North Korea’s state-sponsored Lazarus Group has unleashed a newly identified, modular macOS malware kit dubbed “Mach-O Man” — a sophisticated, four-stage attack chain targeting fintech executives, cryptocurrency developers, and high-value enterprise users. The campaign leverages fake meeting invitations and social engineering lures to trick victims into compromising their own systems.
Analyzed by security researcher Mauro Eldritch in collaboration with ANY.RUN’s interactive sandbox platform, Mach-O Man is a Go-compiled malware kit built as native Mach-O binaries, making it fully compatible with both Intel and Apple Silicon Macs. The toolkit is attributed to Lazarus’s Chollima division and marks a significant escalation in the group’s targeting of Apple ecosystems.
The Social Engineering Entry Point: ClickFix
The attack begins not with a software exploit, but with a deceptively simple social engineering technique known as ClickFix. Victims — typically business leaders in Web3, fintech, or crypto circles — receive an urgent Telegram message from a compromised or impersonated contact, containing what appears to be a legitimate invitation to a Zoom, Microsoft Teams, or Google Meet session.
The link redirects to a convincing fake collaboration platform — such as update-teams[.]live or livemicrosft[.]com — that displays a simulated connection error, prompting the user to paste and execute a terminal command to “fix” the issue. That single command silently deploys teamsSDK.bin, the kit’s initial stager.
Four-Stage Attack Chain
Once execution begins, Mach-O Man operates across four distinct phases:
- Stage 1 — The Stager (teamsSDK.bin): Downloads a fake macOS application bundle impersonating Zoom, Teams, or Google Meet; applies an ad-hoc code signature to bypass macOS execution controls; prompts the victim for their password three times, with the window shaking on the first two attempts to simulate authentication failure before silently harvesting credentials.
- Stage 2 — The Profiler (D1YrHRTg.bin): Registers the host with the C2 server and collects a comprehensive system profile — including hostname, CPU type, boot time, OS version, running processes, network configuration, and a full inventory of installed browser extensions across Chrome, Firefox, Safari, Brave, Opera, and Vivaldi.
- Stage 3 — Persistence (minst2.bin): Creates a folder named “Antivirus Service,” drops a binary disguised as OneDrive, and installs a LaunchAgent (com.onedrive.launcher.plist) to ensure the malware kit re-executes on every login.
- Stage 4 — The Exfiltrator: Targets browser-stored credentials, cryptocurrency wallet extensions, and session cookies. It also scans for crypto wallet files on disk and transmits everything back to the attacker’s command-and-control infrastructure.
Why macOS? Lazarus’s Evolving Target Profile
Since 2017, the Lazarus Group has accumulated approximately $6.7 billion in stolen cryptocurrency assets, and researchers have already linked over $500 million in recent exploits to this group. Historically, their macOS operations were less sophisticated than their Windows counterparts, but Mach-O Man represents a clear investment in cross-platform capability.
Apple Silicon Macs are now prevalent in fintech startups, crypto exchanges, and Web3 development environments — precisely the targets Lazarus seeks to compromise. By building native Mach-O binaries compiled with Go, the group ensures compatibility across the Mac fleet without requiring Rosetta translation or architecture-specific payloads.
Indicators of Compromise and Defensive Recommendations
Organizations and individuals in the cryptocurrency and fintech space should take the following steps to protect themselves:
- Be extremely cautious of unsolicited meeting invitations, especially those requiring terminal commands to “fix” connection issues — no legitimate collaboration platform asks users to run command-line instructions
- Inspect LaunchAgent plist files in ~/Library/LaunchAgents/ for unexpected entries, particularly those referencing OneDrive outside of a legitimate Microsoft installation
- Review browser extension lists for unknown entries that may have been installed without explicit user action
- Enable macOS System Integrity Protection (SIP) and Gatekeeper, and ensure firmware passwords are set on managed devices
- Monitor outbound network traffic for connections to unfamiliar domains, especially shortly after a user reports a “failed” video call
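The LaunchAgent audit recommended above, and the Stage 3 persistence pattern it is meant to catch, can be turned into a small repeatable check. The script below is an added example written for this article, not tooling from the researchers or from ANY.RUN. It parses every plist in a LaunchAgents directory with Python's standard plistlib and flags entries that match what the article describes: an agent named after OneDrive that does not run from the real OneDrive install location, or an executable sitting in an "Antivirus Service" folder. The "legitimate OneDrive lives under /Applications/OneDrive.app" rule, the user-writable path list, the plist labels, and the on-disk paths in the sample data are all assumptions for illustration; the sample plists are constructed, not recovered from the malware.

```python
"""Audit a LaunchAgents directory for the persistence pattern described above.
Heuristics and sample data are illustrative assumptions, not the researchers' tooling."""
import plistlib
import tempfile
from pathlib import Path

# Fragments taken from the article: a plist named com.onedrive.launcher.plist
# and a binary dropped inside an "Antivirus Service" folder.
ONEDRIVE_FRAGMENT = "onedrive"
DROP_FOLDER_FRAGMENT = "antivirus service"
# Assumption: a genuine OneDrive launcher runs from /Applications/OneDrive.app;
# anything else calling itself OneDrive deserves a look. Tune this per fleet.
LEGIT_ONEDRIVE_PREFIX = "/applications/onedrive.app/"
# Assumption: locations a non-admin user (or malware running as that user) can write to.
USER_WRITABLE_PREFIXES = ("/users/", "/tmp/", "/private/tmp/", "/var/folders/")


def _targets(plist):
    """Every executable path the agent launches: Program plus ProgramArguments."""
    targets = []
    if plist.get("Program"):
        targets.append(str(plist["Program"]))
    targets.extend(str(a) for a in plist.get("ProgramArguments", []))
    return targets


def audit_launch_agents(agents_dir):
    """Return {plist filename: [reasons]} for every agent that trips a heuristic."""
    findings = {}
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth reporting
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        label = str(plist.get("Label", "")).lower()
        targets = [t.lower() for t in _targets(plist)]
        reasons = []
        mentions_onedrive = (ONEDRIVE_FRAGMENT in label
                             or ONEDRIVE_FRAGMENT in path.name.lower()
                             or any(ONEDRIVE_FRAGMENT in t for t in targets))
        if mentions_onedrive and not any(t.startswith(LEGIT_ONEDRIVE_PREFIX) for t in targets):
            reasons.append("OneDrive-named agent that does not run from /Applications/OneDrive.app")
        if any(DROP_FOLDER_FRAGMENT in t for t in targets):
            reasons.append("executable lives in an 'Antivirus Service' folder")
        if plist.get("RunAtLoad") and any(t.startswith(USER_WRITABLE_PREFIXES) for t in targets):
            reasons.append("RunAtLoad agent whose binary sits in a user-writable location")
        if reasons:
            findings[path.name] = reasons
    return findings


def build_sample_agents_dir():
    """Write three constructed plists to a temp directory and return its path."""
    agents = Path(tempfile.mkdtemp(prefix="launchagents_"))
    samples = {
        # Mirrors the persistence entry named in the article; label and path are assumed.
        "com.onedrive.launcher.plist": {
            "Label": "com.onedrive.launcher",
            "ProgramArguments": [
                "/Users/victim/Library/Application Support/Antivirus Service/OneDrive"
            ],
            "RunAtLoad": True,
        },
        # Constructed stand-in for a genuine vendor entry: OneDrive name, installed location.
        "com.vendor.onedrive.plist": {
            "Label": "com.vendor.onedrive",
            "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDrive"],
            "RunAtLoad": True,
        },
        # Unrelated benign agent that should stay quiet.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--quiet"],
            "RunAtLoad": True,
        },
    }
    for name, content in samples.items():
        with open(agents / name, "wb") as fh:
            plistlib.dump(content, fh)
    return agents


if __name__ == "__main__":
    # Run against the constructed samples; point at ~/Library/LaunchAgents on a real Mac.
    for name, reasons in audit_launch_agents(build_sample_agents_dir()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The third heuristic (RunAtLoad plus a user-writable binary path) is deliberately broad and will also surface legitimate per-user tools, so treat it as a triage list rather than a verdict; the first two rules are the ones tied directly to the behaviour the article reports.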
The discovery of Mach-O Man is a stark reminder that macOS is no longer a safe haven. As the platform gains market share among high-value targets, nation-state actors are investing the resources needed to compromise it at scale. Users should treat any unsolicited request to run terminal commands as an immediate red flag, regardless of how convincing the surrounding context appears.