Oh, darling, North Korea’s Lazarus Group is at it again, serving up a fresh batch of chaos with their new macOS malware kit, Mach-O Man. Because nothing says “we’re serious about crypto theft” like naming your malware after a wrestling move. Fake meeting invites? More like fake apologies for existing. Fintech execs and developers, beware: your credentials and crypto wallets are on the menu.
Key Takeaways (because who has time for subtlety?):
- Lazarus Group unleashed Mach-O Man in April 2026, targeting macOS users in crypto and fintech. Because why hack one industry when you can ruin two?
- Bitso’s Quetzal Team (yes, that’s a real name) confirmed this Go-compiled kit is a four-stage party of credential theft, Keychain access, and data exfiltration. Spoiler: you’re not invited.
- Security researchers are begging firms to block Terminal-based ClickFix lures and audit LaunchAgents for Onedrive imposters. Because apparently, cybersecurity is just adult hide-and-seek.
North Korea’s Malware Makeover: Mach-O Man Targets U.S. Crypto and Web3 Firms
The geniuses at Bitso’s Quetzal Team (still laughing at that name) teamed up with ANY.RUN to expose this hot mess on April 21, 2026. They dubbed it “North Korea’s Safari,” which sounds like a terrible vacation package. This malware is linked to Lazarus’s recent crypto heists, including KelpDAO and Drift. Because why rob one bank when you can rob the entire blockchain?
Mach-O Man is written in Go (very trendy) and compiled as Mach-O binaries, making it compatible with both Intel and Apple Silicon. It’s a four-stage extravaganza designed to steal your browser credentials, macOS Keychain entries, and crypto access before vanishing like a bad Tinder date.
The fun starts with social engineering; no software exploits are needed. Attackers impersonate Telegram accounts of your colleagues (because who doesn’t trust a random meeting invite?). You get an “urgent” Zoom, Microsoft Teams, or Google Meet link that leads to a fake site like update-teams.live. Spoiler: it’s not updating anything but your stress levels.
The fake site throws a “connection error” (classic) and asks you to copy-paste a Terminal command. This ClickFix trick bypasses macOS Gatekeeper because, apparently, users love running random commands. The stager file, teamsSDK.bin, downloads a fake app bundle, signs it like it’s legit, and asks for your macOS password. It even shakes the window on the first two attempts, a delightful touch of psychological manipulation.
Next, a profiler binary snoops on your machine’s hostname, UUID, CPU, OS details, running processes, and browser extensions. Oh, and it has a coding bug that causes infinite loops and CPU spikes. Because even malware can’t resist a little drama.
A persistence module drops a file called Onedrive into a hidden “Antivirus Service” folder (ironic) and registers a LaunchAgent to run at login. The finale? A stealer binary collects your data, zips it up, and sends it via the Telegram Bot API. Bonus: the bot token was left exposed. Oopsie.
The Quetzal Team dropped SHA-256 hashes and network indicators (IP addresses: 172.86.113.102 and 144.172.114.220). Turns out, Mach-O Man isn’t just Lazarus’s toy; other threat actors are borrowing it. Sharing is caring, I guess.
Lazarus (aka Famous Chollima) has stolen billions in cryptocurrency over the years. Their previous hits include Applejeus and Rustbucket. Mach-O Man is just their latest masterpiece, making macOS compromises easier than ordering takeout.
Security teams, listen up: audit LaunchAgents, watch for Onedrive in weird places, and block Telegram Bot API traffic unless it’s absolutely necessary. And for the love of all that’s holy, stop pasting Terminal commands from random websites. Treat unsolicited meeting links like a red flag, because they are.
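Since the write-up boils the persistence stage down to “a file called Onedrive in a hidden Antivirus Service folder, wired up as a LaunchAgent,” here is what that audit looks like as code. This is an added example, not code from the Quetzal Team, ANY.RUN, or the article: it parses LaunchAgent plists with Python’s standard `plistlib`, flags the traits the article describes (an executable named like OneDrive outside the real app bundle, an “Antivirus Service” directory, a hidden path component, RunAtLoad set), and scans the usual LaunchAgent directories when run directly. The sample plists, the `com.example.*` labels and the exact on-disk path of the dropped file are constructed for the demo; the article does not publish them.

```python
"""Audit macOS LaunchAgent plists for the Mach-O Man persistence pattern.

Added example. Indicator strings ("Onedrive", "Antivirus Service", hidden folder,
runs at login) come from the public write-up; file paths and labels below are
constructed assumptions, not published IoCs.
"""
import plistlib
import sys
from pathlib import Path
from typing import Dict, List, Optional

SUSPICIOUS_NAME = "onedrive"            # dropped file is named "Onedrive"
SUSPICIOUS_DIR = "antivirus service"    # dropped into an "Antivirus Service" folder
# Assumption: the legitimate Microsoft OneDrive client lives in /Applications/OneDrive.app.
LEGIT_ONEDRIVE_PREFIX = "/applications/onedrive.app/"


def launch_agent_program(plist: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_launch_agent(plist: dict) -> List[str]:
    """Return the reasons a LaunchAgent matches the described persistence pattern."""
    reasons: List[str] = []
    program = launch_agent_program(plist)
    if program is None:
        return reasons
    lowered = program.lower()
    parts = Path(program).parts

    # An executable called OneDrive anywhere but the real app bundle is the headline IoC.
    if SUSPICIOUS_NAME in Path(program).name.lower() and not lowered.startswith(LEGIT_ONEDRIVE_PREFIX):
        reasons.append(f"OneDrive-named executable outside the app bundle: {program}")
    if SUSPICIOUS_DIR in lowered:
        reasons.append("executable lives in an 'Antivirus Service' directory")
    # Hidden directories (dot-prefixed components) are where the article says the folder hides.
    hidden = [p for p in parts if p.startswith(".") and p not in (".", "..")]
    if hidden:
        reasons.append(f"hidden path component(s): {hidden}")
    # Only worth mentioning when something else already looks off; RunAtLoad alone is normal.
    if reasons and plist.get("RunAtLoad") is True:
        reasons.append("RunAtLoad is set, so it executes at every login")
    return reasons


def assess_plist_bytes(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and assess them; unparseable input yields []."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError):
        return []
    return assess_launch_agent(plist) if isinstance(plist, dict) else []


def scan_directory(directory: Path) -> Dict[str, List[str]]:
    """Assess every *.plist in a LaunchAgents directory; returns {filename: reasons} for hits."""
    hits: Dict[str, List[str]] = {}
    if not directory.is_dir():
        return hits
    for plist_path in sorted(directory.glob("*.plist")):
        reasons = assess_plist_bytes(plist_path.read_bytes())
        if reasons:
            hits[plist_path.name] = reasons
    return hits


# Constructed sample: what the described persistence entry would plausibly look like.
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed-label</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/.Antivirus Service/Onedrive</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: a benign agent pointing at the real OneDrive app bundle.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.onedrive-updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/OneDrive.app/Contents/MacOS/OneDrive</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("constructed malicious sample:", assess_plist_bytes(SAMPLE_MALICIOUS))
    print("constructed benign sample:   ", assess_plist_bytes(SAMPLE_BENIGN))
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for name, reasons in scan_directory(d).items():
            print(f"{d / name}:", *reasons, sep="\n  ", file=sys.stderr)
```

Run it on a Mac and it walks the per-user and system LaunchAgents folders; anything it prints deserves a look at the referenced binary, not an automatic quarantine. The RunAtLoad check is deliberately conditional: almost every legitimate agent sets it, so on its own it tells you nothing.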
macOS fleets in crypto environments, take note: if it’s urgent and unsolicited, it’s probably malicious. Verify everything. Trust no one. Not even your own Wi-Fi.
2026-04-22 18:00