• Lazarus Group is deploying a novel macOS malware kit dubbed “Mach-O Man” targeting business leaders via Telegram.
• The ClickFix attack tricks users into copy-pasting commands to “fix” fake meeting issues, leading to a multi-stage infection ending in Keychain theft.
• Operators exposed their Telegram bot token—making the C2 server trivial to enumerate and betraying operational security.

Lazarus Group has ramped up a campaign targeting business executives and crypto professionals with a newly identified macOS malware kit, named “Mach-O Man,” that turns routine meeting invitations into credential theft and data loss.

According to ANY.RUN’s analysis, the attack starts with a Telegram message from a compromised contact sharing a link to a fake Zoom, Microsoft Teams, or Google Meet page.

Instead of exploiting a software vulnerability, the attackers rely on social engineering. The page displays an error message instructing the user to copy and execute a terminal command to “resolve” a connection issue. That single action initiates a multi-stage infection chain that ultimately harvests browser credentials, session cookies, and macOS Keychain entries—the deepest credential store on a Mac.

“This is not a technical compromise—it’s a psychological one,” wrote the ANY.RUN research team. “The user performs the malicious action themselves, bypassing many traditional security controls because no exploit is involved.”

Four-Stage Infection Chain

The Mach-O Man kit is a collection of Go-compiled Mach-O binaries that work in sequence. First, teamsSDK.bin acts as a stager, displaying a usage message that reveals activation details when run without arguments—a “kind gesture” that makes reverse engineering easier.

When properly invoked, it downloads a fake macOS application impersonating a meeting platform. The app prompts for the user’s password in broken English, shaking the window on the first two incorrect attempts (even if the password is right, it fails anyway), then “succeeds” on the third try and displays a Zoom logo to feign legitimacy.

The second stage retrieves a payload named D1??????.bin (random 6-char suffix) from the C2’s /payload endpoint. This binary acts as a system profiler, using sysctl and local tools to collect hostname, CPU type, OS version, network interfaces, and running processes. This information is written to a text file and POSTed back to the command-and-control server.

Third, minst2.bin establishes persistence by creating a LaunchAgent—macOS’s equivalent of a Windows Service—that executes the malware at startup. Finally, macrasv2 is downloaded as the main stealer. It stages all collected data—browser extension data, credentials, cookies from SQLite databases, Keychain entries—into a user_ext.zip archive before exfiltration.

Operational Security Fail of the Highest Order

The most stunning aspect of this campaign is the operators’ own carelessness. Exfiltration happens via Telegram, a legitimate service that blends with normal traffic—smart in theory. But the researchers discovered that the attackers exposed their bot token in the code, effectively allowing anyone to interact with the Telegram bot, read its messages, and even identify its owner.

“This not only weakens their operational security but also simulates what would happen if the bot were taken over,” the ANY.RUN team noted. With the token, defenders could potentially intercept stolen data or even send crafted responses to disrupt the operation.

The malware also includes a self-deletion script, delete_self.sh, which removes its own components using rm once the job is done. This is textbook operational hygiene—shame about the leaked bot token.

Lazarus’s macOS Focus Intensifies

Lazarus Group, the North Korean state-backed threat actor, has been expanding its macOS toolkit in recent years. This latest kit represents a significant investment in native macOS capabilities—Go-compiled Mach-O binaries, LaunchAgent persistence, Keychain access, all packaged as a coherent multi-stage framework.

The targeting pattern also remains consistent: crypto and fintech firms, accessed through compromised business contacts on Telegram. The endgame is financial: credential theft leading to cryptocurrency wallet access, corporate account takeover, and wire fraud. Recent high-profile crypto heists show the payoff for these attacks.

For SOC teams, the silver lining is that the full attack chain was reconstructed in a sandbox environment in record time. The behavioral indicators—unusual sysctl queries, LaunchAgent creation, fake Zoom UI with three-attempt password windows, Telegram exfiltration—provide concrete detection signatures. As Lazarus refines its approach, defenders have a clear blueprint of what to hunt for.
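As an added illustration (not code from ANY.RUN's report), the following Python turns those behavioral indicators into a small correlation check over constructed sample endpoint events; the tab-separated event format, the user paths, the plist label and the threshold are assumptions.

```python
import re

# Constructed sample endpoint events (not real telemetry): one event per line,
# "kind<TAB>detail", mimicking the Mach-O Man stages described in the article.
SAMPLE_EVENTS = """\
exec	/usr/sbin/sysctl -n hw.model
exec	/usr/sbin/sysctl -n kern.osversion
file_write	/Users/alice/Library/LaunchAgents/com.example.fakemeeting.plist
file_write	/Users/alice/.cache/user_ext.zip
net_connect	api.telegram.org:443 /bot<redacted>/sendDocument
exec	/bin/sh /tmp/delete_self.sh
"""

# One rule per reported indicator: (rule name, event kind, regex on the detail).
# Any single hit (e.g. one sysctl call) is noisy on its own; the value is in
# seeing several distinct stages on the same host.
RULES = [
    ("profiler_sysctl", "exec", re.compile(r"(^|/)sysctl\b")),
    ("launchagent_persistence", "file_write",
     re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")),
    ("staged_archive", "file_write", re.compile(r"/user_ext\.zip$")),
    ("telegram_bot_api", "net_connect", re.compile(r"^api\.telegram\.org:443 /bot")),
    ("self_delete", "exec", re.compile(r"delete_self\.sh\b")),
]


def match_rules(events: str) -> list[tuple[str, str]]:
    """Return (rule_name, event_line) for every event that matches a rule."""
    hits = []
    for line in events.splitlines():
        kind, _, detail = line.partition("\t")
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(detail):
                hits.append((name, line))
    return hits


def chain_score(events: str) -> int:
    """Count distinct stages observed, not raw hits, so repeats do not inflate the score."""
    return len({name for name, _ in match_rules(events)})


def is_macho_man_chain(events: str, threshold: int = 3) -> bool:
    """Flag a host once three or more distinct stages are seen (threshold is an assumption)."""
    return chain_score(events) >= threshold


if __name__ == "__main__":
    for name, line in match_rules(SAMPLE_EVENTS):
        print(f"{name:24} <- {line}")
    print("chain detected:", is_macho_man_chain(SAMPLE_EVENTS))
```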

The malware’s novelty means it would typically require weeks of reverse engineering; ANY.RUN’s interactive macOS analysis compressed that to hours. That speed matters when credentials are actively being stolen.
