Security researchers have revealed a new macOS-focused malware campaign linked to North Korea’s Lazarus Group, a threat actor long associated with major cryptocurrency thefts. The toolkit, dubbed Mach-O Man, is being used against high-value targets in the crypto, Web3, and fintech sectors, with a particular focus on executives, developers, and employees who may have access to sensitive credentials or digital asset infrastructure.
The campaign was analyzed by Bitso’s Quetzal team in collaboration with sandbox platform ANY.RUN. According to their findings, the malware is not centered on exploiting a software vulnerability. Instead, it relies on carefully crafted social engineering, using fake meeting invitations and terminal-based deception to persuade victims to infect their own devices.
Fake Meeting Invites Serve as the Initial Trap
The attack begins when threat actors impersonate or compromise Telegram accounts belonging to colleagues or contacts in crypto and Web3 circles. Victims receive an urgent invitation to join a meeting on platforms such as Zoom, Microsoft Teams, or Google Meet. The message links to convincing phishing domains designed to resemble legitimate services, including examples such as update-teams.live and livemicrosft.com.
Once the victim lands on the fake page, they are shown a fabricated connection problem and instructed to copy and paste a command into Terminal to resolve the issue. Researchers identified this as a macOS adaptation of the ClickFix technique. Because the user manually runs the command, native protections such as Gatekeeper may not stop the execution path in time.
This command fetches an initial stager called teamsSDK.bin via curl. The stager then downloads a fake application bundle, applies an ad hoc code signature to make it appear more legitimate, and prompts the target to enter their macOS password. Researchers noted that the password prompt is designed to fail twice before accepting input on the third try, a deliberate behavioral trick intended to lower suspicion and create false trust.
A Four-Stage Malware Chain Built for Data Theft
Mach-O Man is written in Go and compiled as Mach-O binaries, allowing it to run natively on both Intel-based Macs and Apple Silicon systems. Investigators described the toolkit as a four-stage malware chain designed to harvest credentials, access macOS keychain entries, gather browser information, establish persistence, and ultimately exfiltrate sensitive data.
After initial execution, a profiling component collects detailed system intelligence, including hostname, UUID, CPU information, operating system details, active processes, and browser extension inventories. The malware specifically checks popular browsers such as Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. This allows the attackers to assess the value of the target environment and identify installed wallet extensions or other relevant software.
Researchers also found that the profiler contains a coding flaw that can trigger an infinite loop, causing unusual CPU spikes. That bug may inadvertently help defenders identify infected systems by making active compromise more visible through abnormal resource consumption.
Persistence Through a Fake OneDrive Component
In its persistence stage, the malware plants a renamed file called Onedrive inside a hidden path under a folder labeled “Antivirus Service.” It also registers a LaunchAgent named com.onedrive.launcher.plist, enabling the malware to run automatically each time the user logs in.
This naming strategy is designed to blend malicious activity into a macOS environment by imitating a well-known software brand. For enterprise defenders, the implication is clear: not every process labeled “OneDrive” should be assumed legitimate, especially if it launches from an unusual or concealed file path.
Credential Theft, Keychain Access, and Telegram Exfiltration
The final stage is handled by a stealer component known as macrasv2. This module collects browser extension data, SQLite credential databases, and items stored in the macOS Keychain. It then compresses the stolen material into a zip archive and sends it out through the Telegram Bot API.
One of the more notable findings in the report is that the Telegram bot token was exposed directly inside the binary. The researchers described this as a serious operational security error. In practical terms, an exposed token could give defenders a chance to monitor, disrupt, or otherwise interfere with the exfiltration channel, depending on the surrounding circumstances.
The theft focus is especially concerning for the crypto sector because browser-stored credentials, extension data, and keychain entries can provide pathways to exchange accounts, custodial dashboards, internal administration portals, and cryptocurrency wallets. Even when direct wallet keys are not immediately stolen, the collected information may enable follow-on compromise, privilege escalation, or lateral movement inside a targeted organization.
Indicators Published as Researchers Warn of Broader Use
The Quetzal team published SHA-256 hashes for the malware’s major components and shared network indicators tied to the campaign, including the IP addresses 172.86.113.102 and 144.172.114.220. Security researchers added that the toolkit has also been observed in the hands of actors beyond Lazarus, suggesting it may have been shared, reused, or sold within the broader cybercriminal ecosystem.
That possibility raises the stakes for defenders. If a previously Lazarus-associated toolset is no longer exclusive to one group, attribution becomes harder and the number of potential operators increases. For crypto firms already under sustained pressure from social engineering and wallet-targeted attacks, this means the operational risk may extend beyond one known adversary.
Lazarus Continues a Pattern of macOS Targeting
Lazarus, also referred to by some threat intelligence firms as Famous Chollima, has been linked to cryptocurrency thefts worth billions of dollars over the years. The group has a documented history of deploying macOS malware families, including Applejeus and Rustbucket. Mach-O Man appears to continue that strategy while lowering the technical barrier for compromising Apple systems through modular design and user-driven execution.
The campaign also reinforces a broader trend in crypto-focused intrusions: attackers increasingly favor realistic business workflows over exploit-heavy tradecraft. A fake meeting invite, a spoofed collaboration tool, and a persuasive troubleshooting prompt can be enough to bypass cautious behavior if the target is under time pressure and believes the message comes from a trusted industry contact.
Defensive Measures for Crypto and Fintech Teams
Researchers urged security teams at cryptocurrency and fintech firms to audit LaunchAgents directories, monitor for suspicious OneDrive-labeled processes running from unexpected paths, and block outbound Telegram Bot API traffic where it is not operationally required. Because the malware depends heavily on user interaction, staff awareness and verification workflows remain critical.
Organizations with large macOS fleets should treat any unsolicited or urgent meeting invitation as a potential intrusion attempt until it is confirmed through an independent communication channel. Employees should be trained never to paste Terminal commands from websites or unknown meeting pages, regardless of how convincing the troubleshooting instructions appear.
For the crypto industry, where access credentials can lead directly to digital asset losses, this campaign is another reminder that endpoint security and social engineering defense are inseparable. In the case of Mach-O Man, the attackers do not need to break into the front door if they can persuade the target to open it themselves.

