Lazarus Group has become especially dangerous with new Mach-O Man attack: CertiK

North Korea's Lazarus Group has a new attack vector that allows it to exploit an apparently routine business call as a gateway into a target's systems.

What to know:

• The North Korean Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.
• The operation uses a social engineering technique called ClickFix, luring victims to fake online meetings that instruct them to paste a command to fix an apparent communication problem into their Mac terminal, granting attackers access to corporate and financial systems.
• Researchers say Mach-O Man is a modular malware kit already used beyond Lazarus, and often erases itself before victims realize they have been compromised, making incidents hard to detect or trace.

In this article

BTCBTC$78,304.24◢2.99%

The North Korean state-run Lazarus Group is running a new campaign known as “Mach-O Man” that turns routine business communication into a direct path to credential theft and data loss, security experts warned Wednesday.

The collective, with cumulative loot estimated at $6.7 billion since 2017, is targeting fintech, cryptocurrency and other high-value executives and firms, Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk on Wednesday.

In the past two weeks alone, the North Korean hackers have siphoned more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as a constant and well-funded threat, not just another news headline," she said.

"What makes Lazarus especially dangerous right now is their activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”

North Korea has turned crypto theft into a lucrative national industry, and Mach-O Man is just the latest product from that process, she said. While Lazarus created it, other cybercrime groups are also using it.

“It is a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries tailored for Apple environments where crypto and fintech operate,” she said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It's important to be clear because a lot of coverage is mixing up two separate things,” she noted. ClickFix is a social engineering technique where the victim is asked to paste a command into their terminal to fix a simulated connection issue.

It works by Lazarus sending executives an “urgent” meeting invite over Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd.

The link leads to a fake, but convincing, website that instructs them to copy and paste one simple command into their Mac’s terminal to "fix a connection issue." In doing so, the victims provide immediate access to corporate systems, SaaS platforms and financial resources. By the time they find out they were exploited, it is usually too late.

There are several variations of this attack, security threat researcher Vladimir S. said on X. There are already cases where Lazarus attackers have hijacked decentralized finance (DeFI) projects’ domains with this new malware by replacing their websites with a fake message from Cloudflare, asking them to enter a command to grant access.

"These fake 'verification steps' guide victims through keyboard shortcuts that run a harmful command," said Certik's Newson. "The page looks real, the instructions seem normal, and the victim initiates the action themselves — which is why traditional security controls often miss it.”

Most victims of this hack will not realize their security has been breached until the damage has been done, at which time, the malware will have already erased itself as well.

“They likely don’t know it yet," she said. "If they do, they probably can’t identify which variant affected them.”

More For You

The 50-page paper concludes that while today’s blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now.

What to know:

• A Coinbase-backed report warns that while quantum computers aren’t an immediate threat to crypto, the industry must start preparing now for a future where they could break current encryption.
• Although post-quantum solutions exist, switching will be complex and costly, pushing major crypto ecosystems like Ethereum and Solana to begin exploring...

Kraken filed 56 million crypto tax forms for 2025. One-third were below $1

16 minutes ago

The signal bitcoin momentum traders have been waiting for is here

1 hour ago

Bitcoin tests $78,000 resistance as short-squeeze risks mount, altcoins rally

2 hours ago

Flight to safety: How Maker’s Spark and USDC are winning the $10 billion Aave breakup

3 hours ago

Traders don’t see Kelp socializing losses after $292 million exploit

3 hours ago

A make or break moment: why $79,200 could act as a launchpad or a ceiling for bitcoin

4 hours ago

Tron's Justin Sun sues Trump-linked World Liberty Financial over frozen assets

7 hours ago

Another DeFi protocol loses millions in hack days after KelpDAO breach

5 hours ago

Bitcoin's 'Coinbase premium' just posted its longest bullish streak since October's record high of $126,000

6 hours ago