Overview
- Security firm CertiK, which published its findings Wednesday, said Lazarus is running a macOS campaign called Mach-O Man aimed at leaders in crypto and fintech.
- The lures arrive as fake Zoom or Teams invites sent through compromised Telegram accounts that push a ClickFix-style command, and researchers urge staff to verify meeting requests over a second channel before acting.
- Once the command is pasted into Terminal, attackers gain direct access to corporate systems and financial tools through a modular kit built from native Mach-O binaries.
- Analysts say the toolkit profiles Macs, can establish persistence, and exfiltrates credentials and browser data via a Telegram-based control channel, then often erases itself to foil forensics.
- CertiK and SOC Prime tie the campaign and related tradecraft to recent nine-figure drains at Drift and KelpDAO. In the KelpDAO attack, LayerZero blamed a single-point-of-failure verifier for allowing forged cross-chain messages to be accepted. Researchers note Lazarus has stolen about $6.7 billion since 2017.