Mach-O Man macOS stealer targets crypto and fintech
Lazarus Group deployed Mach-O Man in mid‑April 2026, a macOS stealer using Telegram meeting lures and fake Zoom/Teams pages to install malware that steals browser logins, Keychain entries and system data.
Lazarus Group began deploying a macOS stealer called Mach-O Man in mid‑April 2026. The campaign uses Telegram meeting invitations and cloned Zoom, Teams and Google Meet pages to trick targets into running Terminal commands that install malware.
The operation focuses on developers, executives and decision makers in the crypto and fintech sectors. Compromised colleague accounts on Telegram send urgent meeting links. A clicked link opens a page that simulates a connection error and instructs the user to paste a line of code into the Mac Terminal to “fix” the issue. Executing the code installs an initial binary named teamsSDK.bin and circumvents Gatekeeper because the user initiated the action.
After the installer runs, a stager downloads a fake macOS app bundle and uses the native codesign tool to apply an ad hoc signature. The fake installer repeatedly prompts the user for their password with poorly translated messages. When installation completes, the malware fingerprints the system, sets up persistence and deploys additional payloads.
Mach-O Man is built as multiple Go‑compiled Mach‑O binaries. An early profiler module collects host identifiers and environment details including hostname, UUID, CPU characteristics, network configuration and running processes. The final payload, identified as Macrasv2, extracts browser login credentials and cookies from SQLite databases and gathers sensitive entries from the macOS Keychain. The malware also includes extension‑style collectors for Chrome, Firefox, Safari, Brave, Opera and Vivaldi.
For persistence, a component named minst2.bin drops a LaunchAgent plist file called com.onedrive.launcher.plist so the malicious process runs at user login. The process disguises itself with names such as “OneDrive” or “Antivirus Service.” Stolen data is compressed and exfiltrated to the operators. Researchers found that the campaign used the Telegram bot API to receive uploads and that a bot token was left exposed in the process. Command‑and‑control communications use simple curl POST requests on ports 8888 and 9999.
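A defender-side triage routine for the persistence artifact described above, added here as an example and not code from the article or from the researchers it cites. It reads a LaunchAgent plist with the standard library and flags the label, dropper file names and disguised process names the article reports; the file paths, the trusted-root list and the embedded sample plist are constructed for the demonstration.

```python
import plistlib
from pathlib import Path

# Indicators quoted from the article: the LaunchAgent label, the dropper
# file names and the names the process hides behind. Paths and the sample
# plist below are constructed for the demonstration.
KNOWN_LABELS = {"com.onedrive.launcher"}
DROPPER_NAMES = {"teamssdk.bin", "minst2.bin"}
DISGUISE_NAMES = {"onedrive", "antivirus service"}
TRUSTED_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist resembles this campaign (empty if none)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    reasons = []
    label = str(data.get("Label", "")).lower()
    if label in KNOWN_LABELS:
        reasons.append(f"label {label} matches a known artifact")
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    exe = Path(str(args[0]))
    if exe.name.lower() in DROPPER_NAMES:
        reasons.append(f"executable {exe.name} is a known dropper name")
    # A vendor-looking name launched from outside the trusted roots is the giveaway.
    if exe.name.lower() in DISGUISE_NAMES and not str(exe).startswith(TRUSTED_ROOTS):
        reasons.append(f"vendor-style name {exe.name!r} runs from {exe.parent}")
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad is set: the agent starts at every user login")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in a LaunchAgents directory; returns only the hits."""
    return {p.name: r for p in directory.glob("*.plist")
            if (r := triage_launch_agent(p.read_bytes()))}


# Constructed sample modelled on the article's description.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.onedrive.launcher</string>
<key>ProgramArguments</key>
<array><string>/Users/demo/Library/Application Support/OneDrive</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for reason in triage_launch_agent(SAMPLE_PLIST):
        print("-", reason)
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

The same routine can be pointed at /Library/LaunchAgents and /Library/LaunchDaemons; a name match alone is only a lead, so verify the binary's signature and origin before acting on a hit.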
Researchers linked the code patterns and operational tradecraft to Lazarus Group, an actor attributed to North Korea. The group has been connected to prior large crypto thefts, including $625 million from Ronin Network, $1.5 billion from Bybit, $308 million from DMM Bitcoin, $292 million from KelpDAO, $285 million from Drift and $235 million from WazirX. The Mach‑O Man activity was first identified in mid‑April 2026.
The campaign does not rely on zero‑day exploits or complex privilege escalation. It depends on social engineering and trusted collaboration tools and achieves system‑level access when users execute Terminal commands while handling meeting requests.
Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.