Lazarus’ Mach-O Man steals macOS Keychain via fake meeting invites

Lazarus Group deployed Mach-O Man in April 2026, using fake Zoom, Teams and Meet invites to trick macOS fintech and crypto staff into running a stager that steals Keychain and wallet access.

North Korea’s Lazarus Group deployed a modular macOS malware kit called Mach-O Man in April 2026, researchers at Bitso’s Quetzal Team and the ANY.RUN sandbox platform reported on April 21, 2026. The kit is compiled in Go as Mach-O binaries for both Intel and Apple Silicon and runs in four stages to collect browser credentials, Keychain entries and crypto account data.

The campaign begins with social engineering. Attackers compromise or impersonate Telegram accounts used by colleagues in Web3 and crypto networks and send urgent meeting invites for Zoom, Microsoft Teams or Google Meet. The links point to fake sites such as update-teams.live and livemicrosft.com that display a simulated connection error and instruct the target to copy and paste a Terminal command to “fix” the problem. The initial stager, teamsSDK.bin, is downloaded via curl and launches a fake app bundle that is ad-hoc code signed and prompts the user for their macOS password. The prompt is designed to reject credentials twice and accept them on the third attempt.

After launch, a profiler binary collects system details including hostname, UUID, CPU and OS information, running processes and installed browser extensions across Brave, Chrome, Firefox, Safari, Opera and Vivaldi. The researchers observed a coding bug in the profiler that can create an infinite loop and produce noticeable CPU spikes. A persistence module drops a renamed file called Onedrive into a hidden folder labeled “Antivirus Service” and registers a LaunchAgent named com.onedrive.launcher.plist so the malware runs at login.

The final stage is a stealer binary identified as macrasv2. It harvests browser extension metadata, SQLite credential databases and macOS Keychain items, compresses the data into a zip archive and exfiltrates it via the Telegram Bot API. The analysis found a Telegram bot token embedded in the binary. The Quetzal Team published SHA-256 hashes for the main components and network indicators that include IP addresses 172.86.113.102 and 144.172.114.220.

Researchers reported seeing the Mach-O Man kit used by actors beyond Lazarus, indicating the tooling is shared or sold within the threat actor ecosystem. Threat intelligence firms track Lazarus under names including Famous Chollima; the group’s previous macOS tools include Applejeus and Rustbucket.

Security teams at crypto and fintech firms were advised to audit LaunchAgents directories, monitor for Onedrive processes running from unusual paths, and block outbound Telegram Bot API traffic where it is not required. Users were warned not to paste Terminal commands copied from web pages or unsolicited meeting links and to verify urgent meeting invites through a separate communication channel.
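One way to act on the LaunchAgents audit described above, as an added example rather than the researchers' or GNcrypto's own code: a small Python script that parses each agent plist and flags the three indicators the report names (the com.onedrive.launcher label, the hidden "Antivirus Service" folder, and a renamed Onedrive binary outside the usual application paths). The trusted-path prefixes and the sample plists written by demo() are assumptions constructed for the demo, not real artifacts.

```python
# Added example (not the researchers' tooling): audit a LaunchAgents directory
# for the Mach-O Man persistence indicators named in the report. demo() writes
# constructed sample plists to a temp dir; they are not real malware artifacts.
import os
import plistlib
import tempfile

SUSPECT_LABEL = "com.onedrive.launcher"
SUSPECT_BINARY = "onedrive"           # renamed payload, matched case-insensitively
SUSPECT_FOLDER = "antivirus service"  # hidden drop folder from the report
TRUSTED_PREFIXES = ("/applications/", "/system/", "/library/")  # where a real OneDrive lives (assumed)

def check_agent(plist):
    """Return the indicator names matched by one parsed LaunchAgent plist."""
    # launchd runs ProgramArguments[0] if present, otherwise Program.
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    path, hits = str(args[0]).lower(), []
    if plist.get("Label") == SUSPECT_LABEL:
        hits.append("label")
    if SUSPECT_FOLDER in path:
        hits.append("hidden-folder")
    if os.path.basename(path) == SUSPECT_BINARY and not path.startswith(TRUSTED_PREFIXES):
        hits.append("unusual-path")
    return hits

def audit_launch_agents(agent_dir):
    """Map each .plist in agent_dir to its matched indicators; clean files are omitted."""
    findings = {}
    for name in sorted(os.listdir(agent_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agent_dir, name), "rb") as fh:
                hits = check_agent(plistlib.load(fh))
        except Exception:
            continue  # unreadable or malformed plist: skip it, don't abort the sweep
        if hits:
            findings[name] = hits
    return findings

def demo():
    # One constructed malicious agent and one benign agent, audited together.
    tmp = tempfile.mkdtemp()
    agents = {
        "com.onedrive.launcher.plist": {"Label": SUSPECT_LABEL, "RunAtLoad": True,
            "ProgramArguments": ["/Users/demo/.Antivirus Service/Onedrive"]},
        "com.example.updater.plist": {"Label": "com.example.updater",
            "Program": "/Applications/Updater.app/Contents/MacOS/Updater"},
    }
    for fname, data in agents.items():
        with open(os.path.join(tmp, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return audit_launch_agents(tmp)
```

On a real host, point audit_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents; a "label" or "hidden-folder" hit is strong on its own, while "unusual-path" alone deserves a look at the binary's signature before concluding anything.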
