BIGMACHO
BIGMACHO is a backdoor used in social-engineering campaigns attributed to the North Korea-linked threat actor UNC1069, also tracked as CryptoCore and MASAN. Google Threat Intelligence Group and Mandiant reported that UNC1069 targeted the cryptocurrency and broader Web3 sector, including centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds, with the apparent objective of financial theft.
Observed delivery relied on impersonation and fake meeting workflows. UNC1069 approached victims on Telegram, sometimes using compromised accounts of legitimate entrepreneurs or startup founders and posing as venture capitalists or cryptocurrency executives. Victims were directed through Calendly scheduling to a fake Zoom meeting site, including the domain zoom.uswe05[.]us, where deepfake or reused video content was shown to simulate a live call. In the reported campaigns, BIGMACHO was distributed by masquerading as a Zoom software development kit (SDK). One campaign specifically used AI-generated deepfake videos impersonating cryptocurrency executives to lure victims into downloading the malicious Zoom SDK, which deployed the BIGMACHO backdoor.
The underlying reporting identifies BIGMACHO, with high confidence, as a backdoor associated with UNC1069's cryptocurrency-focused intrusion activity. It does not provide further technical detail on BIGMACHO's internal functionality, persistence mechanism, or command-and-control behavior beyond its classification as a backdoor and its delivery via the fake Zoom SDK lure.
Groups observed using it
2 distinct threat actors attributed by public researchers.
GTIG said it recently observed UNC1069 employing deepfake images and video lures ... to distribute a backdoor called BIGMACHO to victim systems under the guise of a Zoom software development kit (SDK).
...distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK).
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Backdoor delivered via social-engineering lures masquerading as a Zoom SDK, used to compromise victims in cryptocurrency-related targeting.
BIGMACHO is a backdoor deployed via a malicious Zoom SDK, distributed through social engineering campaigns involving AI-generated deepfake videos. It is used by North Korean threat actors for post-exploitation access.
Backdoor distributed via social engineering lures (including deepfakes) masquerading as a Zoom SDK, attributed in the report to UNC1069 activity.