A new macOS malware campaign from North Korea's Lazarus Group turns routine business calls into a gateway for stealing millions from crypto and fintech firms.

North Korean state-sponsored hackers from the Lazarus Group are deploying a new multi-stage malware for macOS called “Mach-O Man,” targeting executives in the crypto and fintech sectors. The campaign, identified in mid-April 2026, has already been linked to the group responsible for over $500 million in cryptocurrency thefts in the past month alone.
“What makes Lazarus especially dangerous right now is their activity level,” Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk. “This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”
The attack uses a social engineering technique dubbed “ClickFix,” luring victims on Telegram into fake Zoom or Google Meet calls. A fraudulent error message then prompts the user to paste a command into their Mac’s terminal, which installs the malware while bypassing native security controls. The final payload, Macrasv2, exfiltrates browser data, cookies, and sensitive macOS Keychain entries via a Telegram bot.
The campaign significantly raises the operational security risk for crypto projects, where compromised developer or executive credentials can lead to catastrophic losses, as seen in the recent $292 million KelpDAO and $285 million Drift exploits. The malware’s modular nature and use by other cybercrime groups suggest its threat will likely expand, forcing companies to defend against attacks that originate from their own employees’ trusted actions.
The primary innovation of the Mach-O Man campaign is its reliance on social engineering to circumvent Apple’s built-in security features. The attack begins when a target receives an urgent meeting invite on a platform like Telegram, seemingly from a trusted colleague, for a call on Zoom, Microsoft Teams, or Google Meet.
The link directs to a convincing but fake webpage that simulates a connection problem. To “solve” the issue, the site instructs the user to copy and paste a line of code into their Mac’s Terminal application. Because the user initiates the command themselves, macOS security features like Gatekeeper, which normally block unverified applications, are bypassed.
Upon execution, the command downloads an initial binary named teamsSDK.bin. The malware then downloads a fake app bundle and repeatedly asks the victim for their password with poorly translated but authentic-looking system prompts, ensuring it gains the permissions it needs.
The malware operates in four distinct stages. After the initial infection, a profiler module collects system information—including hostname, CPU details, and network configuration—and registers the victim with the attackers’ command-and-control (C2) server.
Next, a persistence module named minst2.bin ensures the malware survives a reboot. It drops a LaunchAgent plist file, com.onedrive.launcher.plist, which relaunches the malware at every login by masquerading as a legitimate “OneDrive” or “Antivirus Service” process.
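As an added defensive illustration (not code from the article, CertiK or BCA Ltd.), the Python below audits launchd plists the way a responder might after reading the persistence description above, flagging vendor-style labels that launch binaries from untrusted or hidden paths, inline shell one-liners, and RunAtLoad. The article names only the file com.onedrive.launcher.plist, so the sample plist contents and the /Users/victim/... binary path are constructed for the example.

```python
import os
import plistlib

# Label fragments that impersonate well-known software; the article reports com.onedrive.launcher.plist
# posing as a "OneDrive" or "Antivirus Service" process. The prefixes are where installed agents normally live.
VENDOR_HINTS = ("onedrive", "antivirus", "microsoft", "zoom", "teams", "google")
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/", "/usr/bin/", "/usr/libexec/")
SHELL_NAMES = ("sh", "bash", "zsh")

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing was flagged."""
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError):
        return ["plist does not parse"]
    label = str(plist.get("Label", "")).lower()
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if not program:
        return ["no Program or ProgramArguments"]
    findings = []
    if any(h in label for h in VENDOR_HINTS) and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"vendor-style label '{label}' runs {program} outside trusted paths")
    if any(part.startswith(".") for part in program.split("/")):
        findings.append(f"executable lives in a hidden directory: {program}")
    if os.path.basename(program) in SHELL_NAMES and "-c" in args:
        findings.append("agent runs an inline shell command (ClickFix-style one-liner)")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set, so it re-executes at every login")
    return findings

def audit_directory(directory: str) -> dict[str, list[str]]:
    """Audit every .plist under a launchd directory such as ~/Library/LaunchAgents."""
    results = {}
    for name in (sorted(os.listdir(directory)) if os.path.isdir(directory) else []):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = audit_launch_agent(fh.read())
    return results

# Constructed samples: the article names only the plist file, so its contents and the binary path are invented.
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.onedrive.launcher</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/.cache/onedrive_update</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backup</string>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Running `audit_directory(os.path.expanduser("~/Library/LaunchAgents"))` and `audit_directory("/Library/LaunchAgents")` on a host lists each plist with its findings; the constructed SUSPICIOUS sample yields three findings while BENIGN yields none.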
The final stage is the stealer itself, a payload identified as Macrasv2. This component is designed to extract data from browser extensions for Chrome, Firefox, Safari, Brave, and others. It targets stored credentials, cookies from SQLite databases, and sensitive entries in the macOS Keychain. Once collected, the data is compressed and exfiltrated using the Telegram bot API before the malware deletes most traces of itself from the system.
In a notable turn of events, the attackers’ own operational security proved inadequate. Mauro Eldritch, founder of threat intelligence firm BCA Ltd., discovered two critical vulnerabilities in the Lazarus Group’s C2 infrastructure.
According to a report from Eldritch, the malware’s code exposed the API token for the Telegram bot used for data exfiltration. This key allowed researchers to identify the bot’s owner and disrupt its channels with spam. Furthermore, the C2 server had a flaw that allowed unrestricted file uploads, enabling researchers to flood the attackers’ infrastructure with junk data and effectively cause an outage. While this provided a temporary setback for the hackers, the Mach-O Man malware kit remains an active and evolving threat.