North Korea-backed hackers deploy new attack vector targeting crypto executives and companies

North Korea’s state-run Lazarus Group is waging a new campaign known as “Mach-O Man” that turns common business communications into a direct path to credential theft and data loss, security experts warned Wednesday.

The collective, with an estimated cumulative haul of $6.7 billion since 2017, targets fintech, crypto and other high-value executives and companies, Natalie Newson, senior blockchain security researcher at CertiK, told CoinDesk on Wednesday.

In the past two weeks alone, North Korean hackers have siphoned off more than $500 million through Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view domestic cyber actors: “as a constant, well-funded threat, not just a news headline,” she said.

“What makes Lazarus particularly dangerous right now is its activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all in the same month. This is not a random hack; this is a state-run financial operation executed at a scale and speed typical of institutions.”

North Korea has turned cryptocurrency theft into a lucrative domestic industry, and Mach-O Man is just the latest product to emerge from that process, she said. Even though Lazarus created it, other cybercrime groups also use it.

“This is a modular macOS malware kit created by the infamous Chollima division of the Lazarus Group. It uses native Mach-O binaries tailored to Apple environments where crypto and fintech operate,” she said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of reporting confuses two separate things,” she noted. ClickFix is a social engineering technique in which the victim is asked to paste a command into their terminal to resolve a simulated connection problem.

It works by sending executives an “urgent” meeting invitation via Telegram for a Zoom call, Microsoft Teams or Google Meet, according to Mauro Eldritch, security expert and founder of threat intelligence firm BCA Ltd.

The link leads to a fake but convincing website that asks them to copy and paste a simple command into their Mac’s terminal to “fix a connection problem.” In doing so, victims provide immediate access to company systems, SaaS platforms, and financial resources. By the time they discover they have been exploited, it is usually too late.

There are several variations of this attack, said security threat researcher Vladimir S. on

“These fake ‘verification steps’ guide victims through keyboard shortcuts that execute a harmful command,” said CertiK’s Newson. “The page looks real, the instructions look normal, and the victim initiates the action themselves – that’s why traditional security checks often miss it.”

Most victims of this hack will not realize that their security has been breached until the damage is done, after which the malware will also have erased itself.

“They probably don’t know it yet,” she said. “If they do, they probably won’t be able to identify which variant affected them.”
