Back

North Korean Lazarus Group Deploys New macOS Malware Amid Infrastructure Breach

Severity: High (Score: 75.5)

Sources: any.run, Cybernews, News.Bitcoin

Summary

The North Korean Lazarus Group has launched a new macOS malware kit named Mach-O Man, targeting fintech executives and developers through fake meeting invites. This malware, which uses social engineering tactics to trick users into executing malicious commands, is designed to steal credentials and crypto wallet access. The campaign, dubbed 'North Korea’s Safari', was disclosed by security researchers at Bitso’s Quetzal Team and ANY.RUN on April 21, 2026. The malware operates in four stages, collecting sensitive data and exfiltrating it via a compromised Telegram bot. Notably, the attackers' infrastructure was also breached, revealing critical vulnerabilities that could allow external actors to flood their systems with junk data. The malware's design includes coding bugs that may expose its presence through noticeable CPU spikes. Despite its flaws, the malware remains effective in compromising high-value targets. The incident highlights ongoing threats from state-sponsored cyber operations. Key Points: • Lazarus Group's Mach-O Man malware targets macOS users in fintech and crypto sectors. • Attackers use fake meeting invites to execute malware through social engineering tactics. • Critical vulnerabilities in the attackers' infrastructure were discovered, allowing potential disruption.

Key Entities

  • FAMOUS CHOLLIMA (apt_group)
  • Lazarus Group (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Drift (campaign)
  • RustBucket (campaign)
  • KelpDAO (company)
  • Volo Protocol (company)
  • Google (company)
  • North Korea (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • Cwe-400 - Uncontrolled Resource Consumption (cwe)
  • Cwe-434 - Unrestricted Upload Of File With Dangerous Type (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • livemicrosft.com (domain)
  • 172.86.113.102 (ipv4)
  • AppleJeus (malware)
  • Mach-O Man (malware)
  • T1003.001 - Lsass Memory (mitre_attack)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • Google Meet (platform)
  • MacOS (platform)
  • Meets (platform)
  • Telegram (platform)
  • Zoom (platform)
  • Microsoft Teams (tool)
  • OneDrive (tool)
  • Teams (tool)
  • Curl (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed