Mach-O Man Malware: What CISOs Need to Know
Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Lazarus Group is conducting an active campaign distributing the Mach-O Man malware kit targeting macOS systems primarily in fintech, crypto, and other high-value environments. The infection vector involves social engineering via fake Telegram meeting invitations redirecting victims to fake collaboration platforms. Victims execute terminal commands that install a suite of Go-based Mach-O binaries comprising a stager, profiler, persistence mechanism, and stealer. The malware collects sensitive data including credentials, browser information, and Keychain entries, and exfiltrates it over Telegram. The campaign uses native macOS binaries and social engineering to bypass traditional EDR detection, facilitating account takeover and unauthorized access. Indicators include malicious domains, IPs, URLs, and file hashes associated with the campaign. There is no CVE or patch information available, and no known exploits in the wild have been confirmed.
Potential Impact
This malware campaign enables attackers to steal sensitive credentials and data from macOS systems, potentially leading to account takeover, unauthorized access to infrastructure, and financial loss. The use of social engineering and native binaries allows the malware to evade detection by common security tools, increasing the risk of successful compromise in targeted environments. Primary targets are businesses in fintech, cryptocurrency, and other sectors where macOS usage is prevalent, making these organizations particularly vulnerable.
Mitigation Recommendations
No official patch or remediation guidance is currently available for this malware. Organizations should be aware of the social engineering tactics used, such as fake meeting invitations via Telegram and fraudulent collaboration platforms, and educate users never to paste or execute terminal commands supplied by an untrusted page or contact. Monitoring for the listed indicators of compromise (malicious domains, IP addresses, URLs, and file hashes) can aid detection. Since the malware uses native macOS binaries to evade traditional EDR, consider behavioral detection tools and network monitoring for unusual Telegram traffic from endpoints. Patch status is not yet confirmed; check vendor advisories and threat intelligence sources regularly for updates.
Indicators of Compromise
- domain: livemicrosft.com
- url: http://172.86.113.102/localencode
- url: http://livemicrosft.com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1
- url: http://update-teams.live/teams
- domain: update-teams.live
- ip: 172.86.113.102
Technical Details
- Author: AlienVault
- TLP: white
- References: https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
- Adversary: Lazarus Group
- Pulse Id: 69e82714e5cf2d1fb9fe1b0a
- Threat Score: null
Threat ID: 69e88ad519fe3cd2cd81f509
Added to database: 4/22/2026, 8:46:13 AM
Last enriched: 4/22/2026, 9:02:21 AM
Last updated: 4/23/2026, 1:06:17 AM