Lazarus Mach-O Man macOS Malware Uses Fake Telegram Meeting Invites to Steal Crypto Credentials

North Korea’s Lazarus Group is deploying the “Mach-O Man” macOS malware against crypto and fintech executives through social engineering. The attack starts with urgent meeting invites sent over Telegram that impersonate Zoom, Microsoft Teams, or Google Meet and redirect victims to a fake site. There the ClickFix technique takes over: the page prompts the user to paste a terminal command to “fix” a connection issue. Once that command runs, the Mach-O Man toolkit installs modular Mach-O components that profile the device, establish persistence, and steal credentials and browser data. Exfiltration is routed through a Telegram-based command-and-control channel, and the malware deletes itself after execution, which makes incident response and forensics harder.

CertiK links the campaign to Lazarus’ Famous Chollima unit and says it was delivered through compromised Telegram accounts aimed at high-value digital-asset organizations. The report also ties Mach-O Man to a wider Lazarus theft spree, with more than $500M stolen from the DeFi platforms Drift and KelpDAO in the past two weeks.

For crypto traders, the practical takeaway is risk control: treat unexpected meeting requests, especially any that instruct you to run terminal commands, as a high-risk Lazarus Mach-O Man social engineering attempt. Verify invites through a separate channel before clicking links or running any instructions.
Bearish
This is a credential-stealing Lazarus macOS campaign (“Mach-O Man”) tied to a very large recent theft from the DeFi platforms Drift and KelpDAO. In the short term, reports of major wallet or credential compromise typically increase perceived counterparty risk, raise the probability of further account takeovers, and can trigger liquidation or risk-off positioning around the affected ecosystems (DRIFT, KELP). In the longer term, prolonged incident response, reputational damage, and potential contract or exchange access disruptions can dampen new inflows and weaken governance and treasury confidence. That said, the malware targets specific users rather than exploiting the protocols themselves in a way that affects every holder, so the price effect is likely strongest around tokens directly linked to the impacted DeFi systems rather than spreading as broad market contagion.