North Korea's state-backed Lazarus Group has launched a new macOS malware campaign, dubbed "Mach-O Man," specifically targeting executives in the cryptocurrency and fintech sectors. According to blockchain security firm CertiK, the operation uses sophisticated social engineering techniques to compromise victims and has been linked to recent DeFi exploits totaling over $500 million.
The campaign employs the "ClickFix" technique, where victims receive fake online meeting invitations. These lures trick targets into pasting malicious terminal commands into their macOS Terminal under the guise of repair or verification procedures. The "Mach-O Man" toolkit is designed to profile the host system, establish persistence, and exfiltrate sensitive credentials and browser data. Notably, the malware auto-deletes after execution to hinder forensic analysis.
Threat intelligence firm SOC Prime attributes the framework to Lazarus's Famous Chollima unit, noting distribution through compromised Telegram accounts and fake meeting invites aimed at high-value organizations in crypto and finance. This aligns with previous campaigns described by Google Cloud's Mandiant, which combined ClickFix lures with AI-assisted video deepfakes and fake Zoom calls to push targets into executing obfuscated commands.
CertiK researcher Natalie Newson directly linked this latest malware wave to a broader Lazarus offensive that has siphoned more than $500 million from DeFi platforms Drift and KelpDAO in a span of just over two weeks. In these incidents, Lazarus allegedly used social engineering against a trading firm alongside a sophisticated cross-chain exploit. This allowed attackers to mint approximately 116,500 rsETH (a liquid staking token) and drain about $292 million in value.
LayerZero, the bridge infrastructure provider used by KelpDAO, identified North Korea's Lazarus Group as the "likely actor" behind the rsETH exploit. The firm cited a single-point-of-failure verifier design as the vulnerability that enabled the forged cross-chain message.
The threat from Lazarus is persistent and significant. SecurityWeek reported that the group stole roughly $2 billion in virtual assets in 2023 and 2024 through prior campaigns, many utilizing the ClickFix method. This activity contributes to a dire security landscape for DeFi, with research outlets calling recent months the worst on record for hacks. The market is now effectively pricing in the expectation of another $100 million-plus exploit this year, highlighting how state-linked attackers like Lazarus have become a systemic risk to the cryptocurrency ecosystem.