{"id":96412,"date":"2026-04-22T16:58:08","date_gmt":"2026-04-22T13:58:08","guid":{"rendered":"https:\/\/u1f987.com\/en\/?p=96412"},"modified":"2026-04-22T17:00:21","modified_gmt":"2026-04-22T14:00:21","slug":"cybersecurity-experts-warn-of-new-wave-of-north-korean-hacker-attacks","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/cybersecurity-experts-warn-of-new-wave-of-north-korean-hacker-attacks\/","title":{"rendered":"Cybersecurity Experts Warn of New Wave of North Korean Hacker Attacks"},"content":{"rendered":"<p><a href=\"https:\/\/u1f987.com\/en\/news\/lazarus-group-what-we-know-about-the-outfit-suspected-of-the-bybit-hack\">Lazarus Group<\/a> has discovered a new method of infiltrating victims&#8217; systems through ordinary work calls, according to cybersecurity expert Mauro Eldritch.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83c\uddf0\ud83c\uddf5 <a href=\"https:\/\/twitter.com\/hashtag\/Lazarus?src=hash&#038;ref_src=twsrc%5Etfw\">#Lazarus<\/a> is back with a new macOS malware kit.<\/p>\n<p>\ud83d\udc77 Made up of multiple Mach-O binaries, we named it \u201cMach-O Man\u201d. 
It is being distributed via <a href=\"https:\/\/twitter.com\/hashtag\/ClickFix?src=hash&#038;ref_src=twsrc%5Etfw\">#ClickFix<\/a> in the crypto ecosystem to steal secrets.<\/p>\n<p>\u25b6\ufe0f Read my full article for ANY RUN below.<a href=\"https:\/\/twitter.com\/hashtag\/DPRK?src=hash&#038;ref_src=twsrc%5Etfw\">#DPRK<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&#038;ref_src=twsrc%5Etfw\">#Malware<\/a> <a href=\"https:\/\/t.co\/9yDesUCeMD\">https:\/\/t.co\/9yDesUCeMD<\/a> <a href=\"https:\/\/t.co\/XD5w4kn0gh\">pic.twitter.com\/XD5w4kn0gh<\/a><\/p>\n<p>\u2014 Mauro Eldritch \ud83c\udff4\u200d\u2620\ufe0f (@MauroEldritch) <a href=\"https:\/\/twitter.com\/MauroEldritch\/status\/2046575308703162787?ref_src=twsrc%5Etfw\">April 21, 2026<\/a><\/p><\/blockquote>\n<p>North Korean hackers have launched a campaign using the modular macOS arsenal Mach-O Man, created by another North Korean hacker group, <a href=\"https:\/\/u1f987.com\/en\/news\/north-korean-hackers-target-crypto-job-seekers-with-fake-interviews\">Famous Chollima<\/a>.\u00a0<\/p>\n<p>These tools consist of native Mach-O binary files, adapted for the Apple ecosystem, where many crypto and fintech companies operate.<\/p>\n<p>Mach-O Man employs the ClickFix delivery method\u2014a social engineering technique where the victim is asked to enter a command in the terminal to &#8220;fix a connection issue.&#8221;<\/p>\n<p>Eldritch explained that hackers send users an &#8220;urgent&#8221; meeting invitation on Zoom, Microsoft Teams, or Google Meet via Telegram.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-34847aea32f56ecc-2467511913570250.webp\" alt=\"image\" class=\"wp-image-278841\"\/><figcaption class=\"wp-element-caption\">Example of a message from hackers on Telegram. 
Source: <a href=\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\">Any.run<\/a>.\u00a0<\/figcaption><\/figure>\n<p>The link leads to a phishing site instructing the user to copy and paste a simple command into the Mac terminal. By doing so, the victim grants direct access to corporate systems, SaaS platforms, and financial resources.\u00a0<\/p>\n<p>Often, the breach is discovered too late to prevent damage.\u00a0<\/p>\n<p>Researcher Vladimir S. noted that there are several variations of the attack described by Eldritch.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">I also once saw a slightly different variation of the attack where the attackers hijacked the DeFi project\u2019s domain and replaced the website with a fake message from Cloudflare asking users to enter a command to grant access. A lot of people fell for it.<\/p>\n<p>I also saw an attack in\u2026<\/p>\n<p>\u2014 Vladimir S. | Officer&#8217;s Notes (@officer_secret) <a href=\"https:\/\/twitter.com\/officer_secret\/status\/2046737329621020771?ref_src=twsrc%5Etfw\">April 21, 2026<\/a><\/p><\/blockquote>\n<p>There have been instances where Lazarus hackers hijacked DeFi project domains using the new arsenal, replacing their sites with a fake Cloudflare message requesting a command to grant access.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cWhat makes Lazarus particularly dangerous right now is the level of their activity. <\/em><a href=\"https:\/\/u1f987.com\/en\/news\/kelp-protocol-loses-293-million-following-cross-chain-bridge-attack\"><em>Kelp<\/em><\/a><em>, <\/em><a href=\"https:\/\/u1f987.com\/en\/news\/drift-protocol-on-solana-loses-280m\"><em>Drift<\/em><\/a><em> and now the new macOS arsenal\u2014all within one month. 
These are not random hacks but a state financial operation working at a scale and pace typical of institutions,\u201d <\/em><a href=\"https:\/\/www.coindesk.com\/tech\/2026\/04\/22\/lazarus-group-has-become-especially-dangerous-with-new-mach-o-man-attack-certik\"><em>noted<\/em><\/a><em> CertiK senior blockchain security researcher Natalie Newson.\u00a0<\/em><\/p>\n<\/blockquote>\n<p>In April, an Ethereum Foundation fellow <a href=\"https:\/\/u1f987.com\/en\/news\/ethereum-foundation-scholar-uncovers-100-north-korean-it-agents-in-web3-firms\">identified<\/a> 100 North Korean IT agents in Web3 companies.\u00a0<\/p>\n<p>Previously, a network of North Korean specialists in the crypto industry was also <a href=\"https:\/\/u1f987.com\/en\/news\/password-123456-exposes-a-dprk-it-worker-network-in-crypto\">discovered<\/a> by an on-chain detective.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lazarus Group has discovered a new method of infiltrating victims&#8217; systems through ordinary work calls, according to cybersecurity expert Mauro Eldritch.<\/p>\n","protected":false},"author":1,"featured_media":96413,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"macOS users are at risk.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1111,1125,1202],"class_list":["post-96412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-cybersecurity","tag-lazarus","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"18","promo_type":"1","layout_type":"1","short_excerpt":"macOS users are at 
risk.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=96412"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96412\/revisions"}],"predecessor-version":[{"id":96414,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96412\/revisions\/96414"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/96413"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=96412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=96412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=96412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}