Mach-O Man Malware: What CISOs Need to Know
Essential information
- Published: 22/04/2026 01:40
- Modified: 22/04/2026 08:59
- Tags: 2026-04-22, browser stealing, clickfix, credential-theft, fintech targeting, mach-o binaries, mach-o man, macos, pylangghostrat, social engineering, telegram exfiltration
- Related entities: 15 observables, 1 intrusion set (APT), 20 techniques (MITRE), 2 malware, 4 others
Description
Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.