Lazarus Group is targeting macOS users with a new malware kit called “Mach-O Man”, using ClickFix-style social engineering to push victims into running commands that can lead to credential theft, Keychain exposure and access to corporate systems in fintech and crypto environments. The report describes a user-driven infection chain in which attackers rely less on software exploits and more on convincing victims to execute Terminal commands themselves.
Fake Meetings Used as Initial Lure
The operation typically begins on Telegram, where attackers impersonate colleagues or business contacts and send urgent meeting invitations to executives, developers and decision-makers in fintech and crypto firms.
Victims are then redirected to phishing pages that imitate services such as Zoom, Microsoft Teams or Google Meet. These pages claim there is a connection issue that must be fixed manually. Instead of exploiting a software flaw, the site instructs the user to copy and paste a Terminal command, a technique identified in the report as ClickFix.
Because the victim runs the command directly, many endpoint protections may fail to flag the activity. The command then downloads and launches the first Mach-O payload, allowing the attackers to begin the next stage of the intrusion.
Malware Kit Collects System and Browser Data
Once executed, the initial binary, often observed as teamsSDK.bin, acts as a stager that fetches fake macOS applications mimicking conferencing tools or generic system dialogs. These fake apps repeatedly prompt users for their password in broken English, pretending that earlier attempts were incorrect before silently moving to the next stage.
A second module, with variants such as DlYrHRTg.bin, profiles the system using sysctl and local tools. It collects host identifiers, operating system details, network configuration, process data and browser extension information from major browsers, including Chrome, Safari and Brave.
Researchers noted that parts of the kit appear poorly written, with some profilers entering infinite loops that continuously send the same data to command-and-control servers. The report says this behaviour can spike resource usage on infected Macs.
Stealer Targets Keychain, Cookies and Crypto Access
The final stealer stage, known as macrasv2, aggregates high-value data from the system before exfiltration. It targets browser-stored credentials and cookies, macOS Keychain entries and other files that could grant access to SaaS platforms, internal infrastructure and crypto wallets. The data is then compressed into an archive such as user_ext.zip.
The risk is significant for CISOs because one compromised macOS device can translate into broader access to internal systems or crypto assets, particularly in organisations where Macs are used by developers and leadership.
Subsequent components, including minst2.bin, establish persistence by dropping a disguised binary under an “Antivirus Service” folder and registering it as a LaunchAgent to run at every login. The malware also uses the macOS codesign utility to apply ad-hoc signatures, helping the apps appear legitimate enough to run under standard execution policies.
Defenders are advised to focus on blocking ClickFix-style lures, monitoring suspicious Terminal usage, auditing LaunchAgents for fake “Antivirus” or OneDrive entries and flagging unusual outbound traffic to Telegram APIs from macOS hosts.
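As an added example (not code from the report or the researchers), the following Python audit walks the LaunchAgent folders and flags the persistence traits described above: Antivirus or OneDrive names in the label or program path, RunAtLoad, and an ad-hoc signature reported by codesign. The substring list and the two sample plists are constructed for illustration.

```python
import plistlib
import shutil
import subprocess
from pathlib import Path

# Name fragments taken from the report: a disguised binary under an "Antivirus
# Service" folder and fake OneDrive entries. Substring matching on them is an
# assumption of this example, not a vetted indicator list.
SUSPICIOUS_TOKENS = ("antivirus", "onedrive")

def program_of(plist):
    """Executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    return str(plist.get("Program") or (plist.get("ProgramArguments") or [""])[0])

def is_adhoc_signed(path):
    """On macOS, ask codesign whether the binary is ad-hoc signed; None when
    codesign is unavailable (e.g. auditing collected plists on another host)."""
    if shutil.which("codesign") is None or not Path(path).is_file():
        return None
    out = subprocess.run(["codesign", "-dv", path], capture_output=True, text=True)
    return "Signature=adhoc" in out.stderr  # codesign prints details on stderr

def audit_launch_agent(plist_bytes):
    """Return why one LaunchAgent plist resembles the persistence described above."""
    plist = plistlib.loads(plist_bytes)
    prog = program_of(plist)
    haystack = f"{plist.get('Label', '')} {prog}".lower()
    reasons = [f"name contains '{t}'" for t in SUSPICIOUS_TOKENS if t in haystack]
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set: starts at every login")
    if reasons and is_adhoc_signed(prog):
        reasons.append("program is ad-hoc signed")
    return reasons

def audit_launch_agent_dirs(dirs=None):
    """Scan the per-user and system LaunchAgent folders; map plist path -> reasons."""
    dirs = dirs or (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"))
    findings = {}
    for plist_path in (p for d in dirs for p in Path(d).glob("*.plist")):
        reasons = audit_launch_agent(plist_path.read_bytes())
        if reasons:
            findings[str(plist_path)] = reasons
    return findings

# Constructed sample plists (not from the report) so the audit can be exercised offline.
SUSPICIOUS_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.antivirus.service</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Antivirus Service/avd</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>Program</key><string>/usr/local/bin/updater</string><key>RunAtLoad</key><true/></dict></plist>"""
```

Run audit_launch_agent_dirs() on a Mac to list matches; the signature check only contributes when codesign is present and the referenced binary still exists on disk.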