Security Alliance

From Safe Harbor protections to threat intel sharing to incident response coordination -- our programs exist because the community needed them and no one else was building them. Help us keep the working going: securityalliance.org/donate

@ConsensysAudits @coingecko

@coingecko @_SEAL_Org

Project you believe in?

SEAL exists because security experts chose to share knowledge instead of hoarding it. Your donation keeps that infrastructure running: securityalliance.org/donate

--> safeharbor.securityalliance.org

Read our latest advisory on the topic. Share it within your company to stay up to date with currently active tactics, techniques and procedures in relation to DPRK (UNC1069). x.com/_SEAL_Org/stat…

🚨 Multiple DPRK (UNC1069) Fake "Microsoft Teams" domains deployed on 2026-04-08 - Beware of impersonations and restarted conversations. live05ms[.]us miscruft[.]us Currently active campaigns! Check meeting destination URLs - apps like Telegram or Slack may disguise them.

The initial payload is a single .scpt (AppleScript) file - downloaded via a button in the fake meeting UI. The code is padded with benign-looking lines to obscure one malicious instruction. Executing it results in full machine compromise.

The fake meeting UI loads in-browser, visually identical to Zoom/Teams. The target cannot hear the call and is prompted to fix the audio - while the attacker simultaneously messages them, coaching them through the compromise in real time.

⚠️Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom calls DPRK (UNC1069) is expanding beyond the crypto sector - we are publishing 164 IOCs and detailing their currently active social engineering approaches. radar.securityalliance.org/advisory-on-dp…

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨 Multiple DPRK (UNC1069) Fake "Microsoft Teams" domains deployed on 2026-04-07 - Beware of impersonations and restarted conversations. micrusoft[.]us teams-meet[.]xyz teams-meet[.]us[.]com Check meeting destination URLs - apps like Telegram or Slack may disguise them.

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨DPRK (UNC1069) Fake "Microsoft Teams" domain deployed at 2026-04-06T17:33:40.899Z uk05live[.]us Always inspect destination URLs. URL displayed in applications such as Telegram or Slack may not match the destination URL.

Security is foundational to Web3. 🔒 @_SEAL_Org is the leading team pushing that frontier forward and securing the future of our entire ecosystem. 🙌 We’re very proud to partner with SEAL and power their efforts with the tools needed to protect users at scale.

💫 Tech Partner Spotlight 💫 This month, we're recognizing @tenderlyapp for supporting @_SEAL_org with access to Developer Explorer, Debugger, and Virtual Testnets. Their contribution helps us investigate exploits for threat intel & conduct research + experiments across our initiatives. If your company wants to support our mission: SecurityAllance.org/donate

Report any suspicious activity to seal_tips_bot on Telegram. Your tip may save others from getting infected.

Active social engineering tactics: Reviving old conversations from previously compromised accounts (Telegram/LinkedIn). Partnership, investor, or job invitation calls originating from fake or impersonated company group chats (Slack). Often pre-scheduled through Calendly.

🚨 DPRK (UNC1069) Fake "Microsoft Teams" domain deployed at 2026-04-06T01:32:46.722Z onlivemeet[.]com Always inspect destination URLs. URL displayed in applications such as Telegram or Slack may not match the destination URL.