macOS Users Targeted in Lazarus Group's Crypto Heist Campaign

Researchers Found the Telegram Bot Token Exposed in the Binary, Allowing Them to Disrupt the Channel
Written by Soham Halder. Reviewed by Sankha Ghosh.
Mach-O Man, a modular macOS malware kit, has surfaced in a Lazarus Group crypto campaign that targets macOS Keychain data and raises serious concerns over user security. It illustrates how far these attacks have advanced and why stronger protection is needed.

How Mach-O Man Malware Targets macOS Keychain Data

North Korea’s Lazarus Group has deployed a modular macOS malware kit called Mach-O Man that uses fake meeting invites to steal credentials and crypto wallet access from fintech executives and developers.

Security researchers at Bitso’s Quetzal Team, working alongside the ANY.RUN sandbox platform, publicly disclosed the kit on April 21, 2026, after analyzing a campaign they named ‘North Korea’s Safari.’

The team connected the kit to Lazarus’s recent large-scale crypto thefts, including attacks on KelpDAO and Drift, citing the group’s consistent targeting of high-value macOS users in Web3 and fintech roles.

Lazarus Group’s Role in Crypto-Focused Cyber Campaigns

Mach-O Man is written in Go and compiled as Mach-O binaries that run natively on both Intel and Apple Silicon Macs. The kit operates in four distinct stages and is designed to harvest browser credentials, macOS Keychain entries, and crypto account access before deleting its traces.

Attackers compromise or impersonate Telegram accounts belonging to colleagues in Web3 and crypto circles. The target receives an urgent meeting invite for Zoom, Microsoft Teams, or Google Meet that links to a convincing fake site, such as update-teams.live or livemicrosft.com.

The fake site displays a simulated connection error and instructs the user to copy and paste a Terminal command to resolve it. This technique, known as ClickFix and adapted here for macOS, tricks the user into executing the initial stager themselves, according to the researchers.

The stager downloads a fake app bundle, applies an ad-hoc code signature so that it looks legitimate at a glance, and prompts the user for their macOS password. An ad-hoc signature carries no Developer ID and is not notarized, so it would not pass a Gatekeeper assessment; it mainly satisfies the requirement that native code on Apple Silicon be signed before it can run, and running codesign -dv on such a file reports Signature=adhoc. The password window shakes on the first two attempts, mimicking the way a genuine macOS prompt rejects a wrong password, and accepts the entry on the third. This is a deliberate design choice to build false trust.

Researchers noted that the kit’s profiler component contains a coding bug that creates an infinite loop. It causes noticeable CPU spikes that can reveal an active infection.


Steps Users Can Take to Protect macOS Systems

Security teams at crypto and fintech firms are advised to audit the LaunchAgents directories (~/Library/LaunchAgents and /Library/LaunchAgents), monitor for processes named OneDrive running from anywhere other than the installed OneDrive app bundle, and block outbound traffic to the Telegram Bot API (api.telegram.org) when it is not operationally required. Users should never paste Terminal commands copied from web pages or unsolicited meeting links.
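The three checks recommended above, together with the ad-hoc signature check that follows from the stager description earlier in the article, written as a host triage script. This is an added example, not code from Bitso’s Quetzal Team, ANY.RUN or the article. The detection logic is kept in pure functions over text so it runs and can be tested on any system; only triage_live_host() reads a real machine, and it does so only on macOS. Assumptions: the genuine OneDrive client is installed under /Applications/OneDrive.app, the Telegram Bot API host is api.telegram.org, and every SAMPLE_* value is constructed for the demo (the team identifier is a placeholder, not a real one).

```python
"""Host triage for the indicators above (LaunchAgents, OneDrive look-alike
processes, Telegram Bot API traffic) plus the ad-hoc signature check.
Added example, not code from Bitso's Quetzal Team or ANY.RUN. The checks are
pure functions over text, so they run anywhere; only triage_live_host() reads
a real macOS machine. Assumed: the genuine OneDrive client lives under
/Applications/OneDrive.app; all SAMPLE_* data is constructed (placeholder team ID)."""
import plistlib
import subprocess
import sys
from pathlib import Path

EXPECTED_ONEDRIVE_PREFIX = "/Applications/OneDrive.app/"  # assumption
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
TELEGRAM_BOT_API_HOST = "api.telegram.org"  # the Bot API endpoint to block

def launch_agent_program(plist_bytes):
    """Executable a LaunchAgent starts: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    return data.get("Program") or (args[0] if args else None)

def launch_agent_findings(plist_bytes):
    """Heuristics for one plist; a non-empty list means look closer."""
    data = plistlib.loads(plist_bytes)
    program = launch_agent_program(plist_bytes)
    if program is None: return ["no Program or ProgramArguments"]
    findings = []
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"runs from a user-writable path: {program}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at login, restarts if killed")
    return findings

def is_adhoc_signed(codesign_output):
    """Parse `codesign -dv <path>` output (it goes to stderr). Ad-hoc signing,
    which carries no Developer ID, prints 'Signature=adhoc'; a real signature
    prints 'Signature size=N'; unsigned code prints no Signature line."""
    for line in codesign_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "Signature":
            return value.strip() == "adhoc"
    return False

def unexpected_onedrive_processes(ps_lines):
    """From `ps -axo pid=,comm=` lines, OneDrive binaries outside the real bundle."""
    hits = []
    for line in ps_lines:
        _pid, _, path = line.strip().partition(" ")
        path = path.strip()
        if "onedrive" in Path(path).name.lower() and not path.startswith(EXPECTED_ONEDRIVE_PREFIX):
            hits.append(path)
    return hits

def telegram_bot_api_connections(lsof_lines):
    """From `lsof -P -iTCP -sTCP:ESTABLISHED` lines (no -n, so hostnames resolve)."""
    return [line for line in lsof_lines if f"->{TELEGRAM_BOT_API_HOST}:" in line]

def triage_live_host():
    """Run every check on this machine; returns {} when not on macOS."""
    if sys.platform != "darwin":
        return {}
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True)
    out = {"launch_agents": {}, "onedrive": [], "telegram": []}
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for plist in d.glob("*.plist"):
            try:
                raw = plist.read_bytes()
                findings, program = launch_agent_findings(raw), launch_agent_program(raw)
            except Exception as exc:  # a plist launchd cannot parse is itself a finding
                out["launch_agents"][str(plist)] = [f"unparseable: {exc}"]
                continue
            if program and Path(program).exists() and is_adhoc_signed(run("codesign", "-dv", program).stderr):
                findings.append(f"ad-hoc signed: {program}")
            if findings:
                out["launch_agents"][str(plist)] = findings
    out["onedrive"] = unexpected_onedrive_processes(run("ps", "-axo", "pid=,comm=").stdout.splitlines())
    out["telegram"] = telegram_bot_api_connections(run("lsof", "-P", "-iTCP", "-sTCP:ESTABLISHED").stdout.splitlines())
    return out

# Constructed samples (not real artifacts) showing what each check matches.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.microsoft.OneDriveUpdater</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/Application Support/OneDrive/OneDrive</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_CODESIGN_ADHOC = ("Executable=/Users/dev/Library/Application Support/OneDrive/OneDrive\n"
                         "CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=12+2 location=embedded\n"
                         "Signature=adhoc\nTeamIdentifier=not set\n")
SAMPLE_CODESIGN_DEVID = ("Executable=/Applications/OneDrive.app/Contents/MacOS/OneDrive\n"
                         "Signature size=9044\nAuthority=Developer ID Application: Example Vendor (TEAMID0000)\n"
                         "TeamIdentifier=TEAMID0000\n")
SAMPLE_PS = ["  412 /Applications/OneDrive.app/Contents/MacOS/OneDrive",
             " 9731 /Users/dev/Library/Application Support/OneDrive/OneDrive",
             "  518 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"]
SAMPLE_LSOF = ["OneDrive  9731 dev 12u IPv4 0x1a2b 0t0 TCP 10.0.0.5:52314->api.telegram.org:443 (ESTABLISHED)",
               "Safari     640 dev 31u IPv4 0x3c4d 0t0 TCP 10.0.0.5:52320->example.com:443 (ESTABLISHED)"]

if __name__ == "__main__":
    print(launch_agent_findings(SAMPLE_PLIST), is_adhoc_signed(SAMPLE_CODESIGN_ADHOC), is_adhoc_signed(SAMPLE_CODESIGN_DEVID))
    print(unexpected_onedrive_processes(SAMPLE_PS), telegram_bot_api_connections(SAMPLE_LSOF))
    print(triage_live_host() or "not macOS: live collection skipped")
```

Run it with python3 on a Mac to triage that host; elsewhere it only exercises the constructed samples. The LaunchAgent heuristics are deliberately loose (plenty of legitimate agents start programs under ~/Library/Application Support), so treat a hit as a prompt to inspect the file and the signature, not as a verdict. The hostname match in telegram_bot_api_connections depends on lsof’s reverse DNS lookup, which Telegram’s addresses may not satisfy; in production, match Bot API traffic at the DNS resolver or egress proxy instead, where the requested name is logged.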

Organizations running macOS fleets in Apple-heavy crypto environments should treat any urgent, unsolicited meeting link as a potential entry point until verified through a separate communication channel.

Analytics Insight: Latest AI, Crypto, Tech News & Analysis
www.analyticsinsight.ae