Lazarus Deploys Mach-O Man Malware to Steal macOS Keychain Data From Crypto Targets

Lazarus Deploys Mach-O Man Malware to Steal macOS Keychain Data From Crypto Targets

N
News Editor 01
2026-07-08 14:40:17
Security researchers say Lazarus used fake meeting invites and Terminal-based social engineering to deploy a modular macOS malware kit aimed at crypto and fintech professionals.
LazarusmacOS securitycrypto malwareWeb3 securityfintech cybersecurity

North Korea-linked threat group Lazarus has been linked to a new macOS malware campaign targeting executives, developers, and other high-value personnel in the cryptocurrency and fintech sectors. The malware, dubbed Mach-O Man, was publicly detailed by Bitso’s Quetzal team in collaboration with sandbox platform ANY.RUN after researchers analyzed an operation they called “North Korean Safari.” The campaign appears designed to steal browser credentials, access macOS Keychain data, and compromise crypto-related accounts.

Social engineering, not software exploits

According to the researchers, the infection chain begins with impersonation and urgency rather than a vulnerability in macOS itself. Attackers reportedly compromised or spoofed Telegram accounts associated with trusted industry contacts and sent victims fake invitations to Zoom, Microsoft Teams, or Google Meet sessions. Those links directed targets to convincing imitation websites, including domains such as update-teams.live and livemicrosft.com.

Once on the fake page, victims were shown a fabricated connection error and instructed to copy and paste a Terminal command to fix the issue. This technique, often referred to as ClickFix, has been adapted here for macOS. Because the user manually executes the command, Apple’s Gatekeeper protections may be bypassed, giving the attackers a more reliable path into the system without relying on a software exploit chain.

A four-stage malware framework for theft and persistence

Researchers said Mach-O Man is written in Go and compiled as native Mach-O binaries, allowing it to run on both Intel-based Macs and Apple Silicon devices. The toolkit reportedly operates in four stages. In the opening phase, an initial stager known as teamsSDK.bin is downloaded via curl after the user executes the malicious Terminal command.

The stager then retrieves a fake application package, applies an ad hoc code signature so the file appears more legitimate, and prompts the victim for their macOS password. One notable design detail stood out in the report: the password prompt intentionally shakes and rejects the first two attempts before accepting the credential on the third try. Researchers said this behavior appears deliberate, likely intended to make the prompt feel more authentic and lower user suspicion.

From there, a profiling component collects a wide range of host data, including hostname, UUID, CPU details, operating system information, running processes, and installed browser extensions. The targeting footprint spans major browsers such as Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. Investigators also found that the profiler contains a coding bug that can trigger an infinite loop, causing unusual CPU spikes. That implementation flaw may inadvertently help defenders spot infected machines.

In the persistence stage, the malware places a renamed file called Onedrive in a hidden path inside a folder labeled “Antivirus Service” and registers a LaunchAgent named com.onedrive.launcher.plist to ensure the payload runs automatically at login. In the final phase, a stealer module identified as macrasv2 collects data from browser extensions, SQLite credential databases, and Keychain entries, compresses the material into a zip archive, and exfiltrates it through the Telegram Bot API.

Operational clues and exposed infrastructure

Quetzal published the SHA-256 hashes of the malware’s primary components along with network indicators tied to the IP addresses 172.86.113.102 and 144.172.114.220. Researchers also discovered that the Telegram bot token used in the exfiltration process was exposed inside the binary itself. They described that as a serious operational security error, since it could potentially allow defenders to monitor, disrupt, or otherwise interfere with the attacker’s communications channel.

The report further noted that use of the toolkit has also been observed outside Lazarus-linked activity, raising the possibility that the malware has been shared or sold within a broader malicious ecosystem. That detail is significant because it suggests the threat may not remain limited to a single actor, even if Lazarus is believed to be the original source or a major operator behind the campaign.

Why crypto and Web3 firms are in focus

Lazarus has long been associated with major cryptocurrency thefts amounting to billions of dollars over recent years. Researchers linked this latest operation to the group’s continued emphasis on compromising high-value macOS users working in Web3 and fintech environments. The campaign was also discussed in the context of recent large-scale crypto thefts attributed to Lazarus, including incidents involving KelpDAO and Drift, according to the source material.

The choice of target profile is consistent with earlier Lazarus malware families for Apple devices, including Applejeus and Rustbucket. What makes Mach-O Man notable is not just its data-theft capability, but its apparent effort to reduce the technical barrier to compromise through user-driven execution and believable meeting lures. In other words, the attackers are leaning heavily on trust and workflow disruption rather than sophisticated zero-day exploitation.

Defensive recommendations for enterprises

Security teams at cryptocurrency exchanges, Web3 startups, and fintech firms were urged to review LaunchAgents directories, look for OneDrive-branded processes running from unusual file paths, and restrict outbound access to the Telegram Bot API when there is no operational need for it. Because the attack abuses common business tools and communication patterns, traditional user awareness controls may not be enough unless organizations explicitly warn staff about Terminal-based social engineering.

Researchers also advised users never to paste Terminal commands copied from websites or unsolicited meeting pages. Any urgent invitation received through Telegram or similar channels should be verified through an independent communication path before action is taken. For firms with large Apple device fleets, particularly those handling wallets, private infrastructure, treasury operations, or production code, the report suggests that meeting-link verification and macOS endpoint auditing should be treated as frontline controls rather than optional hygiene.

Overall, the disclosure underscores a broader trend in crypto-focused intrusions: attackers are refining social engineering to fit the operating systems and communication habits of their targets. In this case, the combination of fake collaboration tools, user-executed commands, stealthy persistence, and credential theft makes Mach-O Man a noteworthy threat for organizations relying on macOS in digital asset operations.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.