Saved February 14, 2026
Do you care about this?
The North Korean group UNC1069 has intensified its focus on financial institutions, employing advanced AI tools for social engineering attacks. They utilize new malware to exploit vulnerabilities and steal sensitive data from victims, including credentials and browser information.
If you do, here's more
North Korean threat actor group UNC1069 has intensified its focus on financial institutions, particularly in the cryptocurrency and decentralized finance sectors. They are employing advanced AI-driven social engineering tactics combined with a new malware arsenal to execute their attacks. Among the tools identified are DEEPBREATH, which steals sensitive data from macOS applications, and CHROMEPUSH, a browser extension that captures keystrokes and credentials by impersonating a Google Docs offline editor. The group's strategy has evolved from traditional spear-phishing to targeting Web3 entities, including centralized exchanges and venture capital firms.
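A defender-side check added here (not code from the Mandiant report or this page): a credential-capturing extension that poses as the Docs offline editor has to inject into pages well beyond docs.google.com, so the script below flags installed Chrome/Chromium extensions whose name mimics that lure while their manifest asks for every-site access. The lure names, the broad-host heuristic, the `<id>/<version>/manifest.json` profile layout and the two sample manifests are assumptions I constructed, not UNC1069 artefacts.

```python
import json
from pathlib import Path

# Host patterns that grant an extension access to every page (assumed heuristic).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Name fragments used as the lure (assumed; the page only says "Google Docs offline editor").
LURE_NAMES = ("docs offline", "google docs")


def suspicious_hosts(manifest: dict) -> set:
    """Return the broad host patterns requested via host_permissions or content_scripts."""
    scopes = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        scopes.update(script.get("matches", []))
    return scopes & BROAD_HOSTS


def is_impostor(manifest: dict) -> bool:
    """Name mimics the offline Docs editor but the extension can read/inject on any site."""
    name = manifest.get("name", "").lower()
    return any(lure in name for lure in LURE_NAMES) and bool(suspicious_hosts(manifest))


def scan_extensions_dir(ext_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return flagged extension ids."""
    flagged = []
    for manifest_path in ext_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        if is_impostor(manifest):
            flagged.append(manifest_path.parts[-3])  # the extension id directory
    return flagged


# Constructed sample manifests: a Google-domain-scoped editor and a look-alike with <all_urls>.
LEGIT = {"name": "Google Docs Offline", "manifest_version": 3,
         "content_scripts": [{"matches": ["https://docs.google.com/*",
                                          "https://drive.google.com/*"], "js": ["app.js"]}]}
IMPOSTOR = {"name": "Google Docs Offline", "manifest_version": 3,
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                                 "run_at": "document_start"}]}

if __name__ == "__main__":
    import sys
    for m in (LEGIT, IMPOSTOR):
        print(m["name"], "->", "SUSPICIOUS" if is_impostor(m) else "ok", sorted(suspicious_hosts(m)))
    if len(sys.argv) > 1:  # optional: path to a real profile's Extensions directory
        print(scan_extensions_dir(Path(sys.argv[1])))
```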
Mandiant's findings reveal that UNC1069 has deployed multiple malware families, with SUGARLOADER being the only previously known tool. Their approach now includes ClickFix attacks, utilizing fake error messages and CAPTCHA prompts to trick users into running malicious code. The scale and sophistication of their operations highlight a systematic effort to harvest sensitive information, such as credentials and session tokens, to facilitate cryptocurrency theft and further social engineering campaigns.
Indicators of compromise linked to UNC1069 include various domains used for hosting malware and command-and-control communications. These domains have played key roles in initial infections and ongoing operations. As the group continues to refine its techniques, the threat to financial entities remains significant, underscoring the need for heightened vigilance in cybersecurity measures within these sectors.