Security experts have raised alarms about a new campaign named “Mach-O Man” by the North Korean Lazarus Group, which converts standard business communications into conduits for credential theft and data loss. According to Natalie Newson, a senior blockchain security researcher at CertiK, who spoke with CoinDesk on Wednesday, this group has been actively targeting executives in fintech and cryptocurrency sectors, as well as high-value firms.
Since 2017, the Lazarus Group’s cumulative theft is estimated to exceed $6.7 billion. In just the past fortnight, hackers associated with North Korea have reportedly extracted over $500 million through the exploits of Drift and KelpDAO. Newson emphasized that the crypto industry should regard Lazarus the way banks regard nation-state cyber threats: as a persistent and well-funded danger rather than merely another headline.
“Lazarus’s current threat level is heightened by their operational intensity,” remarked Newson. “KelpDAO, Drift, and now this new macOS malware kit have been part of their activities within a single month. This isn’t sporadic hacking; it’s akin to a state-backed financial initiative operating with the scale and velocity typical of institutional entities.”
North Korea has developed cryptocurrency theft into a lucrative national industry, with Mach-O Man being one of its latest innovations. While created by Lazarus, this tool is also in use by other cybercrime groups.
“A modular macOS malware kit devised by Lazarus’s notorious Chollima division, it leverages native Mach-O binaries for Apple environments where crypto and fintech are prevalent,” explained Newson. The delivery method is known as ClickFix, a social engineering tactic that misleads victims into pasting a command into their terminal to fix a connectivity issue that does not actually exist.
Mauro Eldritch, the founder of threat intelligence firm BCA Ltd., noted that Lazarus sends executives “urgent” meeting invites via Telegram for Zoom, Microsoft Teams, or Google Meet calls. These links direct them to a convincingly fake website instructing them to copy and paste a command into their Mac’s terminal to “resolve a connection issue.” This action grants immediate access to corporate systems, SaaS platforms, and financial resources. By the time victims realize they’ve been compromised, it is often too late.
Vladimir S., a security threat researcher, pointed out on X that there are several variations of this attack, including instances where Lazarus hijacked domains of decentralized finance (DeFi) projects by substituting their websites with counterfeit Cloudflare messages demanding command entry for access.
“These deceptive ‘verification steps’ guide victims through keyboard shortcuts executing harmful commands,” stated Newson from CertiK. “The page appears legitimate, the instructions seem standard, and the victim triggers it themselves—making traditional security measures often ineffective in detecting it.”
Most victims remain unaware of the breach until significant damage has occurred, by which time the malware has already erased itself. As Newson observed, “They might not know yet. If they do, identifying the specific variant involved is likely beyond their capacity.”