Security Alliance

From Safe Harbor protections to threat intel sharing to incident response coordination -- our programs exist because the community needed them and no one else was building them. Help us keep the working going: securityalliance.org/donate

The initial payload is a single .scpt (AppleScript) file - downloaded via a button in the fake meeting UI. The code is padded with benign-looking lines to obscure one malicious instruction. Executing it results in full machine compromise.

The fake meeting UI loads in-browser, visually identical to Zoom/Teams. The target cannot hear the call and is prompted to fix the audio - while the attacker simultaneously messages them, coaching them through the compromise in real time.

⚠️Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls DPRK (UNC1069) is expanding beyond the crypto sector - we are publishing 164 IOCs and detailing their currently active social engineering approaches. radar.securityalliance.org/advisory-on-dp…

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨 Multiple DPRK (UNC1069) Fake "Microsoft Teams" domains deployed on 2026-04-07 - Beware of impersonations and restarted conversations. micrusoft[.]us teams-meet[.]xyz teams-meet[.]us[.]com Check meeting destination URLs - apps like Telegram or Slack may disguise them.

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨DPRK (UNC1069) Fake "Microsoft Teams" domain deployed at 2026-04-06T17:33:40.899Z uk05live[.]us Always inspect destination URLs. URL displayed in applications such as Telegram or Slack may not match the destination URL.

Security is foundational to Web3. 🔒 @_SEAL_Org is the leading team pushing that frontier forward and securing the future of our entire ecosystem. 🙌 We’re very proud to partner with SEAL and power their efforts with the tools needed to protect users at scale.

💫 Tech Partner Spotlight 💫 This month, we're recognizing @tenderlyapp for supporting @_SEAL_org with access to Developer Explorer, Debugger, and Virtual Testnets. Their contribution helps us investigate exploits for threat intel & conduct research + experiments across our initiatives. If your company wants to support our mission: SecurityAllance.org/donate

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨 DPRK (UNC1069) Fake "Microsoft Teams" domain deployed at 2026-04-06T01:32:46.722Z onlivemeet[.]com Always inspect destination URLs. URL displayed in applications such as Telegram or Slack may not match the destination URL.

@adamthesalmon @RobAnon @BraveDeFi frameworks.securityalliance.org/certs/overview

@RobAnon I agree. I heard someone is building a cert and a checklist that they go through. I think @_SEAL_Org or @BraveDeFi is involved.

It’s time that we as an industry embrace a certain level of operational security standardization. DeFi systems need their SOC2/ISO equivalents. Know a few people who are CCSSA Certified - going to be reaching out to them about this. If you’re a DeFi founder and want to help put together a consortium to find and adopt a standard, drop me a DM

@duelinggalois @0x_RWA @RobAnon We've conducted gap analysis with 20+ protocols & formalized certification criteria, now in active pilots + in ongoing discussions with @NIST to align with existing standards. Want to get involved? Contact @isaacpatka.

@0x_RWA @RobAnon @_SEAL_Org I am not sure what the current status is after the request for comment, but it is a proposed standard that you can go read and make comments on as of the tweet.

6/ 🙏 Thanks to @LidoFinance for contributing battle-tested templates and practice insights that make incident response preparation practical & immediately implementable. 🔗 Start building/strengthening your response capabilities today: frameworks.securityalliance.org/incident-manag…

5/ Pre-built templates eliminate the most dangerous incident response pattern of starting from scratch every time. When your team can immediately copy proven templates and execute familiar procedures, response quality stays consistent even under extreme pressure.

Framework of the Month for April: Incident Response Template 🆕 Brand new framework launching today! The best time to build your incident response plan is before you need it. The second best time is right now. Pre-built assets and practiced procedures are the difference between recovery and catastrophe. (1/x)