The Lazarus Group is targeting macOS users in fintech and crypto via a "ClickFix" campaign using new Mach-O Man malware. The attack vector is phishing emails with urgent meeting links that lead to fake video conferencing sites prompting victims to run a malicious Terminal command, which deploys credential-stealing fake apps and the macrasv2 stealer. Organizations are urged to reinforce defenses against such social engineering lures; no specific CVSS score, affected versions, patches, or workarounds are detailed in the article.
Malware , Threat Intelligence New Mach-O Man malware tapped by Lazarus in macOS-targeted ClickFix attacks May 1, 2026 Share By SC Staff High-level fintech and cryptocurrency individuals, including executives and developers, have had their macOS environments targeted by the North Korean hacking collective Lazarus Group with the new Mach-O Man malware kit in a new ClickFix campaign, reports GBHackers News . Attacks commenced with the delivery of urgent meeting invites purportedly from business contacts or colleagues that include links diverting to fake Microsoft Teams, Zoom, or Google Meet websites that display a connection issue, which requires command execution in Terminal to be resolved, according to an analysis by BCA LTD founder Mauro Eldritch. Running the command launches the initial staging binary that retrieves bogus macOS apps that seek to obtain targets' credentials, while a secondary module facilitates system profiling to obtain OS details, host identifiers, network configuration data, and browser extension information, before the eventual injection of the macrasv2 stealer. Aside from stealing browser-stored credentials and cookies, such a stealer also exfiltrates Keychain secrets and other files that would allow software-as-a-service platform breaches. While the Mach-O Man kit is poorly written, organizations' network defenders have still been urged to reinforce defenses against ClickFix-style lures. SC Staff Related Malware Novel Minecraft-targeting stealer tapped by reemergent LofyGang SC Staff April 30, 2026 Brazilian threat group LofyGang has resurfaced to compromise Minecraft players with the novel LofyStealer malware, also known as GrabBot, more than three years after its last attack campaign, The Hacker News reports. Malware North Korean hackers use AI-generated video calls to target crypto firms SC Staff April 29, 2026 The attackers create convincing fake Zoom video call websites using AI-generated headshots and semi-animated videos. Malware Novel multi-stage malware campaign stealthily targets Pakistan SC Staff April 29, 2026 More refined obfuscation tactics have been leveraged in a new multi-stage malware campaign targeted at the employees of Pakistan's Punjab Safe Cities Authority and Punjab Police Integrated Command, Control & Communication Centre, GBHackers News reports. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Corruption DNS Spoofing Darknet Deauthentication Attack Denial of Service Dictionary Attack Domain Hijacking Drive-by Download DumpSec Reconnaissance You can skip this ad in 5 seconds