Security researchers have identified a new malware kit called "Mach-O Man", linked to Lazarus Group - the North Korean hacking operation behind some of crypto's biggest thefts. The attacks target executives at crypto companies and fintech firms running macOS. Victims get pulled into a fake video call, where one terminal command gives attackers full access to the system.
Why ClickFix is hard to stop
ClickFix tricks people, not systems. A victim gets an invite to what looks like a corporate meeting. The meeting page shows a "technical error" asking the user to fix it through the terminal. The victim runs the command - attackers do not need to break in from outside at all.
Mauro Eldritch, founder of cyber threat intelligence firm BCA Ltd, reconstructed the malware kit using cloud-based sandbox Any.run and published a technical report on April 22. He notes the virus loads silently after the command runs, bypassing conventional security controls. The antivirus sees a clean system command, not a malicious file - and blocks nothing.
What the malware collects - and how it disappears
The final stage deploys a stealer that pulls data from browser extensions, saved passwords, cookies, and macOS Keychain entries. Everything gets packed into a ZIP archive and sent to the attackers through a Telegram bot. After the transfer, the malware self-deletes using the system rm command, which skips user confirmation when removing files.
The victim may never realize anything happened - the malicious file is already gone. Digital investigators have to reconstruct the attack from network logs and system traces. Consequences can range from account takeovers to full corporate infrastructure access and financial losses.
A group with a billion-dollar track record
Lazarus Group is the main suspect behind crypto's largest thefts. In 2025, the group stole $1.4 billion from the exchange Bybit - the biggest single hack in crypto history. Analysts estimate the group pulled at least $578 million from the market in April 2026 alone.
Earlier this month, a similar social engineering campaign hit crypto wallet Zerion: attackers got hold of active sessions, login credentials, and private keys from several team members, resulting in roughly $100,000 in losses. The Zerion case confirmed the shift: Lazarus has moved away from technical exploits toward manipulating people directly - and it is working.
Who is at risk
The primary targets are executives and security staff at crypto and fintech companies. But any employee receiving video call invites from unfamiliar or loosely known contacts can end up in the same position. Running macOS is no protection here - the kit was built specifically for that platform.
- Zoom or Meet invites from strangers - check the sender before clicking any link
- Any terminal command during a call is always a red flag, with no exceptions
- Limit browser extensions - their data gets collected first
- Two-factor authentication makes account takeover significantly harder even after password theft
No traces left - that is the new normal
The malware's self-deletion after data collection changes how security teams investigate and defend. A traditional antivirus looks for a malicious file. But the file is already gone. Companies need real-time network traffic monitoring and regular staff security training - not just perimeter defenses.
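Because the payload removes itself, the remaining evidence is the sequence of endpoint and network events the article describes: an archive is built, it is uploaded to a Telegram bot, and the binary that ran is then deleted with rm. The following is an added example (not from the report or any vendor tool) that correlates that three-stage chain across constructed telemetry records; the event format, the placeholder binary path and the time window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Event:
    ts: datetime   # time the endpoint agent recorded the event
    kind: str      # "exec" (detail = command line) or "net" (detail = destination host)
    detail: str

def _argv(e: Event) -> List[str]:
    return e.detail.split()

# Stage matchers: each receives the event and the set of binaries seen executing so far.
def stage_archive(e, seen):      # stealer packs collected data into an archive
    return e.kind == "exec" and _argv(e)[0] in ("zip", "ditto")

def stage_exfil(e, seen):        # upload to the Telegram bot API, as the report describes
    return e.kind == "net" and e.detail == "api.telegram.org"

def stage_self_delete(e, seen):  # rm aimed at a binary that already ran on this host
    return e.kind == "exec" and _argv(e)[0] == "rm" and any(a in seen for a in _argv(e)[1:])

STAGES = [stage_archive, stage_exfil, stage_self_delete]

def find_chain(events: List[Event], window=timedelta(minutes=15)) -> Optional[List[Event]]:
    """Return the events completing archive -> upload -> self-delete within `window`, else None."""
    seen = set()             # absolute paths of binaries observed executing
    hits: List[Event] = []
    for e in sorted(events, key=lambda x: x.ts):
        if not e.detail.strip():
            continue
        if e.kind == "exec" and _argv(e)[0].startswith("/"):
            seen.add(_argv(e)[0])
        if hits and e.ts - hits[0].ts > window:
            hits = []        # partial chain went stale; start over
        if STAGES[len(hits)](e, seen):
            hits.append(e)
            if len(hits) == len(STAGES):
                return hits
    return None

T0 = datetime(2026, 4, 22, 10, 0, 0)
SUSPECT = [  # constructed telemetry mimicking the described chain; the binary path is a placeholder
    Event(T0, "exec", "/private/tmp/.update_helper"),
    Event(T0 + timedelta(seconds=20), "exec", "zip -r /private/tmp/out.zip /Users/alice/Library"),
    Event(T0 + timedelta(seconds=25), "net", "api.telegram.org"),
    Event(T0 + timedelta(seconds=30), "exec", "rm -f /private/tmp/.update_helper"),
]
BENIGN = [   # constructed: an admin archives logs, uploads to a backup host, removes the archive
    Event(T0, "exec", "/usr/local/bin/backup.sh"),
    Event(T0 + timedelta(seconds=10), "exec", "zip -r /tmp/logs.zip /var/log"),
    Event(T0 + timedelta(seconds=15), "net", "backup.example.com"),
    Event(T0 + timedelta(seconds=20), "exec", "rm -f /tmp/logs.zip"),
]
```

The benign sequence shares two of the three stages yet does not fire, because the upload goes elsewhere and the rm targets an archive rather than a binary that executed; that correlation is what a single file-based signature cannot provide once the file is gone.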
Holders of Bitcoin and other crypto assets in corporate wallets face the risk of losing funds not through a code vulnerability, but through one wrong click. That is what makes "Mach-O Man" one of the more dangerous tools in North Korea's current arsenal.