Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign

bitcoin.com
4 hours ago
  • North Korea’s Lazarus Group deployed Mach-O Man malware targeting macOS users in crypto and fintech roles in April 2026.
  • Bitso’s Quetzal Team confirmed the Go-compiled kit enables credential theft, Keychain access, and data exfiltration via four stages.
  • Security researchers urged firms on April 22, 2026, to block Terminal-based ClickFix lures and audit LaunchAgents for Onedrive masquerading files.

Security researchers at Bitso’s Quetzal Team, working alongside the ANY.RUN sandbox platform, publicly disclosed the kit on April 21, 2026, after analyzing a campaign they named “North Korea’s Safari.” The team connected the kit to Lazarus’s recent large-scale crypto thefts, including attacks on KelpDAO and Drift, citing the group’s consistent targeting of high-value macOS users in Web3 and fintech roles.

Mach-O Man is written in Go and compiled as Mach-O binaries, making it native to both Intel and Apple Silicon machines. The kit runs in four distinct stages and is designed to harvest browser credentials, macOS Keychain entries, and crypto account access before deleting traces of itself.

The infection begins with social engineering, not a software exploit. Attackers compromise or impersonate Telegram accounts belonging to colleagues in Web3 and crypto circles. The target receives an urgent meeting invite for Zoom, Microsoft Teams, or Google Meet that links to a convincing fake site, such as update-teams.live or livemicrosft.com.

The fake site displays a simulated connection error and instructs the user to copy and paste a Terminal command to resolve it. This technique, known as ClickFix and adapted here for macOS, leads the user to execute the initial stager file, teamsSDK.bin, fetched via curl. Because the user fetches and runs the command manually in Terminal rather than opening a browser download, macOS Gatekeeper does not block it.

The stager downloads a fake app bundle, applies ad-hoc code signing to make it appear legitimate, and prompts the user for their macOS password. The window shakes on the first two attempts and accepts the credential on the third, a deliberate design choice to build false trust.

From there, according to the researchers' report and other accounts, a profiler binary enumerates the machine's hostname, UUID, CPU, operating system details, running processes, and browser extensions across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. Researchers noted the profiler contains a coding bug that creates an infinite loop, causing noticeable CPU spikes that can expose an active infection.

A persistence module then drops a renamed file called Onedrive into a hidden path under a folder labeled "Antivirus Service" and registers a LaunchAgent called com.onedrive.launcher.plist so it runs automatically at login.

The final stage, a stealer binary labeled macrasv2, collects browser extension data, SQLite credential databases, and Keychain items, compresses them into a zip file, and exfiltrates the package through the Telegram Bot API. Researchers found the Telegram bot token exposed in the binary, which they described as a major operational security failure that could allow defenders to monitor or disrupt the channel.

The Quetzal Team published SHA-256 hashes for all major components, along with network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. Security researchers noted the kit has been observed in use by groups beyond Lazarus, suggesting the tooling has been shared or sold within the threat actor ecosystem.

Lazarus, also tracked as Famous Chollima by threat intelligence firms, has been attributed to billions of dollars in cryptocurrency theft over the past several years. The group's prior macOS tools included AppleJeus and RustBucket. Mach-O Man follows the same target profile while lowering the technical barrier for macOS compromises.

Security teams at crypto and fintech firms are advised to audit LaunchAgents directories, monitor for Onedrive processes running from unusual file paths, and block outbound Telegram Bot API traffic where it is not operationally required. Users should never paste Terminal commands copied from web pages or unsolicited meeting links.
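The two host-side checks above (auditing LaunchAgents and spotting Onedrive processes outside their normal location), as an added example that is not code from the article, from Bitso's report or from the kit itself. It assumes LaunchAgent plists are plain XML and that `ps -axo comm=` yields full executable paths; the sample plists and process paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the article, Bitso's report or the kit itself.
# Audits a LaunchAgents directory and a process listing for the persistence
# indicators the article names: a LaunchAgent labelled com.onedrive.launcher,
# a renamed "Onedrive" binary under a hidden "Antivirus Service" folder, and
# Onedrive processes running outside /Applications. Sample paths are constructed.

# Print one "SUSPICIOUS: <file>" line per matching plist in DIR.
audit_launchagents() {
    dir="$1"
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Match the known label, the masquerade folder, or any <string>
        # that names an Onedrive binary outside /Applications.
        if [ "$(basename "$plist")" = "com.onedrive.launcher.plist" ] \
           || grep -q "Antivirus Service" "$plist" \
           || grep -o '<string>[^<]*</string>' "$plist" | sed 's/<[^>]*>//g' \
              | grep -i 'onedrive' | grep -qv '^/Applications/'; then
            echo "SUSPICIOUS: $plist"
        fi
    done
}

# Read executable paths on stdin (e.g. from `ps -axo comm=`) and print those
# named Onedrive that do not live under /Applications.
flag_onedrive_processes() {
    grep -i '/onedrive$' | grep -v '^/Applications/' || true
}

# Constructed sample directory: one benign agent, one mimicking the kit.
make_sample_dir() {
    tmp=$(mktemp -d)
    printf '%s\n' '<plist><dict><key>Label</key><string>com.example.backup</string>' \
        '<key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backup</string></array>' \
        '</dict></plist>' > "$tmp/com.example.backup.plist"
    printf '%s\n' '<plist><dict><key>Label</key><string>com.onedrive.launcher</string>' \
        '<key>ProgramArguments</key><array><string>/Users/victim/.Antivirus Service/Onedrive</string></array>' \
        '<key>RunAtLoad</key><true/></dict></plist>' > "$tmp/com.onedrive.launcher.plist"
    echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    audit_launchagents "$d"
    printf '%s\n' '/Applications/OneDrive.app/Contents/MacOS/OneDrive' \
        '/Users/victim/.Antivirus Service/Onedrive' | flag_onedrive_processes
    rm -rf "$d"
fi
```

On a real host, point `audit_launchagents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and pipe `ps -axo comm=` into `flag_onedrive_processes`.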

Organizations running macOS fleets in Apple-heavy crypto environments should treat any urgent, unsolicited meeting link as a potential entry point until verified through a separate communication channel.
