UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
ID: 3019ec1e-8798-54ee-bc1f-05c3e64b8241
STIX ID: report--3019ec1e-8798-54ee-bc1f-05c3e64b8241
Feed Name: Threat Intelligence
This report describes a macOS intrusion involving three tools. DEEPBREATH is a Swift data miner that circumvents macOS TCC by staging and modifying TCC.db to grant itself broad file and keychain access, using Finder's Full Disk Access (FDA) and AppleScript for stealth. SUGARLOADER is a UNC1069-associated downloader that retrieves next-stage payloads from C2 servers (e.g., breakdream.com, dreamdie.com). CHROMEPUSH is a C++ native-messaging browser extension that exfiltrates cookies, credentials, and keystrokes from Chromium-based browsers.
