Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign

1 day ago

North Korea’s Lazarus Group has deployed a modular macOS malware kit called Mach-O Man that uses fake meeting invites to steal credentials and crypto wallet access from fintech executives and developers.

Key Takeaways:

  • North Korea’s Lazarus Group deployed Mach-O Man malware targeting macOS users in crypto and fintech roles in April 2026.
  • Bitso’s Quetzal Team confirmed the Go-compiled kit enables credential theft, Keychain access, and data exfiltration across four stages.
  • Security researchers urged firms on April 22, 2026, to block Terminal-based ClickFix lures and audit LaunchAgents for files masquerading as Onedrive.

Researchers Expose North Korean macOS Malware Targeting U.S. Crypto and Web3 Firms

Security researchers at Bitso’s Quetzal Team, working alongside the ANY.RUN sandbox platform, publicly disclosed the kit on April 21, 2026, after analyzing a campaign they named “North Korea’s Safari.” The team linked the kit to Lazarus’s recent large-scale crypto thefts, including attacks on KelpDAO and Drift, citing the group’s consistent targeting of high-value macOS users in Web3 and fintech roles.

Mach-O Man is written in Go and compiled as Mach-O binaries, making it native to both Intel and Apple Silicon machines. The kit runs in four distinct stages and is designed to harvest browser credentials, macOS Keychain entries, and crypto account access before deleting traces of itself.

The infection begins with social engineering, not a software exploit. Attackers compromise or impersonate Telegram accounts belonging to colleagues in Web3 and crypto circles. The target receives an urgent meeting invitation for Zoom, Microsoft Teams, or Google Meet that links to a convincing fake site, such as update-teams.live or livemicrosft.com.

The fake site displays a simulated connection error and instructs the user to copy and paste a Terminal command to resolve it. This technique, known as ClickFix and adapted here for macOS, leads the user to execute the initial stager file, teamsSDK.bin, via curl. Because the user runs the command manually, macOS Gatekeeper does not block it.

The stager downloads a fake app bundle, applies ad-hoc code signing to make it look legitimate, and prompts the user for their macOS password. The window shakes on the first two attempts and accepts the credential on the third, a deliberate design choice to build false trust.

From there, according to the researchers’ report and other accounts, a profiler binary enumerates the machine’s hostname, UUID, CPU, operating system details, running processes, and browser extensions across Brave, Chrome, Firefox, Safari, Opera, and Vivaldi. Researchers noted the profiler contains a coding bug that creates an infinite loop, causing noticeable CPU spikes that can expose an active infection.

A persistence module then drops a renamed file called Onedrive into a hidden path under a folder labeled “Antivirus Service” and registers a LaunchAgent called com.onedrive.launcher.plist so it runs automatically at login.

The final stage, a stealer binary labeled macrasv2, collects browser extension data, SQLite credential databases, and Keychain items, compresses them into a zip file, and exfiltrates the bundle through the Telegram Bot API. Researchers found the Telegram bot token exposed in the binary, which they described as a major operational security failure that could allow defenders to monitor or disrupt the channel.

The Quetzal Team published SHA-256 hashes for all major components, along with network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. Security researchers noted the kit has been observed in use by groups beyond Lazarus, suggesting the tooling has been shared or sold within the threat actor ecosystem.

Lazarus, also tracked as Famous Chollima by threat intelligence firms, has been attributed to billions of dollars in cryptocurrency theft over the past several years. The group’s prior macOS tools included AppleJeus and RustBucket. Mach-O Man follows the same target profile while lowering the technical barrier for macOS compromises.

Security teams at crypto and fintech firms are advised to audit LaunchAgents directories, monitor for Onedrive processes running from unusual file paths, and block outbound Telegram Bot API traffic where it is not operationally required. Users should never paste Terminal commands copied from web pages or unsolicited meeting links.
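A small triage script covering the two host-side checks recommended above, added here as an example and not code from the Quetzal Team or ANY.RUN report; the Onedrive/OneDrive path rule, the /Applications allow-list and the sample plist are assumptions constructed for illustration:

```shell
#!/bin/sh
# Constructed triage helper for the persistence indicators described in the report:
# a LaunchAgent labelled com.onedrive.launcher and a binary named Onedrive living
# under an "Antivirus Service" folder. Path rules and allow-list are assumptions.

# audit_launchagents DIR: print "SUSPECT <plist>" for each matching plist; exit 0 if any matched.
audit_launchagents() {
    dir="$1"
    found=1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q '<string>com.onedrive.launcher</string>' "$plist" ||
           grep -qi 'Antivirus Service' "$plist"; then
            echo "SUSPECT $plist"
            found=0
        fi
    done
    return $found
}

# audit_processes: read full executable paths (e.g. from `ps -axo comm=`) on stdin and
# flag any Onedrive/OneDrive binary that is not running from /Applications.
audit_processes() {
    hits=1
    while IFS= read -r exe; do
        case "$exe" in
            /Applications/*) continue ;;
            */Onedrive|*/OneDrive)
                echo "SUSPECT process: $exe"
                hits=0 ;;
        esac
    done
    return $hits
}

# Self-test on constructed data so it runs anywhere; on a real Mac, point it at
# ~/Library/LaunchAgents, /Library/LaunchAgents and live `ps -axo comm=` output instead.
sample=$(mktemp -d)
cat > "$sample/com.onedrive.launcher.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.onedrive.launcher</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/.Antivirus Service/Onedrive</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
audit_launchagents "$sample"
printf '%s\n' '/Users/demo/Library/.Antivirus Service/Onedrive' | audit_processes
```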

Organizations running macOS fleets in Apple-heavy crypto environments should treat any urgent, unsolicited meeting link as a possible entry point until it is verified through a separate communication channel.
