Lazarus Group Deploys Mach-O Man Malware Targeting macOS Crypto Wallets via Fake Meeting Invites

Lazarus Group Deploys Mach-O Man Malware Targeting macOS Crypto Wallets via Fake Meeting Invites

N
News Editor 01
2026-07-08 14:38:13
North Korean Lazarus group has deployed a modular macOS malware called Mach-O Man, using fake meeting invites to steal credentials, keychain data, and cryptocurrency wallets from executives and developers in fintech.
LazarusmalwaremacOScryptocurrency securitykeychain theft

Security researchers have publicly disclosed a new modular macOS malware toolkit named Mach-O Man, attributed to the North Korean Lazarus group. The campaign, dubbed "North Korean Safari" by analysts, specifically targets high-value executives and developers in the cryptocurrency and fintech sectors. The malware uses fake meeting invitations to trick victims into running Terminal commands, ultimately stealing browser credentials, keychain data, and cryptocurrency wallet access.

Four-Stage Attack Chain

Discovered by Bitso's Quetzal security team in collaboration with the ANY.RUN sandbox platform on April 21, 2026, Mach-O Man is written in Go and compiled as Mach-O binaries compatible with both Intel and Apple Silicon. The attack unfolds in four distinct stages:

Stage 1 – Social Engineering: Attackers compromise or impersonate Telegram accounts of colleagues within Web3 and crypto circles. The victim receives an urgent meeting invite for Zoom, Microsoft Teams, or Google Meet, linking to a convincing fake site such as update-teams.live or livemicrosft.com. The site displays a simulated connection error and instructs the user to copy and paste a Terminal command to fix it—a macOS-adapted ClickFix technique. This command downloads the initial stager file teamsSDK.bin via curl. Because the user manually executes it, macOS Gatekeeper does not block it.

Stage 2 – Credential Harvesting: The stager downloads a fake application bundle, applies an ad-hoc code signature to appear legitimate, and prompts the user for their macOS password. Notably, the password window shakes on the first two attempts and accepts the credential on the third—a deliberate design to build false trust. Once the password is obtained, the malware proceeds to the next stage.

Stage 3 – Profiling: A profiling binary enumerates the machine's hostname, UUID, CPU type, OS details, running processes, and browser extensions for Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. The researchers noted a coding error in this module that creates an infinite loop, causing noticeable CPU spikes that can betray an active infection.

Stage 4 – Persistence and Exfiltration: A persistence module places a renamed file called Onedrive inside a hidden folder named "Antivirus Service" and registers a LaunchAgent (com.onedrive.launcher.plist) to run automatically at login. Finally, the data theft binary macrasv2 collects browser extension data, SQLite credential databases, and keychain items, compresses them into a ZIP archive, and exfiltrates them via the Telegram Bot API.

Critical Operational Security Failure

Researchers discovered that the Telegram bot token was exposed in the binary, a grave operational security error that could allow defenders to monitor or disrupt the exfiltration channel. The Quetzal team published SHA-256 hashes of all major components and network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. They also reported that groups outside Lazarus have been observed using the toolkit, suggesting it has been shared or sold within the malicious ecosystem.

Broader Context and Defensive Measures

Lazarus, also known as Famous Chollima, has been responsible for billions of dollars in cryptocurrency thefts over the past years. Previous macOS tools include Applejeus and Rustbucket. Mach-O Man follows the same high-value targeting profile while lowering the technical barrier to compromise macOS systems. Security teams at cryptocurrency and fintech companies are urged to audit LaunchAgents directories, monitor for OneDrive processes running from unusual file paths, block outbound Telegram Bot API traffic unless operationally required, and never paste Terminal commands copied from web pages or unsolicited meeting links. Organizations with significant Apple macOS fleets should treat any unsolicited urgent meeting link as a potential entry point until verified through an independent communication channel.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
400

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.