The North Korean state-run Lazarus Group is running a new campaign known as “Mach-O Man” that turns routine business communication into a direct path to credential theft and data loss, security experts warned Wednesday.
The collective, with cumulative loot estimated at $6.7 billion since 2017, is targeting fintech, cryptocurrency and other high-value executives and firms, Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk on Wednesday.
In the past two weeks alone, the North Korean hackers have siphoned more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as a constant and well-funded threat, not just another news headline,” she said.
“What makes Lazarus especially dangerous right now is their activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”
North Korea has turned crypto theft into a lucrative national industry, and Mach-O Man is just the latest product from that process, she said. While Lazarus created it, other cybercrime groups are also using it.
“It is a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries tailored for Apple environments where crypto and fintech operate,” she said.
Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of coverage is mixing up two separate things,” she noted. ClickFix is a social engineering technique where the victim is asked to paste a command into their terminal to fix a simulated connection issue.
It works by Lazarus sending executives an “urgent” meeting invite over Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd.
The link leads to a fake, but convincing, website that instructs them to copy and paste one simple command into their Mac’s terminal to “fix a connection issue.” In doing so, the victims provide immediate access to corporate systems, SaaS platforms and financial resources. By the time they find out they were exploited, it is usually too late.
There are several variations of this attack, security threat researcher Vladimir S. said on X. There are already cases where Lazarus attackers have hijacked decentralized finance (DeFI) projects’ domains with this new malware by replacing their websites with a fake message from Cloudflare, asking them to enter a command to grant access.
“These fake ‘verification steps’ guide victims through keyboard shortcuts that run a harmful command,” said Certik’s Newson. “The page looks real, the instructions seem normal, and the victim initiates the action themselves — which is why traditional security controls often miss it.”
Most victims of this hack will not realize their security has been breached until the damage has been done, at which time, the malware will have already erased itself as well.
“They likely don’t know it yet,” she said. “If they do, they probably can’t identify which variant affected them.”