Lazarus Group has found a new way of infiltrating victims’ systems under the cover of routine work calls, according to cybersecurity expert Mauro Eldritch.
🇰🇵 #Lazarus is back with a new macOS malware kit.
👷 Made up of multiple Mach-O binaries, we named it “Mach-O Man”. It is being distributed via #ClickFix in the crypto ecosystem to steal secrets.
▶️ Read my full article for ANY RUN below. #DPRK #Malware https://t.co/9yDesUCeMD
— Mauro Eldritch 🏴☠️ (@MauroEldritch) April 21, 2026
North Korean hackers have launched a campaign using the modular macOS arsenal Mach-O Man, created by another North Korean hacker group, Famous Chollima.
These tools consist of native Mach-O binary files, adapted for the Apple ecosystem, where many crypto and fintech companies operate.
Mach-O Man employs the ClickFix delivery method—a social engineering technique where the victim is asked to enter a command in the terminal to “fix a connection issue.”
Eldritch explained that hackers send users an “urgent” meeting invitation on Zoom, Microsoft Teams, or Google Meet via Telegram.
The link leads to a phishing site instructing the user to copy a short command and paste it into the Mac terminal. Running it gives the attackers direct access to corporate systems, SaaS platforms, and financial resources.
Often, the breach is discovered too late to prevent damage.
Researcher Vladimir S. noted that there are several variations of the attack described by Eldritch.
I also once saw a slightly different variation of the attack where the attackers hijacked the DeFi project’s domain and replaced the website with a fake message from Cloudflare asking users to enter a command to grant access. A lot of people fell for it.
I also saw an attack in…
— Vladimir S. | Officer’s Notes (@officer_secret) April 21, 2026
There have been instances where Lazarus hackers hijacked DeFi project domains using the new arsenal, replacing their sites with a fake Cloudflare message requesting a command to grant access.
“What makes Lazarus particularly dangerous right now is the level of their activity. Kelp, Drift and now the new macOS arsenal—all within one month. These are not random hacks but a state financial operation working at a scale and pace typical of institutions,” noted CertiK senior blockchain security researcher Natalie Newson.
In April, an Ethereum Foundation fellow identified 100 North Korean IT agents in Web3 companies.
Previously, a network of North Korean specialists in the crypto industry was also discovered by an on-chain detective.
