Loading...

Lazarus Mach-O Man macOS Kit Targets Crypto Execs

Lazarus Mach-O Man macOS Kit Targets Crypto Execs

Lazarus Mach-O Man macOS Kit Targets Crypto Execs

Lazarus Group deploys Mach-O Man macOS malware against crypto executives. CertiK warns of ClickFix attacks after $577M drained from DeFi.

An open MacBook on a dark desk with scattered metallic crypto coins and a glowing phone notification.

Don't scroll Twitter for crypto news
One email. Five minutes. Everything that matters today

Lazarus Launches Mach-O Man macOS Kit After $577M in Hacks, Apr 2026

North Korea's Lazarus Group is actively distributing a new macOS malware kit called Mach-O Man that targets crypto and fintech executives through fake video call invitations, CertiK warned on April 22, 2026. The toolkit arrived weeks after Lazarus drained a combined $577 million from Drift Protocol and KelpDAO in two separate DeFi exploits.

Lazarus just added a new macOS weapon to its arsenal. Web Snack tracks the threats crypto can't afford to ignore - subscribe to stay ahead.

Context

Lazarus has spent years refining its approach to stealing crypto. Previous macOS campaigns - AppleJeus, Rustbucket - used fake trading apps to compromise exchange employees. By 2025, the group had stolen roughly $2 billion in crypto assets for the year alone, according to Chainalysis, bringing its cumulative total to an estimated $6.7 billion since 2017.

April 2026 brought two back-to-back DeFi disasters. On April 1, Lazarus drained $285 million from Solana-based Drift Protocol using a six-month social engineering operation that tricked Security Council members into pre-signing malicious transactions. Then on April 18, the group exploited KelpDAO's cross-chain bridge for $292 million by poisoning the RPC nodes that LayerZero's verifier relied on.

Against that backdrop, Bitso's Quetzal Team and threat intelligence platform ANY.RUN publicly disclosed Mach-O Man on April 21 - a new macOS-native toolkit already in active distribution.

Details

Mach-O Man is written in Go and compiled as native Mach-O binaries that run on both Intel and Apple Silicon machines. The attack begins with a compromised Telegram account sending a target an urgent meeting invite for Zoom, Teams, or Google Meet. The link leads to a convincing fake site that displays a connection error and asks the user to paste a "fix" command into their Mac's Terminal.

From there, the malware deploys in four stages. A stager downloads a fake app mimicking the meeting platform. A profiler binary collects the machine's hostname, UUID, running processes, and browser extensions across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. A persistence module disguises itself as OneDrive under a folder labeled "Antivirus Service." The final stage - a stealer called macrasv2 - harvests browser credentials, SQLite databases, and macOS Keychain items, compresses them into a zip, and exfiltrates the package through the Telegram Bot API.

"What makes Lazarus especially dangerous right now is their activity level. KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn't random hacking; it's a state-directed financial operation running at a scale and speed typical of institutions." - Natalie Newson, Senior Blockchain Security Researcher at CertiK

Impact

A single compromised Mac can hand attackers access to hot wallets, signing keys, cloud dashboards, and production environments. Because the victim runs the command themselves, the malware bypasses most endpoint detection tools. After exfiltration, Mach-O Man erases itself - meaning targets often have no idea they've been hit.

The broader DeFi market is already reeling. Wu Blockchain reported that total DeFi losses topped $600 million over the past three weeks, while total value locked across the sector dropped 25% to $82.4 billion. The KelpDAO breach alone triggered over $10 billion in withdrawals from lending protocol Aave, which froze rsETH deposits and borrowing.

Researchers did find two operational security failures in the toolkit. The profiler contains a coding bug that creates an infinite loop, causing noticeable CPU spikes on infected machines. And the Telegram bot token used for exfiltration was exposed in the binary, allowing defenders to identify and spam the attacker's command-and-control infrastructure.

Next Steps

Security teams at crypto and fintech firms should audit LaunchAgents directories for files masquerading as OneDrive, monitor for suspicious Go-based Mach-O binaries, and block outbound Telegram Bot API traffic where not operationally required. Restricting Terminal access for non-technical employees is another immediate step.

The Arbitrum Security Council has already frozen $71 million in ETH tied to the KelpDAO exploit, recovering roughly 29% of the stolen ether. The remaining funds are being laundered through Thorchain, Chainflip, and Umbra Cash in small batches, making full recovery unlikely without further cross-chain coordination.

LayerZero announced it will no longer sign messages for any project using a single-verifier configuration, forcing a protocol-wide migration. Drift Protocol remains frozen with all functions suspended. Both incidents remain under active investigation, with formal Lazarus attribution still pending from U.S. authorities.

$577 million in three weeks, and now a self-erasing macOS toolkit. Subscribe to Web Snack so the next Lazarus move doesn't catch you off guard.

P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.

Like this story? There's more tomorrow

Join Web Snack – no fluff, just value