Security researchers have linked a new macOS malware campaign to the North Korean Lazarus Group. The “Mach-O Man” kit uses fake video calls to steal credentials and data from crypto and traditional businesses. The group is suspected in major hacks, including the $1.4 billion theft from Bybit in 2025.
Security researchers have linked a new macOS malware campaign to the Lazarus Group, the North Korea-linked hacking operation. According to a report by Mauro Eldritch, this “Mach-O Man” kit is distributed via “ClickFix” social engineering schemes.
Victims are lured into fake Zoom or Google Meet calls, where they are prompted to execute commands that download the malware in the background, bypassing traditional security controls.
The campaign can lead to account takeovers, unauthorized infrastructure access, and financial losses. It underscores how Lazarus continues to expand its targeting beyond crypto-native companies.
The final stage is a stealer designed to extract browser data, stored credentials, and macOS Keychain entries. After collection, the data is archived and exfiltrated through Telegram to the attackers.
The Lazarus Group is the main suspect in some of the largest-ever cryptocurrency hacks. This includes the industry’s largest hack so far, the $1.4 billion theft from the Bybit exchange in 2025.
Earlier in April, North Korean hackers used AI-enabled social engineering to steal about $100,000 from crypto wallet Zerion, after first gaining access to team members’ logged-in sessions and the company’s private keys.
