Lazarus Group Targets macOS Users with New Mach-O Man Malware Arsenal

New North Korean malware arsenal targets crypto ecosystem

North Korea-linked Lazarus Group has launched a widespread campaign using a new modular macOS malware toolkit dubbed Mach-O Man. Cybersecurity researcher Mauro Eldritch disclosed the threat and its distribution methods.

«Lazarus is back with a new macOS malware kit. Made up of multiple Mach-O binaries, we named it "Mach-O Man". It is being distributed via ClickFix in the crypto ecosystem to steal secrets» — Mauro Eldritch (@MauroEldritch), original post

According to Eldritch, the arsenal was developed by another North Korean hacking group known as Famous Chollima. The toolkit consists of native Mach-O binary files specifically crafted for Apple's ecosystem — a platform widely adopted by crypto and fintech companies.

How the ClickFix attack works

The malware is delivered through a social engineering technique called ClickFix. Attackers send victims an "urgent" video call invitation via Telegram, purportedly for a meeting on Zoom, Microsoft Teams, or Google Meet.

The link in the invitation redirects to a phishing site that instructs the user to copy and paste a simple command into their Mac terminal — ostensibly to "fix a connection issue." Once executed, the command grants attackers direct access to corporate systems, SaaS platforms, and financial resources. In most cases, the breach is discovered too late to prevent damage.

DeFi domain hijacking adds another attack vector

Cybersecurity researcher Vladimir S. highlighted several variations of the attack described by Eldritch. In some instances, Lazarus hackers have been observed hijacking DeFi project domains and replacing the websites with fake Cloudflare messages asking users to enter a command to "grant access."

«I also once seen a slightly different variation of the attack where the attackers hijacked the DeFi project's domain and replaced the website with a fake message from Cloudflare asking users to enter a command to grant access. A lot of people fell for it» — Vladimir S. | Officer's Notes (@officer_secret), original post

Why this matters

Lazarus Group is operating at an unprecedented pace. CertiK senior blockchain security researcher Natalie Newson noted that attacks on Kelp, Drift, and the release of the new macOS arsenal all occurred within a single month. She characterized the activity not as random hacks but as a state-sponsored financial operation running at institutional scale and tempo.

The threat extends beyond technical exploits. In April, an Ethereum Foundation fellow identified approximately 100 North Korean IT agents embedded within Web3 companies. An on-chain detective had previously uncovered a similar network of DPRK operatives in the crypto industry.

macOS users working in the crypto sector should exercise extreme caution when receiving unexpected video conference invitations, particularly through messaging apps, and should never paste unfamiliar commands into their terminal under any circumstances.