The Apple Heist: Lazarus Group’s “Mach-O Man” Malware Targets macOS

For years, macOS was often viewed as a “safe haven” from the bulk of state-sponsored malware. That era has officially ended. North Korea’s Lazarus Group (specifically the Chollima division) has launched a sophisticated, modular malware kit dubbed “Mach-O Man.” First analyzed by researcher Mauro Eldritch in late April 2026, this Go-compiled toolkit is natively built for the Mach-O binary format, meaning it runs flawlessly on both legacy Intel Macs and the latest Apple Silicon (M1/M2/M3) chips. Targeting fintech executives and crypto developers, Mach-O Man is designed for one thing: the total exfiltration of digital assets.


The Attack Chain: The “Shaking” Password Trap

Lazarus isn’t breaking into Macs through the front door; they are tricking users into opening it. The campaign utilizes the “ClickFix” technique—a social engineering lure that exploits the urgency of remote work.

Stage 1: The Phony Fix (teamsSDK.bin)

The attack starts on Telegram. A victim receives a meeting invite for Zoom or Teams. When they click the link, a fake landing page displays a “Connection Error” and provides a terminal command to “fix” the audio.

Once the victim pastes the command into their terminal, the malware prompts for the system password. In a clever bit of psychological warfare, the password window shakes on the first two attempts—simulating a typo—before silently accepting the credentials on the third try.


Inside the Kit: A 4-Stage Execution

Mach-O Man is modular, allowing Lazarus to update or swap components without re-writing the entire infection chain.

  1. The Profiler (D1YrHRTg.bin): This module inventories the machine. It collects CPU type, OS version, and a full list of installed browser extensions (Chrome, Safari, Brave, etc.) to identify where crypto wallets are stored.
  2. The Persistence Layer (minst2.bin): To survive a reboot, the malware creates a hidden folder named “Antivirus Service” and drops a binary disguised as OneDrive. It then installs a LaunchAgent to ensure it runs every time the user logs in.
  3. The Stealer (macrasv2): This is the “money maker.” It harvests browser cookies, session tokens, and macOS Keychain entries.
  4. Exfiltration: Data is zipped and sent to the attackers via the Telegram Bot API, allowing the stolen data to blend in with legitimate network traffic.

OPSEC Failures: The Leaked Bot Token

While Lazarus is technically proficient, they are not infallible. Researchers discovered that the developers accidentally leaked their Telegram Bot Token within the binary. This allowed analysts to:

  • Read the bot’s outgoing messages.
  • Identify the operators’ internal handles.
  • Monitor exfiltrated data in real-time, aiding in rapid takedown efforts.

Furthermore, a bug in the “Profiler” module caused some infected Macs to enter an infinite loop, repeatedly posting data to the C2 server and causing CPU usage to spike—a major “red flag” that helped victims notice the infection.


How to Protect Your macOS Environment

In a fintech or crypto setting, a single compromised Mac can be the gateway to millions in stolen assets.

  • Zero-Trust Terminal: Never copy and paste commands into your Terminal from a web browser, especially those claiming to “fix” meeting software.
  • Audit LaunchAgents: Regularly check ~/Library/LaunchAgents for unusual files. Specifically, look for directories named “Antivirus Service” or binaries masquerading as Microsoft OneDrive.
  • Use Hardware Keys: Since Mach-O Man targets the macOS Keychain and browser extensions, using a physical security key (like a YubiKey) for your accounts and hardware wallets for your crypto is the most effective defense.
  • Block the Telegram API on Corporate Networks: If your team doesn’t use Telegram for work, block api.telegram.org at the network level to prevent malware from “calling home.”
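
A small audit script for the LaunchAgents check above, added here as an example and not code from the original post or from the researcher's analysis. It assumes XML-format plists (binary ones need `plutil -convert xml1` first) and that legitimate OneDrive runs from /Applications/OneDrive.app; the sample plist names and paths it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Scans a LaunchAgents directory for
# the two indicators the article names: a program path under a folder called
# "Antivirus Service", and a OneDrive-named program that is not inside
# /Applications/OneDrive.app (assumption: that is where real OneDrive lives).
# Assumes XML plists; convert binary ones first: plutil -convert xml1 <file>

# Prints one "<file>: <reason>" line per hit. Returns 0 if clean, 1 if any hit.
scan_launch_agents() {
    dir=$1
    hits=0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        if grep -qi 'Antivirus Service' "$f"; then
            printf '%s: program path under an "Antivirus Service" folder\n' "$f"
            hits=1
        fi
        if grep -qi 'OneDrive' "$f" && ! grep -q '/Applications/OneDrive.app/' "$f"; then
            printf '%s: OneDrive-named program outside /Applications\n' "$f"
            hits=1
        fi
    done
    return $hits
}

# write_plist <path> <program>: minimal XML LaunchAgent plist (constructed sample).
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>$(basename "$1" .plist)</string>
  <key>ProgramArguments</key><array><string>$2</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Writes two constructed plists (one benign, one mimicking the persistence the
# article describes) into a temp directory and prints that directory's path.
make_sample_dir() {
    d=$(mktemp -d)
    write_plist "$d/com.microsoft.OneDrive.plist" '/Applications/OneDrive.app/Contents/MacOS/OneDrive'
    write_plist "$d/com.apple.update.plist" "$HOME/Library/Antivirus Service/OneDrive"
    printf '%s\n' "$d"
}

# Audit the real directory if present, otherwise demonstrate on the sample.
if [ -d "$HOME/Library/LaunchAgents" ]; then
    scan_launch_agents "$HOME/Library/LaunchAgents" || printf 'suspicious LaunchAgent(s) found\n'
else
    scan_launch_agents "$(make_sample_dir)" || printf 'suspicious LaunchAgent(s) found\n'
fi
```

On a real Mac the script only reports string matches; confirm any hit by inspecting the plist and the binary it points to before removing it.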

Conclusion: The $6.7 Billion Threat

Lazarus has stolen an estimated $6.7 billion in crypto since 2017. Mach-O Man proves that they are willing to invest heavily in platform-specific malware to keep those numbers growing. For macOS users in high-value industries, the message is clear: your OS is a target, and your Terminal is the primary weapon.
