What Is Mach-O Man? The New Lazarus Malware Targeting Crypto and Fintech

Key Takeaways

Mach-O Man is a new macOS malware targeting the crypto and fintech sectors.
Lazarus Group has developed this malware as part of a new wave of attacks.
North Korea uses Lazarus to steal funds through cyber operations.

A fresh threat has emerged in the crypto and fintech sectors as of Apr. 21.

North Korea-linked Lazarus Group has deployed “Mach-O Man,” a native macOS malware kit designed to target high-value executives, developers, and decision-makers.

The campaign blends traditional social engineering with custom Mach-O binaries to bypass standard defenses.

Security researchers at ANY.RUN first detailed the toolkit, which specifically targets macOS systems widely used across crypto firms.

In many cases, a single copied command during a fake meeting can expose sensitive credentials directly to attackers.

Mach-O Man in Action: How the Malware Infects Systems and Endangers Crypto

Phase 1

The attack begins with a convincing lure.

Victims receive an urgent meeting invite via Telegram, often from a compromised account, asking them to join a Zoom, Microsoft Teams, or Google Meet session.

The link redirects to a fake support page claiming a connection issue.

From there, the victim is instructed to copy and paste a simple command into the Mac Terminal to “fix” the problem.

That command executes the first stage—a Go-compiled stager such as teamsSDK.bin.

Once triggered, the stager downloads a fake macOS application bundle designed to mimic legitimate software.

It even uses the built-in codesign tool for an ad hoc signature, making it appear trusted to Gatekeeper.

Phase 2

The next phase focuses on profiling.

A second binary, such as D1YrHRTg.bin, collects system data including hostname, UUID, CPU details, boot time, OS version, network configuration, running processes, and browser extensions across Chrome, Firefox, Safari, Brave, Opera, and Vivaldi.

This data is compressed and sent to a command-and-control server. Persistence is established quickly.

Another component, minst2.bin, installs a disguised executable—often labeled as a OneDrive process—inside a folder named “Antivirus Service,” along with a LaunchAgent plist that ensures the malware restarts on login.

Phase 3

The final payload, macrasv2, targets sensitive data.

It extracts browser cookies, stored credentials from SQLite databases, and entries from the macOS Keychain.

The data is packaged into a file (typically user_ext.zip) and exfiltrated via a Telegram bot API. Cleanup scripts then remove traces, leaving minimal evidence behind.

For crypto firms, the implications are serious.

A single compromised machine can expose wallet seed phrases, exchange API keys, multisig approvals, or internal admin systems.

From there, attackers can gain persistent access to corporate networks, browser sessions, and stored credentials.

In practice, this opens the door to unauthorized fund transfers, smart contract manipulation, or broader supply-chain attacks.

Because macOS is widely used in development and trading environments, Mach-O Man turns everyday workflows into potential entry points for large-scale breaches.

Lazarus Group’s Rising Sophistication: From Hacks to Infiltration

Lazarus Group has moved well beyond traditional “smash-and-grab” attacks.

The group now focuses on long-term infiltration, embedding operatives within DeFi projects for extended periods.

Researchers estimate that North Korean IT workers linked to Lazarus have infiltrated nearly 40 DeFi projects since 2020.

These operatives pose as legitimate freelancers on platforms like GitHub, Discord, and LinkedIn, often using AI-generated identities and polished resumes.

Once hired, they contribute real code, build trust, and gradually gain access to sensitive systems such as private keys, repositories, and governance tools.

This approach has already paid off.

In February 2025, Lazarus was linked to a $1.5 billion exploit involving Bybit, reportedly through tampering with a third-party wallet library.

More recently, the April 2026 KelpDAO attack resulted in losses of roughly $290 million through compromised infrastructure.

Rather than relying solely on technical exploits, Lazarus combines social engineering with legitimate development work and infrastructure-level attacks.

Fake companies, supply-chain compromises, and delayed malware execution are now standard tactics.

The result is a form of intrusion that operates from within, bypassing traditional security measures.

A Persistent and Evolving Threat

Despite sanctions and ongoing enforcement efforts, Lazarus continues to expand its operations.

Blockchain analytics firms estimate the group has stolen approximately $6.75 billion in crypto since 2017, including over $2 billion in 2025 alone.

Major incidents such as the Bybit exploit and the KelpDAO attack highlight how quickly the group adapts.

When one method becomes less effective, Lazarus shifts to new tactics—whether through bridges, OTC channels, or layered laundering strategies.

State backing gives the group a significant advantage.

Funds are funneled back into North Korea’s broader programs, allowing Lazarus to reinvest in new tools, including malware kits like Mach-O Man.

Each disruption leads to further refinement, from improved obfuscation techniques to more sophisticated hybrid attacks that combine technical exploits with human manipulation.

For the crypto industry, the message is clear.

Threats are no longer limited to code vulnerabilities.

They now extend to people, workflows, and infrastructure—areas that are often harder to secure and easier to exploit.