North Korea's Safari: Hunting for RATs

2026-04-13 Bitso

https://quetzal.bitso.com/p/north-koreas-safari-hunting-for-rats


Bitso describes renewed Famous Chollima activity against crypto and financial organizations, including a suspicious job applicant encounter and a macOS malware kit the researchers call Mach-O Man. The infection chain starts with hijacked Telegram accounts and fake Teams, Meet, or Zoom sites that simulate a meeting failure and instruct victims to paste ClickFix terminal commands. The stager teamsSDK.bin downloads fake conferencing applications that solicit credentials, collect host reconnaissance, and launch follow-on Mach-O components for browser extension, network, and process profiling. Persistence is established through a LaunchAgent masquerading as an Antivirus Service or OneDrive component, while the macrasv2 stealer targets browser data, cookies, stored credentials, macOS Keychain entries, and other files for Telegram-based exfiltration.

Indicators of Compromise

