to links in the attack to DPRK infrastructure, with Google attributing the incident specifically to UNC1069, a financially motivated North Korean threat actor active since at least 2018."

"identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations"

"Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry"

"Analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities"

"the actor shares techniques with North Korean groups such as UNC1069, also known as Sleet"