New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses

2026-04-21 • Any Run •

https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/

#macOS #Lazarus #ClickFix #T1082 #T1005 #T1555 #T1560 #T1083 #T1497 #T1567 #T1543.001 #T1548.003 #T1124 #T1222 #T1204 #T1552 #T1057

Thumbnail for New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses

ANY.RUN attributes an active ClickFix-style macOS campaign to Lazarus Group, with fake meeting lures delivered through Telegram and impersonated Zoom, Teams, or Google Meet pages. Victims are instructed to run terminal commands that install the Go-based Mach-O Man Mach-O malware kit, starting with a stager that downloads fake macOS applications and follow-on binaries. The chain profiles the host, targets browsers including Brave, Vivaldi, Opera, Chrome, Firefox, and Safari, establishes persistence through a LaunchAgent under an “Antivirus Service” folder, and stages credentials, cookies, browser extension data, macOS Keychain entries, and other files for theft. Telegram is also described as an exfiltration channel, making the campaign especially relevant to fintech, crypto, and other high-value macOS-heavy environments where a single compromised developer or executive device can expose infrastructure and financial assets.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	a73ce18952b40fd621789e43c56b2af…	2026-04-21	2026-04-21
DOMAIN	livemicrosft.com	2026-04-21	2026-04-21
IPv4	172.86.113.102	2026-04-21	2026-04-21
IPv4	144.172.114.220	2026-04-14	2026-04-21
HASH	dfee6ea9cafc674b93a8460b9e6beea…	2026-04-13	2026-04-21
HASH	cc31b3dc8aeed0af9dd24b7e739f183…	2026-04-13	2026-04-21
HASH	0f41fd82cac71e27c36eb90c0bf305d…	2026-04-13	2026-04-21
HASH	eb3eae776d175f7fb2fb9986c891541…	2026-04-13	2026-04-21
HASH	4b08a9e221a20b8024cf778d113732b…	2026-04-13	2026-04-21
HASH	871d8f92b008a75607c9f1feb4922b9…	2026-04-13	2026-04-21
HASH	24af069b8899893cfc7347a4e5b46d7…	2026-04-13	2026-04-21
HASH	89616a503ffee8fc70f13c82c4a5e4f…	2026-04-13	2026-04-21
HASH	85bed283ba95d40d99e79437e6a3161…	2026-04-13	2026-04-21
HASH	a9562ab6bce06e92d4e428088eacc1e…	2026-04-13	2026-04-21

Related Actors

Lazarus

Novetta

First seen: Feb 2016

Last seen: Jun 2026

Related Reports

2026-04-13 • 50% Match

North Korea's Safari: Hunting for RATs

Bitso

#FamousChollima #ClickFix

Shares tag: ClickFix • Shares 10 IOCs • Published within a month

2026-04-30 • 49% Match

DPRK Contagious Interview: Developer Workflow Compromise

Domaintools

#ContagiousInterview #Lazarus #T1005 #T1555 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1059.004 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1555.003 #T1567 #T1071

Shares tags: Lazarus, T1005, T1555 • Published within a month

2024-07-19 • 45% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: Lazarus, T1082, T1005

2026-05-20 • 42% Match