Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign – Bitcoin News

Key Takeaways:

  • North Korea’s Lazarus Group deployed Mach-O Man malware targeting macOS users in crypto and fintech roles in April 2026.
  • Bitso’s Quetzal Team confirmed the Go-compiled kit enables credential theft, Keychain access, and data exfiltration via four stages.
  • Security researchers urged firms on April 22, 2026, to block Terminal-based ClickFix lures and audit LaunchAgents for files masquerading as Onedrive.

Researchers Expose North Korean macOS Malware Targeting U.S. Crypto and Web3 Firms

Security researchers at Bitso’s Quetzal Team, working alongside the ANY.RUN sandbox platform, publicly disclosed the kit on April 21, 2026, after analyzing a campaign they named “North Korea’s Safari.” The team connected the kit to Lazarus’s recent large-scale crypto thefts, including attacks on KelpDAO and Drift, citing the group’s consistent targeting of high-value macOS users in Web3 and fintech roles.

Mach-O Man is written in Go and compiled as Mach-O binaries, making it native to both Intel and Apple Silicon machines. The kit runs in four distinct stages and is designed to harvest browser credentials, macOS Keychain entries, and crypto account access before deleting traces of itself.

The infection begins with social engineering, not a software exploit. Attackers compromise or impersonate Telegram accounts belonging to colleagues in Web3 and crypto circles. The target receives an urgent meeting invite for Zoom, Microsoft Teams, or Google Meet that links to a convincing fake site, such as update-teams.live or livemicrosft.com.

The fake site displays a simulated connection error and instructs the user to copy and paste a Terminal command to resolve it. This technique, known as ClickFix and adapted here for macOS, leads the user to execute the initial stager file, teamsSDK.bin, via curl. Because the user runs the command manually, macOS Gatekeeper does not block it.

The stager downloads a fake app bundle, applies ad-hoc code signing to make it appear legitimate, and prompts the user for their macOS password. The window shakes on the first two attempts and accepts the credential on the third, a deliberate design choice to build false trust.

From there, according to the researchers’ report and other accounts, a profiler binary enumerates the machine’s hostname, UUID, CPU, operating system details, running processes, and browser extensions across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. Researchers noted the profiler contains a coding bug that creates an infinite loop, causing noticeable CPU spikes that can expose an active infection.

A persistence module then drops a renamed file called Onedrive into a hidden path under a folder labeled “Antivirus Service” and registers a LaunchAgent called com.onedrive.launcher.plist so it runs automatically at login.

The final stage, a stealer binary labeled macrasv2, collects browser extension data, SQLite credential databases, and Keychain items, compresses them into a zip file, and exfiltrates the package through the Telegram Bot API. Researchers found the Telegram bot token exposed in the binary, which they described as a major operational security failure that could allow defenders to monitor or disrupt the channel.

The Quetzal Team published SHA-256 hashes for all major components, along with network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. Security researchers noted the kit has been observed in use by groups beyond Lazarus, suggesting the tooling has been shared or sold within the threat actor ecosystem.

Lazarus, also tracked as Famous Chollima by threat intelligence firms, has been attributed to billions of dollars in cryptocurrency theft over the past several years. The group’s prior macOS tools included AppleJeus and RustBucket. Mach-O Man follows the same target profile while lowering the technical barrier for macOS compromises.


Security teams at crypto and fintech firms are advised to audit LaunchAgents directories, monitor for Onedrive processes running from unusual file paths, and block outbound Telegram Bot API traffic where it is not operationally required. Users should never paste Terminal commands copied from web pages or unsolicited meeting links.
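The LaunchAgent audit and the process check recommended above can be scripted. The following is an added example, not code from the Bitso/Quetzal report or from any tool it names: it parses LaunchAgent plists with Python’s standard-library plistlib and flags the persistence pattern the article describes (a OneDrive-named agent whose program lives in a hidden, non-Microsoft path under an “Antivirus Service” folder), then applies the same path rule to `ps` output. The label com.onedrive.launcher, the “Antivirus Service” folder name and the Onedrive file name are the indicators the article reports; the legitimate OneDrive install path, the sample user directory and the sample process listing are assumptions constructed for the demonstration.

```python
"""Audit macOS LaunchAgents and processes for files masquerading as OneDrive."""
import os
import plistlib
import tempfile

# Assumed location of Microsoft's real OneDrive client (adjust for MDM-managed fleets).
LEGIT_ONEDRIVE_PREFIX = "/Applications/OneDrive.app/"
# Indicators as reported in the article.
SUSPICIOUS_LABEL = "com.onedrive.launcher"
SUSPICIOUS_DIR_HINT = "Antivirus Service"


def program_path(plist):
    """Return the executable a LaunchAgent runs (Program, else ProgramArguments[0])."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_launchagent(data):
    """Return a list of findings for one plist's raw bytes; an empty list means clean."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)
    if label == SUSPICIOUS_LABEL:
        findings.append(f"known-bad label {label}")
    if "onedrive" in (label + path).lower() and not path.startswith(LEGIT_ONEDRIVE_PREFIX):
        findings.append(f"OneDrive-named agent runs from non-Microsoft path {path}")
    if SUSPICIOUS_DIR_HINT in path:
        findings.append(f"program path contains '{SUSPICIOUS_DIR_HINT}'")
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append(f"program path includes a hidden directory: {path}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set: executes at every login")
    return findings


def audit_directory(directory):
    """Audit every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                findings = audit_launchagent(fh.read())
            if findings:
                results[name] = findings
    return results


def suspicious_processes(ps_lines):
    """Flag OneDrive-named processes outside the Microsoft bundle.

    ps_lines are output lines of `ps -axo pid=,comm=` (pid, then the command path).
    """
    hits = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        pid, comm = parts
        if "onedrive" in comm.lower() and not comm.startswith(LEGIT_ONEDRIVE_PREFIX):
            hits.append((int(pid), comm))
    return hits


# Constructed samples: a benign updater agent and one modelled on the reported persistence.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})
MASQUERADE_PLIST = plistlib.dumps({
    "Label": "com.onedrive.launcher",
    "ProgramArguments": ["/Users/alice/Library/.hidden/Antivirus Service/Onedrive"],
    "RunAtLoad": True,
})
SAMPLE_PS = [  # constructed `ps -axo pid=,comm=` lines
    "  412 /Applications/OneDrive.app/Contents/MacOS/OneDrive",
    " 7731 /Users/alice/Library/.hidden/Antivirus Service/Onedrive",
]


def demo_audit_directory():
    """Write the two samples into a temporary LaunchAgents dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("com.example.updater.plist", BENIGN_PLIST),
                           ("com.onedrive.launcher.plist", MASQUERADE_PLIST)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return audit_directory(tmp)


if __name__ == "__main__":
    print(demo_audit_directory())
    print(suspicious_processes(SAMPLE_PS))
    # On a real host: audit_directory(os.path.expanduser("~/Library/LaunchAgents"))
```

On a live machine, run `audit_directory` over both `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and feed `suspicious_processes` the output of `ps -axo pid=,comm=`; the path rule deliberately treats any OneDrive-named item outside the Microsoft bundle as a finding rather than trying to recognise every malicious variant by name.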

Organizations running macOS fleets in Apple-heavy crypto environments should treat any urgent, unsolicited meeting link as a potential entry point until verified through a separate communication channel.

Source: https://news.bitcoin.com/mach-o-man-malware-steals-macos-keychain-data-in-lazarus-group-crypto-campaign/