North Korea’s Lazarus Group deployed a four-stage macOS malware kit called ‘Mach-O Man’ targeting fintech executives and crypto developers through fake meeting invitations.
North Korea’s state-sponsored Lazarus Group has unleashed a newly identified modular macOS malware kit dubbed “Mach-O Man,” a sophisticated four-stage attack chain targeting fintech executives, crypto developers, and high-value enterprise users through fake meeting invitations and ClickFix social engineering lures. Analyzed by researchers at ANY.RUN, the Go-compiled kit runs as native Mach-O binaries compatible with both Intel and Apple Silicon Macs.
The attack begins with a deceptive social engineering technique: victims receive an urgent Telegram message from a compromised contact containing what appears to be a legitimate invitation to a Zoom, Microsoft Teams, or Google Meet session. The link redirects to a convincing fake collaboration platform that displays a simulated connection error, prompting the user to paste and execute a terminal command to “fix” the issue. That single command silently deploys the initial stager (teamsSDK.bin). Stage 2 profiles the host and collects comprehensive system data including browser extensions across Chrome, Firefox, Safari, Brave, Opera, and Vivaldi. Stage 3 establishes persistence by creating an “Antivirus Service” folder and installing a OneDrive-disguised LaunchAgent. Stage 4 harvests browser credentials, session cookies, SQLite data, and macOS Keychain entries, exfiltrating everything via the Telegram Bot API.
Despite the campaign’s sophistication, researchers identified notable operational security weaknesses. The operators exposed their Telegram bot token, allowing third parties to read messages and even identify the operator. Several modules contain faulty logic, including a profiler that enters an infinite loop repeatedly posting system data to the C2 server, potentially triggering resource exhaustion alerts.
Since 2017, Lazarus has accumulated approximately $6.7 billion in stolen crypto assets. Security teams should treat any unexpected terminal command prompt — even one embedded in a seemingly routine meeting workflow — as a high-confidence social engineering indicator and audit LaunchAgents for files masquerading as OneDrive or Antivirus Service directories.
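One way to make that LaunchAgent audit repeatable, as an added example that is not from the report or from ANY.RUN's tooling: a Python script that parses every plist in a LaunchAgents directory and flags entries whose filename, Label or program path invokes OneDrive or "Antivirus Service" while the executable lives outside an expected OneDrive location. The trusted path prefix and both sample plists are assumptions constructed for this example, not artefacts recovered from the campaign.

```python
from __future__ import annotations
import plistlib
from pathlib import Path

# Names the report says the campaign borrows for its persistence artefacts.
MASQUERADE_TERMS = ("onedrive", "antivirus service")
# Where a genuine OneDrive binary is expected to live (assumption; use your inventory's paths).
TRUSTED_PREFIXES = ("/Applications/OneDrive.app/",)

def agent_program(plist: dict) -> str:
    """Return the executable a LaunchAgent runs (Program takes precedence over ProgramArguments)."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def classify_agent(plist_bytes: bytes, filename: str) -> dict | None:
    """Flag a plist whose filename, Label or program path invokes OneDrive or 'Antivirus Service'
    while the executable sits outside the trusted prefixes. Returns a finding dict or None."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException for non-plists, ExpatError for broken XML
        return {"file": filename, "reason": "unparseable plist"}
    program = agent_program(plist)
    label = str(plist.get("Label", ""))
    haystack = f"{filename} {label} {program}".lower()
    hits = [term for term in MASQUERADE_TERMS if term in haystack]
    if not hits or program.startswith(TRUSTED_PREFIXES):
        return None  # no masquerade term, or the vendor name is backed by the real bundle
    return {"file": filename, "label": label, "program": program, "matched": hits,
            "run_at_load": bool(plist.get("RunAtLoad", False))}

def audit_launch_agents(directory: str) -> list[dict]:
    """Walk a LaunchAgents directory (e.g. ~/Library/LaunchAgents) and return all findings."""
    return [f for p in sorted(Path(directory).glob("*.plist"))
            if (f := classify_agent(p.read_bytes(), p.name))]

# Constructed samples (not artefacts from the campaign): one mimicking the reported disguise,
# one a legitimate-looking agent whose binary sits inside the trusted bundle.
SUSPICIOUS_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.microsoft.OneDrive.update</string>
<key>ProgramArguments</key><array>
<string>/Users/victim/Library/Antivirus Service/OneDrive</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.microsoft.OneDriveStandaloneUpdater</string>
<key>Program</key><string>/Applications/OneDrive.app/Contents/MacOS/OneDrive</string>
</dict></plist>"""
```

Run `audit_launch_agents` against both the per-user and `/Library/LaunchAgents` directories; a hit on a path under the user's home with RunAtLoad set matches the persistence pattern the report describes and warrants pulling the referenced binary for analysis.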
Source: Cyber Security News — Lazarus Group Targets macOS Users With ‘Mach-O Man’ Malware