In April 2026, the notorious North Korean hacking collective Lazarus Group escalated its macOS-targeted attacks with a new modular malware suite named Mach-O Man. Discovered by Bitso's Quetzal security team in collaboration with the ANY.RUN sandbox platform and disclosed on April 21, the campaign—codenamed “North Korea's Safari”—specifically targets executives and developers at U.S.-based Web3 and fintech companies.
Four-Stage Attack Chain: From Social Engineering to Data Exfiltration
Mach-O Man is written in Go and compiled as Mach-O binaries, making it native to both Intel and Apple Silicon architectures. The infection unfolds in four distinct stages. First, attackers compromise or impersonate Telegram accounts of colleagues within the target's Web3 or crypto network. The victim receives an urgent meeting invite (e.g., for Zoom, Microsoft Teams, or Google Meet) with a link to a convincing fake site such as update-teams.live or livemicrosft.com.
The fake page shows a simulated connection error and instructs the user to copy and paste a Terminal command to fix it—an adapted ClickFix technique for macOS. Because the command is manually executed by the user, macOS Gatekeeper does not block it. Stage one downloads a stager binary named teamsSDK.bin, which then installs a fraudulent application bundle. The bundle uses ad-hoc code signing to appear legitimate and prompts the user for their macOS password three times: the first two attempts deliberately shake and reject the entry, while the third accepts it. This design builds false trust and ensures the victim enters their real password.
Deep Enumeration and Persistence
Stage two deploys a profiler binary that enumerates the machine's hostname, UUID, CPU details, OS version, running processes, and browser extensions across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. Researchers noted a coding bug in the profiler that creates an infinite loop, causing notable CPU spikes—an unintended signature that can reveal an active infection.
Stage three ensures persistence: the malware drops a renamed file called Onedrive into a hidden path under a folder labeled “Antivirus Service” and registers a LaunchAgent (com.onedrive.launcher.plist) so it runs automatically upon login.
Final Stealer: Exfiltrating Keychain and Crypto Wallets
The final stage is a stealer binary named macrasv2 that collects browser extension data, SQLite credential databases, and macOS Keychain items—including crypto wallet passwords and private key hints. All stolen data is compressed into a zip archive and exfiltrated via the Telegram Bot API. The Quetzal team discovered that the attackers exposed their Telegram bot token inside the binary, a major operational security failure that allows defenders to monitor or even disrupt the command channel.
Attribution, Wider Use, and Defense
The Quetzal team published SHA-256 hashes for all major components along with network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. Security researchers observed that the toolkit is also being used by groups beyond Lazarus, suggesting it has been shared or sold within the threat actor ecosystem. Lazarus, previously known for macOS tools like Applejeus and Rustbucket, now lowers the technical barrier for macOS compromises with Mach-O Man.
Security teams at crypto and fintech firms are advised to audit LaunchAgent directories, monitor for Onedrive processes running from unusual file paths, and block outbound Telegram Bot API traffic where not operationally required. Users should never paste Terminal commands copied from web pages or unsolicited meeting links, and treat all urgent, unsolicited meeting invites as potential entry points until verified through a separate communication channel.

