Lazarus Group has become especially dangerous with new Mach-O Man attack: CertiK
North Korea's Lazarus Group has a new attack vector that allows it to exploit an apparently routine business call as a gateway into a target's systems.
Lazarus Group has become especially dangerous with new Mach-O Man attack: CertiK
North Korea’s Lazarus Group has a new attack vector that allows it to exploit an apparently routine business call as a gateway into a target’s systems.
Security expert warn crypto and fintech firms to be cautious of new malware that North Korean hackers and other cybercriminals are using. (Shutterstock)
What to know:
The North Korean Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.
The operation uses a social engineering technique called ClickFix, luring victims to fake online meetings that instruct them to paste a command to fix an apparent communication problem into their Mac terminal, granting attackers access to corporate and financial systems.
Researchers say Mach-O Man is a modular malware kit already used beyond Lazarus, and often erases itself before victims realize they have been compromised, making incidents hard to detect or trace.
In the past two weeks alone, the North Korean hackers have siphoned more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as a constant and well-funded threat, not just another news headline,” she said.
“What makes Lazarus especially dangerous right now is their activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”
North Korea has turned crypto theft into a lucrative national industry, and Mach-O Man is just the latest product from that process, she said. While Lazarus created it, other cybercrime groups are also using it.
“It is a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries tailored for Apple environments where crypto and fintech operate,” she said.
Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of coverage is mixing up two separate things,” she noted. ClickFix is a social engineering technique where the victim is asked to paste a command into their terminal to fix a simulated connection issue.
It works by Lazarus sending executives an “urgent” meeting invite over Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd.
The link leads to a fake, but convincing, website that instructs them to copy and paste one simple command into their Mac’s terminal to “fix a connection issue.” In doing so, the victims provide immediate access to corporate systems, SaaS platforms and financial resources. By the time they find out they were exploited, it is usually too late.
There are several variations of this attack, security threat researcher Vladimir S. said on X. There are already cases where Lazarus attackers have hijacked decentralized finance (DeFI) projects’ domains with this new malware by replacing their websites with a fake message from Cloudflare, asking them to enter a command to grant access.
“These fake ‘verification steps’ guide victims through keyboard shortcuts that run a harmful command,” said Certik’s Newson. “The page looks real, the instructions seem normal, and the victim initiates the action themselves — which is why traditional security controls often miss it.”
Most victims of this hack will not realize their security has been breached until the damage has been done, at which time, the malware will have already erased itself as well.
“They likely don’t know it yet,” she said. “If they do, they probably can’t identify which variant affected them.”
The 50-page paper concludes that while today’s blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now.
What to know:
A Coinbase-backed report warns that while quantum computers aren’t an immediate threat to crypto, the industry must start preparing now for a future where they could break current encryption.
Although post-quantum solutions exist, switching will be complex and costly, pushing major crypto ecosystems like Ethereum and Solana to begin exploring…
