Security researchers have linked a novel macOS malware campaign to the Lazarus Group, the North Korea-linked hacking operation responsible for some of the biggest thefts in the crypto industry.
According to Mauro Eldritch, an offensive security expert and founder of threat research firm BCA Ltd, the novel “Mach-O Man” malware kit, reported Tuesday, is being distributed through “ClickFix” social engineering campaigns aimed at both conventional businesses and crypto firms.
Victims are lured into an imitation Zoom or Google Meet call in which they are asked to execute commands that download malware in the background, allowing attackers to bypass conventional controls without detection and gain access to credentials and corporate systems, the report said Tuesday.
Researchers said the campaign could lead to account takeovers, unauthorized access to infrastructure, financial losses and disclosure of key data, underscoring that Lazarus continues to expand its targets beyond crypto companies.
The Lazarus Group is the prime suspect in some of the largest cryptocurrency hacks in history, including the $1.4 billion hack of the Bybit exchange in 2025, the largest ever in the industry.
The “Mach-O Man” kit is designed to deploy hidden malware
The final stage of the campaign is for the stealer component to extract browser extension data, stored browser credentials, cookies, macOS keychain entries and other sensitive information from infected devices.

Once collected, the data is archived in a ZIP file and sent to the attackers via Telegram. Finally, a self-removal script deletes the entire kit using the system rm command, invoked in a way that suppresses user confirmation and ignores file permissions when deleting files.
The researcher reconstructed the novel malware kit using Any.run's cloud-based malware analysis sandbox for macOS.
In early April, North Korean hackers used AI-assisted social engineering to steal approximately $100,000 worth of funds from a Zerion crypto wallet after gaining access to some team members’ logged-in sessions, credentials and the company’s private keys, Cointelegraph reported on April 15.
