- Lazarus Group Mach-O Man campaign targets crypto and fintech executives with fake meeting links.
- Victims paste a Mac Terminal command that opens access to systems, SaaS accounts, and funds.
- CertiK linked related attacks to over $500M in two weeks, while lifetime loot hit $6.7B.
Security experts warned Wednesday that North Korea’s state-backed Lazarus Group has launched a new “Mach-O Man” campaign aimed at crypto, fintech, and other high-value executives. According to reports, the operation uses Telegram messages, fake meeting pages, and a copied Terminal command on macOS to steal credentials, browser sessions, and Keychain data.
Researchers said the toolkit can erase itself after an attack, reducing visibility for detection tools and complicating efforts to trace the breach. SlowMist Chief Information Security Officer 23pds warned on X that the Lazarus Group’s newly released “Mach-O Man” campaign poses fresh risks, urging both individuals and organizations to stay vigilant.
A Chainalysis report estimated the collective’s cumulative loot at $6.7 billion since 2017, while CertiK linked recent related attacks to more than $500 million. Those incidents involved the Drift and KelpDAO exploits during the past two weeks, according to reports.
How the ‘Mach-O Man’ Campaign Works
According to Mauro Eldritch, founder of threat intelligence firm BCA Ltd., the attackers send executives an urgent meeting invite over Telegram. The message directs targets to a fake Zoom, Microsoft Teams, or Google Meet page that claims a simple Terminal command will fix a connection issue.
However, when victims paste the command, they hand over access to corporate systems, SaaS platforms, and financial resources. CertiK researchers said the malware is a modular macOS toolkit that can self-delete after the attack.
That feature can delay discovery and make it harder for victims to identify the variant used against them. In many cases, victims may not realize they have been compromised until the attackers have already caused significant damage.
What the Attackers Want
Based on Mauro’s report, the attackers appear to be after credentials, browser sessions, and macOS Keychain data that could provide access to infrastructure and financial assets. Telegram is also used as a trusted exfiltration channel, allowing sensitive information to be moved outside an organization with less suspicion.
Together, these tactics can result in account takeovers, unauthorized access to internal systems, financial losses, and exposure of critical data. Notably, the campaign relies heavily on social engineering and native macOS binaries, a combination that can reduce visibility for traditional endpoint detection and response tools.
For chief information security officers, the warning is clear: a single compromised macOS device could provide a gateway into internal systems, production environments, or even crypto asset holdings.
Scale of the Threat
CertiK researcher Natalie Newson told CoinDesk that the crypto industry should treat Lazarus Group as a persistent, well-funded threat from a nation-state. She said KelpDAO, Drift, and the new macOS toolkit appeared in the same month, showing sustained activity rather than isolated incidents. She described the pattern as a state-directed financial operation running at an institutional scale and speed.
CertiK researcher Natalie Newson told CoinDesk:
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/lazarus-group-deploys-new-macos-malware-toolkit-in-crypto-exec-hunt/