Lazarus Deploys ‘Mach-O Man’ Malware in Latest Crypto and Fintech macOS Attack
How did the North Korean Lazarus group trick crypto and fintech employees into installing malware on their Macs?
What kind of sensitive information did the Lazarus malware automatically steal from Mac computers?
Why couldn't the victims notice they were hacked, and how did Lazarus cover their tracks so effectively?

- Security experts on April 22, 2026, linked the new “Mach-O Man” macOS malware to North Korea’s Lazarus Group, specifically targeting employees at crypto and fintech companies.
- Attackers used advanced AI-driven social engineering, including fake Zoom and Google Meet invites, to deliver malware that steals credentials and bypasses Apple’s defenses.
On April 22, 2026, Cointelegraph reported that cybersecurity experts had identified “Mach-O Man,” a novel macOS malware kit attributed to North Korea’s Lazarus Group. The campaign directly targeted employees of fintech and cryptocurrency firms through convincingly engineered lures such as counterfeit Zoom and Google Meet invitations. Attackers also used tailored “ClickFix” prompts, pushing victims to manually download and install the malicious payload.
Once executed, the malware functioned as an advanced stealer. It extracted browser credentials, cookies, and Keychain data from compromised macOS devices. After collecting the information, the malware archived the stolen data and transmitted it to attackers via Telegram. To evade detection and hinder analysis, it then self-deleted using a script capable of bypassing standard user confirmation requirements.
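The behaviour chain described above (sensitive-file reads, archiving, an outbound connection to Telegram, then deletion of the executable) is something a defender can correlate per process rather than matching on any single step. The script below is an added example written for this article, not code from the report or from any vendor product; the event schema, the file paths and the choice of `api.telegram.org` (Telegram's Bot API host) as the exfiltration indicator are assumptions, and the events are constructed rather than captured telemetry.

```python
"""Behavioural correlation of the stealer chain described in the article.

Added example, not code from the article or from any vendor. The event
format, field names and the Telegram endpoint are assumptions; the events
below are constructed, not real telemetry.
"""
from collections import defaultdict

# Constructed endpoint events, roughly the shape an EDR emits on macOS.
SAMPLE_EVENTS = [
    {"pid": 501, "exe": "/Users/alice/Downloads/ZoomFix", "type": "file_read",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"pid": 501, "exe": "/Users/alice/Downloads/ZoomFix", "type": "file_read",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"pid": 501, "exe": "/Users/alice/Downloads/ZoomFix", "type": "file_create",
     "path": "/tmp/out.zip"},
    {"pid": 501, "exe": "/Users/alice/Downloads/ZoomFix", "type": "net_connect",
     "host": "api.telegram.org", "port": 443},
    {"pid": 501, "exe": "/Users/alice/Downloads/ZoomFix", "type": "file_delete",
     "path": "/Users/alice/Downloads/ZoomFix"},
    # Benign noise: a backup tool reads the keychain and writes an archive,
    # but never exfiltrates or removes itself, so it must not be flagged.
    {"pid": 777, "exe": "/Applications/Backup.app/Contents/MacOS/Backup",
     "type": "file_read",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"pid": 777, "exe": "/Applications/Backup.app/Contents/MacOS/Backup",
     "type": "file_create", "path": "/Volumes/Backup/2026-04-22.tar.gz"},
]

# Path fragments that identify credential stores on macOS (Keychain, browser
# cookie and login databases). Assumed markers, extend for other browsers.
SENSITIVE_MARKERS = ("/Library/Keychains/", "/Cookies", "/Login Data")
ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz")
EXFIL_HOSTS = {"api.telegram.org"}  # assumption: Telegram Bot API host


def classify(event):
    """Map one event to a stage of the stealer chain, or None if irrelevant."""
    kind = event["type"]
    if kind == "file_read" and any(m in event["path"] for m in SENSITIVE_MARKERS):
        return "credential_access"
    if kind == "file_create" and event["path"].endswith(ARCHIVE_SUFFIXES):
        return "archive"
    if kind == "net_connect" and event["host"] in EXFIL_HOSTS:
        return "exfil"
    # Self-deletion: the process unlinks its own executable.
    if kind == "file_delete" and event["path"] == event["exe"]:
        return "self_delete"
    return None


def correlate(events, min_stages=3):
    """Group stages by (pid, exe); report processes showing min_stages or more.

    Returns {(pid, exe): sorted list of stage names} for every hit.
    """
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[(ev["pid"], ev["exe"])].add(stage)
    return {key: sorted(found) for key, found in stages.items()
            if len(found) >= min_stages}


if __name__ == "__main__":
    for (pid, exe), found in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({exe}): {', '.join(found)}")
```

Requiring three of the four stages on one process is what keeps the backup tool out of the results while still catching the full chain; lowering `min_stages` to 2 trades that precision for earlier alerting, which may be worth it on hosts where Keychain reads by unsigned binaries from `~/Downloads` are already rare.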
Researchers underscored that this Lazarus campaign marks a strategic shift, broadening beyond the group’s usual crypto-focused operations and leveraging AI for increasingly sophisticated social engineering. The campaign’s methods mirrored tactics seen in the group’s previous high-profile attacks, including the $1.4 billion Bybit exchange hack in 2025 and the Zerion wallet breach reported earlier in April 2026.
This incident highlights a growing trend in cyber threats, with Lazarus employing both AI and targeted social engineering to craft convincing communications that are difficult for victims to identify as malicious. The group continues to exploit blockchain-related attack surfaces and deploys its malware as native Mach-O binaries, which the researchers say allows it to circumvent Apple’s security measures. Researchers noted that Lazarus’s focus now extends to a wider range of organizations, including broader fintech and technology infrastructure targets.