xiand.ai
Apr 24, 2026 · Updated 05:24 PM UTC
Cybersecurity

Lazarus Group uses Mach-O Man malware to target macOS users in new campaign

A new malware kit named 'Mach-O Man' uses fake meeting invites to steal credentials from crypto and fintech executives on macOS.

Ryan Torres



Security researchers have identified a new macOS malware campaign linked to the North Korea-based Lazarus Group targeting crypto and fintech firms.

The 'Mach-O Man' malware kit uses 'ClickFix' social engineering tactics to infiltrate corporate systems, according to a report by Cointelegraph.

Attackers lure victims through fraudulent Zoom or Google Meet invitations. Once users join the fake calls, they are prompted to execute specific commands that download the malware in the background.

Because the victim runs the command, this method lets the attackers slip past traditional security controls without being detected. According to Mauro Eldritch, offensive security expert and founder of threat intelligence company BCA Ltd, the scheme targets both traditional businesses and crypto companies.

Data exfiltration via Telegram

The final stage of the campaign involves a specialized stealer designed to harvest sensitive information from infected devices.

The malware targets browser extension data, stored credentials, cookies, and macOS Keychain entries. Once this data is collected, the kit archives it into a zip file ready for exfiltration.

Attackers use Telegram to exfiltrate the stolen data back to their servers. After the theft is complete, a self-deletion script uses the system's 'rm' command to remove the malware kit, bypassing user confirmation and permissions.

Researchers warn that the campaign can lead to account takeovers, unauthorized infrastructure access, and significant financial losses. The group's expansion into macOS targeting suggests a shift beyond purely crypto-native targets.

The Lazarus Group is already linked to major industry thefts, including the $1.4 billion hack of the Bybit exchange in 2025. Recent reports also indicate the group has used AI-enabled social engineering to steal funds from the crypto sector.
