
North Korean state-run Lazarus Group is running a new campaign dubbed “Mach-O Man” that turns routine business communications into a direct path to credential theft and data loss, security experts warned Wednesday.

Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk on Wednesday that the collective, with an estimated cumulative loot of $6.7 billion since 2017, is targeting fintech, cryptocurrency and other high-value executives and firms.

In the past two weeks alone, North Korean hackers have siphoned off more than $500 million from the exploits of Drift and KelpDAO in a sustained campaign. The crypto industry, she said, should begin to view Lazarus the same way banks view nation-state cyber actors: “as a persistent and well-funded threat, not just another news headline.”

“What makes Lazarus particularly dangerous at this time is its level of activity,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This is not random hacking; this is a state-directed financial operation running at the scale and speed typical of institutions.”

North Korea has turned crypto theft into a lucrative national industry, she said, and Mach-O Man is the latest product of that process. While Lazarus created it, other cybercrime groups are also using it.

“This is a modular macOS malware kit created by the notorious Chollima division of Lazarus Group. It uses native Mach-O binaries tailored for the Apple environment where crypto and fintech operate,” she said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of the coverage is mixing two different things,” she said. ClickFix is a social engineering technique in which the victim is asked to paste a command into their terminal to fix a fake connection problem.

According to Mauro Aldrich, security expert and founder of threat intelligence firm BCA Ltd., this works by Lazarus sending executives “instant” meeting invitations on Telegram for Zoom, Microsoft Teams or Google Meet calls.

The link leads to a fake but convincing website that instructs them to copy and paste a simple command into their Mac’s Terminal to “fix the connection problem.” In doing so, victims hand the attackers immediate access to corporate systems, SaaS platforms, and financial resources. By the time they realize they have been compromised, it is usually too late.

There are many variations of this attack, security threat researcher Vladimir S. said on X. There are already cases where Lazarus attackers have hijacked the domains of decentralized finance (DeFi) projects to spread this new malware, replacing the sites with a fake Cloudflare message that asks visitors to enter a command to gain access.

“These fake ‘verification steps’ guide victims through a keyboard shortcut that runs a harmful command,” CertiK’s Newson said. “The page looks genuine, the instructions seem normal, and the victim initiates the action themselves – which is why traditional security controls often miss it.”

Most victims of this attack will not realize that their security has been breached until the damage is done, by which time the malware will have already removed itself.

“They probably don’t know it yet,” he said. “If they do, they probably won’t recognize which variant has affected them.”
