Lazarus-linked macOS malware hits crypto and fintech firms

Security researchers have linked a new macOS malware campaign to the Lazarus Group, the North Korea-linked hacking operation behind some of the crypto industry’s biggest thefts.

Flagged on Tuesday, the new “Mach-O Man” malware kit is distributed via “ClickFix” social engineering schemes across traditional businesses and crypto companies, according to Mauro Eldritch, offensive security expert and founder of threat intelligence company BCA Ltd.

Victims are lured into a fake Zoom or Google Meet call where they are prompted to execute commands that download the malware in the background, allowing attackers to bypass traditional controls without detection to gain access to credentials and corporate systems, the security researcher said in a Tuesday report.

Researchers said the campaign can lead to account takeovers, unauthorized infrastructure access, financial losses and the exposure of critical data, underscoring how Lazarus continues to expand its targeting beyond crypto-native companies.

The Lazarus Group is the main suspect in some of the largest-ever cryptocurrency hacks, including the $1.4 billion hack of Bybit exchange in 2025, the industry’s largest so far.

Fake Mach-O Man Kit apps. Source: ANY.RUN

“Mach-o Man” kit seeks to implement hidden stealer malware

The final stage of the campaign is a stealer designed to extract browser extension data, stored browser credentials, cookies, macOS Keychain entries and other sensitive information from infected devices.

Final staging director for Stealer malware. Source: Any.run

After collection, the data is archived into a zip file and exfiltrated through Telegram to the attackers. Finally, the malware’s self-deletion script removes the entire kit using the system’s rm command, which bypasses user confirmation and permissions when removing files.