TL;DR
- Researchers linked a macOS malware campaign to Lazarus Group after identifying the “Mach-O Man” kit targeting crypto users through fake meeting invites.
- Victims are tricked into running commands during sham Zoom or Google Meet calls, enabling credential theft, system access, and data exfiltration through Telegram.
- The campaign follows other North Korea-linked crypto attacks, including the $1.4 billion Bybit hack and a $100,000 Zerion theft earlier this month.
North Korea’s Lazarus Group is being tied to a cyber campaign against the crypto industry, but this time the doorway is not a smart contract or exchange back end. It is a Mac on an executive’s desk. What makes this campaign unsettling is how ordinary the setup appears at first glance: a fake business meeting, a familiar video-call prompt, and then a compromise of credentials and company access. Security researchers linked the new macOS malware operation to Lazarus after identifying a kit known as “Mach-O Man,” a toolset designed to move from social engineering into covert system access.
The attack flow is alarmingly simple. Victims are lured into sham Zoom or Google Meet sessions and then persuaded to execute commands themselves, allowing the malware to arrive without the friction of a malicious download. Once launched, the kit works in the background, opening a path to account takeovers, unauthorized infrastructure access, financial losses, and exposure of sensitive company data. The campaign was flagged Tuesday and has been described as targeting traditional businesses and crypto-linked firms, underlining how Lazarus is widening its scope beyond crypto-native organizations.
A quieter malware chain is doing the heavy lifting
The final stage reveals why the campaign matters so much. The malware is built as a hidden stealer, pulling browser extension data, saved browser credentials, cookies, macOS Keychain entries, and other sensitive information from infected devices. After collecting the data, the kit compresses it into a zip archive and exfiltrates it through Telegram to the attackers. It then runs a self-deletion script using the rm command, wiping the kit from the device in a way that avoids user confirmation and helps erase signs of compromise.
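As an added defensive illustration (not code from the article or from any vendor), the Python below correlates constructed endpoint telemetry for the tail of that chain: a credential-store read, a zip archive written for staging, a connection to Telegram, and an rm that removes the script itself. The host names, paths, the 600-second window and the telegram.org match are assumptions.

```python
"""Correlate endpoint telemetry for the stealer chain described above. Constructed illustration,
not the article's or any vendor's code; events are (timestamp_sec, host, process, action, target)."""
from collections import defaultdict

WINDOW_SEC = 600                                                  # assumed correlation window
STAGES = {"cred_read", "archive", "exfil", "self_delete"}
CRED_PATHS = ("/Library/Keychains/", "/Cookies", "/Login Data")  # assumed path fragments
EXFIL_HOSTS = ("telegram.org",)                                   # assumed exfil pattern

def classify(event, host_procs):
    """Map one event to a stage name, or None. host_procs: process paths seen on the host."""
    _, _, _, action, target = event
    if action == "file_read" and any(p in target for p in CRED_PATHS):
        return "cred_read"
    if action == "file_write" and target.endswith(".zip"):
        return "archive"
    if action == "net_connect" and any(h in target for h in EXFIL_HOSTS):
        return "exfil"
    argv = target.split() if action == "exec" else []
    # rm with an -f style flag (no prompt) aimed at a path that ran here: the script removing itself
    if argv[:1] == ["rm"] and any(a.startswith("-") and "f" in a for a in argv) and argv[-1] in host_procs:
        return "self_delete"
    return None

def detect_stealer_chain(events, window=WINDOW_SEC):
    """Return {host: ordered stages} for hosts showing all four stages within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        procs = {e[2] for e in evs}
        staged = [(e[0], s) for e in evs if (s := classify(e, procs))]
        for i, (t0, _) in enumerate(staged):          # slide the window over staged events
            chain = list(dict.fromkeys(s for t, s in staged[i:] if t - t0 <= window))
            if set(chain) == STAGES:
                hits[host] = chain
                break
    return hits

# Constructed sample: mac-01 runs the full chain; mac-02 zips a project and uses the Telegram app
SAMPLE_EVENTS = [
    (1005, "mac-01", "/tmp/update.sh", "file_read", "/Users/a/Library/Keychains/login.keychain-db"),
    (1020, "mac-01", "/tmp/update.sh", "file_write", "/tmp/.out.zip"),
    (1030, "mac-01", "/tmp/update.sh", "net_connect", "api.telegram.org:443"),
    (1031, "mac-01", "/bin/rm", "exec", "rm -f /tmp/update.sh"),
    (2000, "mac-02", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "file_read", "/Users/b/Library/Application Support/Google/Chrome/Default/Cookies"),
    (2100, "mac-02", "/usr/bin/zip", "file_write", "/Users/b/project.zip"),
    (2200, "mac-02", "/Applications/Telegram.app/Contents/MacOS/Telegram", "net_connect", "api.telegram.org:443"),
]
```

Only mac-01 is flagged: the benign host reads its own cookies, zips a project and talks to Telegram, but never deletes the process that did so.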
That combination of deception, credential theft, and cleanup makes the operation feel less like crude phishing and more like a mature espionage workflow. For the crypto sector, the message is hard to miss: attackers no longer need to breach code first when they can breach the people operating the systems. Lazarus Group has been tied to some of the biggest thefts in crypto, including the $1.4 billion Bybit hack in 2025. Earlier this month, North Korean hackers also used AI-enabled social engineering to steal about $100,000 from crypto wallet firm Zerion after gaining access to sessions, credentials, and private keys.