What is the Lazarus-linked macOS malware campaign?

The Lazarus Group is linked to a new macOS malware campaign called “Mach-O Man.” It targets crypto and fintech firms using social engineering tactics. The malware is designed to steal credentials and gain access to corporate systems.

How does the “Mach-O Man” malware infect victims?

Attackers lure victims into fake Zoom or Google Meet calls and prompt them to run malicious commands. These commands silently install the malware in the background. This method bypasses traditional security controls and avoids detection.

What is “ClickFix” and how is it used in this attack?

“ClickFix” is a social engineering technique used to trick users into executing commands themselves. Instead of exploiting software vulnerabilities, attackers rely on human error. This makes the attack harder to detect with standard security tools.

What data does the macOS malware steal from infected devices?

The malware extracts browser credentials, cookies, extension data, and macOS Keychain information. It can also access sensitive corporate data and login sessions. This information is then packaged and sent to attackers via Telegram.

What are the risks for crypto and fintech companies?

The campaign can lead to account takeovers, unauthorised system access, and financial losses. It also risks exposing critical internal data and infrastructure. These attacks can have both immediate financial impact and long-term security consequences.

How does the malware avoid detection after infection?

After stealing data, the malware deletes itself using system commands that bypass user confirmation. This makes forensic analysis and detection more difficult. It helps attackers remain hidden after completing the attack.

Why is the Lazarus Group significant in crypto security?

The Lazarus Group has been linked to some of the largest crypto hacks, including the $1.4 billion breach of Bybit in 2025. It is known for targeting exchanges, wallets, and now broader fintech infrastructure.

How does this attack differ from typical crypto hacks?

Unlike smart contract exploits or exchange breaches, this attack targets individuals and employees directly. It relies on social engineering rather than technical vulnerabilities. This makes it more difficult to defend against with traditional blockchain security measures.

Lazarus malware targets macOS crypto firms via zoom

Written by Isaac FrancisPublished Apr. 23 2026Last Updated Apr. 23 2026

A new macOS malware campaign linked to the Lazarus Group is targeting crypto and fintech firms through social engineering attacks disguised as video calls.

Security researchers said the “Mach-O Man” malware is distributed via fake Zoom or Google Meet sessions that trick victims into executing malicious commands.

“Victims are lured into a fake Zoom or Google Meet call where they are prompted to execute commands that download the malware in the background,”

Said Mauro Eldritch.

The attack allows hackers to bypass traditional security controls, gaining access to credentials, corporate systems and sensitive infrastructure without detection.

The malware ultimately deploys a data-stealing payload that extracts browser credentials, cookies, macOS Keychain data and other sensitive information before exfiltrating it via Telegram.

The Lazarus Group has been linked to some of the largest crypto thefts, including the $1.4 billion hack of the Bybit in 2025, highlighting its continued focus on high-value targets.

Researchers warn the campaign reflects a broader expansion of Lazarus tactics beyond crypto-native firms, increasing risks for traditional financial and technology companies.