Experts warn that the Lazarus Group has launched a kit to hack fintech and cryptocurrency firms

  • The attack method involves the victim themselves executing the command that installs the malware.

  • The kit exfiltrates stolen data through Telegram, using the service as an outbound channel.

Mauro Eldritch, offensive security expert and founder of the company BCA LTD, published on April 21, on the ANY.RUN cybersecurity platform, an analysis of “Mach-O Man”, a native malware kit for macOS attributed to North Korea’s Lazarus Group.

According to Eldritch’s analysis, based on Bitso’s Quetzal Team report from April 13, “the Lazarus Group is actively carrying out a campaign that turns routine business communication into a direct route to credential theft and data loss.”

The campaign targets financial technology companies and the cryptocurrency ecosystem, sectors where macOS is the predominant operating system among developers and executives, the expert warned.

The attack begins with a fake meeting invitation sent via Telegram, frequently from compromised accounts of contacts the victim knows. The invitation redirects to a site that imitates platforms such as Zoom, Teams or Google Meet.

The site displays a fake error message and instructs the user to copy and paste a command into their computer’s terminal to “resolve the connection issue,” Eldritch says.

In this context, the cybersecurity analyst known on X as Vladimir S described the mechanism as follows:

You receive an urgent invitation to a meeting on Telegram. The link leads to a convincing fake site that asks you to paste a simple command into your Mac’s terminal to ‘fix the connection issue’. You run it… and Mach-O Man has just taken control of your Mac.

Vladimir S, cybersecurity analyst.

The Lazarus Group kit targets people, not code

The critical point, according to Eldritch’s analysis of the Quetzal Team report, is that the attack does not exploit any technical vulnerability in the operating system. The victim executes the command voluntarily, which lets the malware evade many traditional security controls designed to detect automated intrusions.

Eldritch also noted that the kit deploys four components in sequence:

  • The first downloads malicious binaries compiled in Go, the programming language in which the kit is built.
  • The second collects system information, including active processes, network settings and browser extensions from Chrome, Safari and Brave.
  • The third installs a persistence mechanism disguised as an application called OneDrive, which ensures the malware is reactivated at each login.
  • The fourth and final component steals credentials stored in the macOS keychain (the system in which the operating system saves passwords and access keys), session cookies and sensitive files, and exfiltrates them through Telegram using an automated bot as the exit channel.
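A defender-side check for the persistence step described above, added here as an example that is not from the article or from Eldritch’s analysis: it assumes the login persistence takes the form of a LaunchAgent plist, and flags entries that trade on the OneDrive name without pointing at the genuine client path, or that run at every login from a user-writable location. The legitimate OneDrive path, the suspicious-path list and the two sample plists are constructed assumptions for illustration.

```python
import plistlib
from pathlib import Path

# Assumption: where the genuine Microsoft OneDrive client lives on macOS.
LEGIT_ONEDRIVE_PREFIX = "/Applications/OneDrive.app/"
# User-writable locations where a dropped binary would typically sit (assumed list).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/", "/var/folders/")

def program_of(plist: dict) -> str:
    """Executable a LaunchAgent runs: Program, else first ProgramArguments entry."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Reasons this plist looks like fake-OneDrive login persistence (empty = clean)."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    reasons = []
    # A label or path that trades on the OneDrive name but is not the real client.
    if "onedrive" in (label + program).lower() and not program.startswith(LEGIT_ONEDRIVE_PREFIX):
        reasons.append(f"claims OneDrive but runs {program!r}")
    # Anything re-launched at every login from a user-writable drop location.
    if plist.get("RunAtLoad") and program.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"RunAtLoad from user-writable path {program!r}")
    return reasons

def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents folder such as ~/Library/LaunchAgents."""
    return {p.name: audit_launch_agent(p.read_bytes()) for p in directory.glob("*.plist")}

# Constructed sample plists: a genuine-looking client entry and a disguised one.
LEGIT_PLIST = plistlib.dumps({
    "Label": "com.microsoft.OneDrive",
    "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDrive"],
    "RunAtLoad": True,
})
FAKE_PLIST = plistlib.dumps({
    "Label": "com.onedrive.updater",
    "ProgramArguments": ["/Users/victim/Library/Application Support/OneDrive/onedrive"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT_PLIST), ("fake", FAKE_PLIST)):
        print(name, audit_launch_agent(blob) or "clean")
```

Run `audit_directory(Path.home() / "Library/LaunchAgents")` to sweep a real user’s agents; a non-empty reason list is a lead for manual inspection, not proof of compromise.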

The link to cryptocurrency theft is direct. The macOS keychain may contain private keys or recovery phrases of digital wallets. Combined with active session cookies from exchanges or escrow platforms, those credentials give the attacker immediate access to the victim’s funds without needing to breach any additional protocols.

Eldritch indicated in his investigation that several components of the kit have code errors, including one that enters an infinite loop that can reveal its presence by consuming system resources anomalously. These failures suggest that the kit was not thoroughly tested before distribution.

According to the Quetzal Team report, the priority targets are executives and decision makers at fintech and crypto companies, precisely because their devices concentrate access to critical infrastructure and financial assets.

Lazarus, the same group behind the Kelp DAO hack

The Clandestine Analyst summarized the extent of the risk: “A compromised machine can give attackers complete access to corporate infrastructure.”

This warning takes on additional weight in the recent context of the cryptocurrency ecosystem. As reported by CriptoNoticias, the April 18 hack of Kelp DAO, which drained USD 292 million, was attributed by LayerZero to the Lazarus Group itself, specifically to its TraderTraitor unit.

As explained by the LayerZero team, the Lazarus Group demonstrated a detailed understanding of the attacked infrastructure and operated with unusual speed and precision.

In this context, the “Mach-O Man” kit suggests that this level of sophistication is not limited to attacks on protocol infrastructure, but extends to social engineering campaigns aimed at the human teams that operate them.
