Lazarus Group is abusing “ClickFix” social engineering to push a new macOS malware kit dubbed “Mach-O Man,” giving attackers a direct path to credentials, Keychain secrets, and corporate access in fintech and crypto environments.
This research is authored by Mauro Eldritch, an offensive security expert and founder of BCA LTD, a company focused on threat intelligence and hunting.
You can find Mauro on X, where he has been documenting the “Mach-O Man” activity and its impact on macOS users in high‑value environments.
The latest wave of ClickFix attacks shows that simply convincing users to run commands is often enough to bypass technical controls, and Lazarus has quickly weaponized this approach.
In this campaign, the group uses fake meetings and trusted channels to deliver a modular Mach‑O malware kit that runs natively on both Intel and Apple Silicon Macs.
How the Mach-O Man infection starts
The operation typically begins on Telegram, where attackers impersonate colleagues or business contacts to send urgent meeting invitations to executives, developers, and decision‑makers in fintech and crypto firms.
Victims are redirected to convincing phishing sites that imitate Zoom, Microsoft Teams, or Google Meet and claim there is a connection issue that must be fixed manually.
The full malware kit with all its components and variants (Source: ANY.RUN).
Instead of exploiting a software bug, the page instructs the user to copy and paste a Terminal command, a pattern now widely known as ClickFix.
Because the victim runs the command themselves, many endpoint protections fail to flag the activity, even though it immediately downloads and launches the first Mach‑O payload.
Once executed, the initial binary (often observed as teamsSDK.bin) acts as a stager that fetches fake macOS applications mimicking conferencing tools or generic system dialogs.
Stager teamsSDK.bin usage (Source: ANY.RUN).
These fake apps repeatedly prompt the user for their password in broken English, pretending that the first attempts are incorrect before silently moving to the next stage.
Behind the scenes, a second module (variants such as D1YrHRTg.bin) profiles the system via sysctl and local tools, collecting host identifiers, OS details, network configuration, processes, and browser extension data for major browsers, including Chrome, Safari, Brave, and others.
Researchers note that parts of the kit are poorly written, with some profilers entering infinite loops that continuously POST the same data to command‑and‑control servers and can spike resource usage on infected Macs.
The malware uses the macOS codesign utility to apply ad‑hoc signatures, helping the apps appear legitimate enough to run under standard execution policies.
Fake Teams app prompts for user credentials (Source: ANY.RUN).
The final stealer stage, known as macrasv2, aggregates high‑value data from the system before exfiltration.
It targets browser-stored credentials and cookies, macOS Keychain entries, and other files that can grant access to SaaS platforms, internal infrastructure, and crypto wallets, then compresses them into an archive such as user_ext.zip.
Why this matters for macOS
For CISOs, the key risk is that a single compromised macOS device can translate into full access to internal systems or crypto assets, especially in organizations where Macs are standard for developers and leadership.
Subsequent components, such as minst2.bin, establish persistence by dropping a disguised binary (for example, masquerading as OneDrive) under an “Antivirus Service” folder and registering it as a LaunchAgent to run at every login.
A Bash service is created for persistence (Source: ANY.RUN).
Because the chain relies on user‑driven commands and native utilities instead of classic exploits, many traditional EDR deployments see little more than “normal” user activity until credentials and sessions are already gone.
Defenders should focus on blocking ClickFix-style lures, monitoring for suspicious Terminal usage, auditing LaunchAgents for fake “Antivirus” or OneDrive entries, and flagging outbound traffic to unusual ports and Telegram APIs from macOS hosts.
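As an added illustration of the LaunchAgent audit suggested above (this is example code written for this article, not ANY.RUN's or the researcher's tooling), the script below parses LaunchAgent plists and flags the traits described in the chain: an executable under an "Antivirus Service" folder, a OneDrive-named binary outside its expected install path, and a RunAtLoad agent launching from a user-writable location. The folder name, the assumed legitimate OneDrive path, and the sample plist are constructed for illustration, not indicators from the campaign.

```python
import os
import plistlib

# Heuristics from the persistence step described above: a binary posing as
# OneDrive dropped under an "Antivirus Service" folder and run via LaunchAgent.
# The folder fragment and the OneDrive path are assumptions for illustration.
FAKE_AV_FRAGMENT = "antivirus service"
LEGIT_ONEDRIVE_PREFIX = "/Applications/OneDrive.app/"
USER_WRITABLE_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def audit_launch_agent(plist_bytes: bytes) -> list:
    """Return reasons a LaunchAgent plist looks suspicious (empty list if clean)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist in LaunchAgents is itself worth a look
        return [f"unparseable plist: {exc}"]
    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else "")
    if not exe:
        return ["no Program or ProgramArguments key"]
    findings = []
    if FAKE_AV_FRAGMENT in exe.lower():
        findings.append(f"executable inside a fake antivirus folder: {exe}")
    if os.path.basename(exe).lower().startswith("onedrive") and not exe.startswith(LEGIT_ONEDRIVE_PREFIX):
        findings.append(f"OneDrive-named binary outside {LEGIT_ONEDRIVE_PREFIX}: {exe}")
    if exe.startswith(USER_WRITABLE_ROOTS) and plist.get("RunAtLoad"):
        findings.append(f"RunAtLoad agent launching from a user-writable path: {exe}")
    return findings

def audit_launch_agent_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents")) -> dict:
    """Scan real LaunchAgent directories on a Mac; map plist path -> findings."""
    report = {}
    for d in (os.path.expanduser(p) for p in dirs):
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                with open(path, "rb") as fh:
                    hits = audit_launch_agent(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample plist mimicking the described persistence (not a real artefact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.microsoft.OneDrive.update</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Antivirus Service/OneDrive</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

Run `audit_launch_agent_dirs()` on a Mac to check the real directories; `audit_launch_agent(SAMPLE_PLIST)` shows all three heuristics firing on the constructed sample.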
Interactive, cross‑platform sandboxing, such as running suspicious URLs and macOS binaries inside an isolated VM, has proven crucial in rapidly reconstructing the full Mach‑O Man chain and extracting indicators of compromise for enterprise detection.
