Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls
2026-04-08 • Security Alliance
https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/
SEAL attributed 164 blocked domains observed from February to April 2026 to DPRK-nexus UNC1069, also described as BlueNoroff, in campaigns targeting cryptocurrency and Web3 users. The actor conducts patient social engineering over Telegram, LinkedIn, and Slack, often from compromised trusted accounts, then lures victims into fake browser-based Microsoft Teams or Zoom meetings. The infection flow uses audio-problem prompts to push an AppleScript download or terminal copy-paste command, after which an implant assigns a UUID, establishes persistence, beacons roughly every 60 seconds, and receives operator tasking. Reported post-compromise modules include credential theft, keylogging, session token harvesting, browser extension replacement, and exfiltration of crypto wallets, password managers, Telegram sessions, SSH keys, and cloud credentials. The advisory also warns that the actor’s willingness to weaponize npm and open-source supply-chain access expands risk beyond direct crypto executives to maintainers and developer communities.
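The roughly 60-second beacon interval described above lends itself to a periodicity check over proxy or DNS logs. The following is an added example, not code from the advisory or from SEAL; the log format, host names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log ("<UTC time> <client> <destination>"); all
# hostnames are placeholders, not indicators from the advisory.
SAMPLE_LOG = """\
2026-04-08T10:00:00Z mac-017 c2-placeholder.example
2026-04-08T10:00:12Z mac-017 cdn.example.org
2026-04-08T10:00:40Z mac-017 cdn.example.org
2026-04-08T10:01:01Z mac-017 c2-placeholder.example
2026-04-08T10:01:59Z mac-017 c2-placeholder.example
2026-04-08T10:03:02Z mac-017 c2-placeholder.example
2026-04-08T10:04:00Z mac-017 c2-placeholder.example
2026-04-08T10:05:00Z mac-022 updates.example.net
2026-04-08T10:05:01Z mac-017 c2-placeholder.example
2026-04-08T10:07:15Z mac-017 cdn.example.org
2026-04-08T10:10:00Z mac-022 updates.example.net
2026-04-08T10:15:00Z mac-022 updates.example.net
2026-04-08T10:20:00Z mac-017 cdn.example.org
2026-04-08T10:20:00Z mac-022 updates.example.net
2026-04-08T10:25:00Z mac-022 updates.example.net
2026-04-08T10:31:30Z mac-017 cdn.example.org
"""

def find_beacons(log_text, period=60, tolerance=10, min_gaps=4, min_regular=0.8):
    """Return (client, destination, median_gap_s) for pairs whose request
    gaps cluster around `period` seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        seen[(parts[1], parts[2])].append(ts)
    hits = []
    for (client, dest), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue  # too few samples to call it periodic
        regular = sum(abs(g - period) <= tolerance for g in gaps) / len(gaps)
        if regular >= min_regular:
            hits.append((client, dest, median(gaps)))
    return hits

if __name__ == "__main__":
    for client, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: median gap {gap:.0f}s")
```

The `min_regular` fraction lets a pair still match when a few check-ins are missed or delayed; legitimate pollers on a similar cadence will also match, so hits need triage against known software before escalation.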
Indicators of Compromise