Security researchers have uncovered a new macOS-focused malware campaign linked to North Korea’s Lazarus Group, a threat actor long associated with major cryptocurrency thefts. The newly exposed toolkit, dubbed Mach-O Man, was designed to target executives, developers, and other high-value staff working in crypto, Web3, and fintech organizations, with a particular focus on Apple-heavy environments.
The findings were disclosed by Bitso’s Quetzal team in collaboration with sandbox platform ANY.RUN after they analyzed an operation they called “North Korea Safari.” According to the researchers, the campaign was publicly detailed on April 21, 2026, and it reflects Lazarus’ continued interest in compromising macOS users with access to sensitive credentials and digital assets.
Social engineering, not a software exploit
One of the most notable aspects of the campaign is that it does not rely on exploiting a software vulnerability. Instead, the attackers use carefully crafted social engineering to convince victims to compromise themselves. Researchers said the operators either hijack or impersonate Telegram accounts belonging to colleagues or contacts from crypto and Web3 circles. Victims are then sent urgent-looking invitations to meetings on Zoom, Microsoft Teams, or Google Meet.
Those links direct users to convincing fake websites, including domains such as update-teams.live and livemicrosft.com. Once the victim lands on the spoofed meeting page, they are shown a fake connection or access error and instructed to copy and paste a Terminal command to fix it. This tactic, commonly referred to as ClickFix, has been adapted here for macOS.
Because the command is executed manually by the user, Apple’s Gatekeeper protections may not stop the initial infection. That makes the technique especially dangerous in enterprise settings where users may already be accustomed to troubleshooting conferencing tools, developer software, or access permissions through the command line.
A four-stage malware chain built for credential theft
Quetzal said Mach-O Man is written in Go and compiled as native Mach-O binaries, allowing it to run on both Intel-based Macs and Apple Silicon devices. The toolkit operates in four stages and is engineered to collect browser credentials, access items stored in the macOS Keychain, and facilitate access to cryptocurrency-related accounts before removing traces of its activity.
The infection begins with an initial stager, identified as teamsSDK.bin, delivered via curl after the victim runs the Terminal command. That stager downloads a fake application bundle and applies an ad hoc code signature so the package appears more legitimate. The malware then prompts the user for their macOS password. Researchers noted an unusual design detail: the password dialog intentionally shakes on the first two attempts and only accepts the credential on the third, apparently to create a stronger illusion of authenticity.
Afterward, a profiling binary enumerates system details including the hostname, UUID, CPU information, operating system details, active processes, and browser extensions installed across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. According to the report, that profiling component contains a coding flaw that can trigger an infinite loop, causing noticeable CPU spikes. While unintended from the attacker’s perspective, that behavior could help defenders detect active infections.
Persistence and data exfiltration through Telegram
The next phase establishes persistence. A renamed file called Onedrive is placed in a hidden path inside a folder labeled “Antivirus Service”. The malware then registers a LaunchAgent named com.onedrive.launcher.plist so the payload executes automatically when the user logs in.
In the final stage, a data-stealing component known as macrasv2 gathers browser extension data, SQLite credential databases, and macOS Keychain items. The stolen data is compressed into a ZIP archive and exfiltrated using the Telegram Bot API. Researchers said they found the Telegram bot token exposed directly in the binary, calling it a serious operational security error. In practice, such a mistake could give defenders a chance to monitor, disrupt, or otherwise interfere with the exfiltration channel.
Quetzal also published SHA-256 hashes for the main components of the toolkit, along with network indicators tied to the IP addresses 172.86.113.102 and 144.172.114.220. These indicators are intended to help security teams identify or block activity associated with the campaign.
Part of a larger Lazarus pattern
The researchers linked Mach-O Man to Lazarus’ broader pattern of crypto-focused operations and noted similarities with previous large-scale thefts attributed to the group, including attacks on KelpDAO and Drift. They also observed signs that actors outside Lazarus may have used the same toolkit, suggesting the malware may have been shared or sold within a wider malicious ecosystem.
Lazarus, also tracked by some threat intelligence firms under the name Famous Chollima, has been blamed for stealing billions of dollars’ worth of cryptocurrency in recent years. The group has a documented history of targeting macOS users through malware families such as Applejeus and Rustbucket. In that context, Mach-O Man appears less like a one-off project and more like an evolution of a tested playbook: target trusted communication channels, exploit urgent business workflows, and focus on users with direct or indirect access to digital asset infrastructure.
What makes this campaign especially relevant for the crypto industry is its blend of technical simplicity and operational effectiveness. It lowers the barrier to compromising macOS systems by avoiding the need for a sophisticated exploit chain. Instead, it weaponizes trust, urgency, and routine workplace behavior. For crypto companies whose executives, engineers, and operations teams often handle wallets, credentials, admin dashboards, and exchange access from Apple devices, that threat model is particularly serious.
Defensive recommendations for crypto and fintech firms
The researchers urged security teams at cryptocurrency and fintech companies to audit LaunchAgents directories, look for suspicious OneDrive-related processes running from unusual file paths, and block outbound traffic to the Telegram Bot API where it is not operationally required. Those steps can help detect both persistence and data theft activity tied to Mach-O Man.
They also warned users never to paste Terminal commands copied from web pages or unsolicited meeting links. Any urgent invitation to join a conference call should be verified through an independent communication channel before action is taken. In environments with a large macOS fleet, especially those handling crypto custody, treasury operations, or wallet infrastructure, even a single successful infection could expose credentials with outsized downstream impact.
More broadly, the campaign is a reminder that endpoint security in crypto is no longer just about patching systems or protecting seed phrases. Attackers are increasingly targeting the professionals who operate the ecosystem itself. In the case of Mach-O Man, the path to compromise begins not with a zero-day, but with a fake calendar invite and a command pasted into Terminal.

