Lazarus-Linked Mach-O Man Malware Targets macOS Keychain and Crypto Wallet Access

Lazarus-Linked Mach-O Man Malware Targets macOS Keychain and Crypto Wallet Access

N
News Editor 01
2026-07-08 15:02:17
Security researchers say Lazarus has used a modular macOS malware kit called Mach-O Man to target crypto and fintech professionals through fake meeting invites, stealing Keychain data, browser credentials, and wallet access.
LazarusmacOS malwareKeychaincrypto walletscybersecurity

Security researchers have uncovered a modular macOS malware framework dubbed Mach-O Man, which they linked to North Korea’s Lazarus Group and a campaign aimed at cryptocurrency, Web3, and fintech professionals. The operation relied on fake meeting invitations, spoofed collaboration workflows, and user-executed terminal commands to compromise Apple devices and extract high-value credentials, including browser logins, Keychain entries, and access tied to crypto accounts.

A social-engineering campaign aimed at high-value macOS users

The campaign was publicly detailed by Bitso’s Quetzal Team in collaboration with the ANY.RUN sandbox platform. Researchers said the operation fit Lazarus’s familiar targeting pattern: executives, developers, and employees with access to sensitive systems or digital assets. Rather than exploiting a software vulnerability, the attackers reportedly leaned on social engineering, first by compromising or impersonating Telegram contacts within crypto and Web3 circles, then by sending urgent invitations for Zoom, Microsoft Teams, or Google Meet sessions.

Victims who clicked the embedded links were redirected to convincing phishing sites designed to imitate legitimate conferencing platforms. Examples cited in the report included domains such as update-teams.live and livemicrosft.com. Once on the fake page, users were shown a connection error message and instructed to copy and paste a command into Terminal to fix the issue. This tactic, described as a macOS adaptation of ClickFix, turned the victim into the execution mechanism.

That distinction mattered because the initial payload was launched manually by the user. According to the researchers, this helped the malware avoid being immediately stopped by macOS Gatekeeper, which is more effective against traditional app delivery and untrusted package installation than against commands a user chooses to run directly in Terminal.

Mach-O Man is built for native macOS execution

The malware kit was reportedly written in Go and compiled as native Mach-O binaries, allowing it to run on both Intel-based Macs and Apple Silicon systems. Researchers described the framework as a four-stage operation, with each component handling a different part of reconnaissance, persistence, credential theft, and data exfiltration.

In the first stage, the initial stager downloaded a fake application bundle and applied ad-hoc code signing to improve its appearance of legitimacy. It then prompted the user for their macOS password. In a detail researchers highlighted as deliberate psychological design, the prompt rejected the first two password attempts and accepted the third, creating the impression of an authentic system dialog rather than a crude phishing window.

After this setup phase, a profiling module surveyed the infected machine. The report said it gathered the hostname, UUID, CPU details, operating system information, running processes, and browser extension data from a broad list of browsers, including Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. That breadth suggests the operators were not looking only for general credentials, but also for extension-linked secrets and potentially wallet-related artifacts common in crypto workflows.

Persistence, profiling, and a stealer focused on credentials

Researchers said the profiling component also contained a coding flaw that could trigger an infinite loop and cause visible CPU spikes. While that bug may reduce operational stealth, it also offers defenders a possible detection clue when unusual resource consumption appears alongside suspicious process activity on macOS endpoints.

To maintain persistence, the malware reportedly dropped a renamed file called Onedrive into a hidden directory nested under a folder labeled “Antivirus Service.” It then created a LaunchAgent entry named com.onedrive.launcher.plist, allowing the payload to run automatically at user login. This kind of masquerading is designed to blend into the background of routine enterprise systems, where cloud-sync and security-related process names may attract less scrutiny.

The final payload, identified as macrasv2, functioned as the stealer component. It was described as collecting browser extension information, SQLite-based credential databases, and macOS Keychain items before packaging the data into a zip archive for outbound transmission. For organizations handling digital assets, the theft of Keychain contents and browser-based credentials can be especially dangerous because those systems often store session data, secrets, and pathways into wallets, custodial dashboards, development tools, and internal admin environments.

Data exfiltration through Telegram and exposed infrastructure

According to the analysis, the malware exfiltrated stolen data through the Telegram Bot API. Researchers also said they found the bot token exposed inside the binary itself, calling it a major operational security error. In practice, such exposure could create opportunities for defenders to monitor, sinkhole, or otherwise disrupt part of the attackers’ communications workflow, depending on circumstances and response timing.

The Quetzal Team also published SHA-256 hashes for key malware components and shared network indicators tied to the campaign, including the IP addresses 172.86.113.102 and 144.172.114.220. Those indicators can help security teams hunt for historical compromise, enrich endpoint detection rules, and review whether internal systems contacted known infrastructure associated with the campaign.

Notably, the researchers said the toolkit may have been observed beyond Lazarus itself, raising the possibility that the malware was shared, reused, or sold among multiple threat actors. If accurate, that would make the threat more significant than a single tightly controlled espionage or theft operation, because it would suggest broader adoption within the criminal or state-linked ecosystem targeting digital asset firms.

Lazarus continues its long-running focus on crypto theft

Lazarus, also tracked by some intelligence vendors as Famous Chollima, has been associated with billions of dollars in cryptocurrency theft over recent years. The group has repeatedly targeted exchanges, infrastructure providers, protocol teams, and employees with privileged access to funds or signing environments. Researchers noted that Mach-O Man follows the same strategic pattern seen in earlier macOS-focused Lazarus tools such as Applejeus and Rustbucket, but with a delivery chain that lowers the technical barrier to compromise by relying on persuasion rather than exploiting a specific macOS flaw.

That approach is particularly relevant in crypto and fintech environments, where distributed teams often rely on Telegram, ad hoc video calls, and cross-company collaboration. An urgent meeting request from a known contact can appear routine, especially during volatile market conditions, incident response situations, fundraising activity, or protocol coordination. Attackers appear to be exploiting exactly that behavioral reality.

What security teams should watch for

Researchers urged firms to review LaunchAgents directories, investigate suspicious Onedrive processes running from unusual file paths, and restrict or monitor outbound access to the Telegram Bot API where it is not business-critical. They also warned users never to paste Terminal commands copied from a website or from unsolicited meeting instructions, even if the page appears to belong to a trusted conferencing service.

For organizations with Apple-heavy endpoint fleets, especially those operating in crypto, Web3, and fintech, the broader lesson is procedural as much as technical. Any unexpected or urgent meeting link should be independently verified through a separate communication channel before action is taken. Because the attack chain begins with user trust rather than a software exploit, basic verification discipline may be the most effective first line of defense.

As the report makes clear, Mach-O Man is not just another generic infostealer. It is a targeted intrusion toolkit designed around how crypto professionals actually work, where browser sessions, Keychain secrets, wallet-adjacent tools, and collaboration platforms intersect. That makes the campaign a timely warning for firms that continue to treat macOS as a lower-risk environment by default.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
400

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.