{
  "name": "Mach-O Man Malware: What CISOs Need to Know",
  "slug": "mach-o-man-malware-what-cisos-need-to-know",
  "description": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.",
  "published": "2026-04-21T23:40:36+00:00",
  "created_at": "2026-04-21T23:40:36+00:00",
  "modified_at": "2026-04-22T06:59:52+00:00",
  "created_at_opencti": "2026-04-21T23:40:36+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "browser stealing",
    "clickfix",
    "credential-theft",
    "fintech targeting",
    "mach-o binaries",
    "mach-o man",
    "macos",
    "pylangghostrat",
    "social engineering",
    "telegram exfiltration"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "172.86.113.102"
      },
      {
        "id": "",
        "name": "http://livemicrosft.com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1"
      },
      {
        "id": "",
        "name": "http://172.86.113.102/localencode"
      },
      {
        "id": "",
        "name": "http://update-teams.live/teams"
      },
      {
        "id": "",
        "name": "a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491"
      },
      {
        "id": "",
        "name": "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938"
      },
      {
        "id": "",
        "name": "dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6"
      },
      {
        "id": "",
        "name": "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3"
      },
      {
        "id": "",
        "name": "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9"
      },
      {
        "id": "",
        "name": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c"
      },
      {
        "id": "",
        "name": "cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260"
      },
      {
        "id": "",
        "name": "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614"
      },
      {
        "id": "",
        "name": "eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5"
      },
      {
        "id": "",
        "name": "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90"
      },
      {
        "id": "",
        "name": "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:8f78ea5464b2ffe8",
        "name": "Mach-O Man",
        "slug": "mach-o-man"
      },
      {
        "id": "legacy:malware:dc1a99b679168b0f",
        "name": "PyLangGhostRAT",
        "slug": "pylangghostrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f84d0d4c-ec28-4155-b729-8e2c337a0d90",
        "name": "Lazarus Group",
        "slug": "lazarus-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "a58c2bff-7d90-4816-93fd-aa0b6beca12e",
        "name": "T1124"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "880d45b0-e336-4f1a-8893-2796195f5500",
        "name": "T1543.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "4804e5ac-a5df-496d-899f-3664ea857672",
        "name": "T1548.003"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "7911f1c3-e86b-4e33-afea-9a054b0295dc",
        "name": "T1222"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "livemicrosft.com"
      },
      {
        "id": "",
        "name": "update-teams.live"
      }
    ]
  },
  "external_refs": [
    "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/",
    "https://otx.alienvault.com/pulse/69e82714e5cf2d1fb9fe1b0a"
  ]
}