Mach-O-Man Malware Targets Crypto and FinTech
Unfortunately, scams aren’t the only thing users have to watch for in the cryptocurrency space, as malware and other malicious technology are also a concern. Recently, an infamous North Korean hacker group released a new strain of malware, which has been dubbed Mach-O-Man.
Mach-O-Man is concerning because it specifically targets macOS systems, which tend to be more resilient to malware attacks. Read on to learn more about Mach-O-Man and how to protect yourself from this malicious software.

What is Mach-O-Man?
Mach-O-Man is malware that has been designed to attack the macOS operating system. It is currently being distributed via social engineering and whale phishing (phishing aimed at senior executives) and targets high-level executives at crypto firms.
One of the reasons this malware is so concerning is that macOS users often become complacent because their devices are more resistant to malicious software. Once installed, it only takes moments for the software to infiltrate the system and install itself to run on startup. It then collects sensitive data and sends it to a bot for sorting.
Once the data is with the bot, it is filtered to only leave critical data such as wallet addresses, seed phrases, and multi-sig approvals. This means it can give hackers an insane level of access just because of one malicious click.
How Does Mach-O-Man Work?
Although there are several steps to this malware, they all execute quickly, meaning if you make a single mistake, you could find all your security information exposed in just a few hours.
How it Starts:
The malware is delivered as a command which the victim must copy and paste into a browser. How the scammers convince the victims to do so varies.
Some reports indicate that high-level executives at cryptocurrency and FinTech companies are contacted and invited to a software demonstration. It is during this demonstration that they convince the victim to copy and paste a command into the search bar of their browser.
Others report receiving a Telegram message directing them to join an urgent Zoom or Google Meet. It is unclear whether the messages are spoofed or sent only from compromised accounts; either way, they appear to come from someone the victim knows on a professional level. When they click the link to join the meeting, they are directed to a fake support page which tells them to “update” their application by copying and pasting a command into their search bar.
If this weren’t enough, the malicious hackers also utilized SEO to create an application download page which shows up at the top of Google search results. The website advertises Claude Code, which can be freely downloaded to the user’s computer. The installation instructions begin with copying and pasting a command.
No matter where or how the command is found, once it is copied and pasted, the malware is immediately executed.
What Happens Next:
A Go-compiled stager is downloaded to the victim’s device, usually named teamsSDK.bin. This stager is used to download a fake macOS application bundle which mimics the appearance of legitimate software.
The scariest part is that the malware is so well built and carries an ad-hoc signature, so your device won’t flag it as an untrusted application.
Once downloaded, the application begins to collect user data while installing a second application. This second application appears in OneDrive labeled as “Antivirus Service.” It is programmed to relaunch at login, making the malware incredibly persistent.
The Con:
All of the data is collected and handed off to a tertiary payload, which collects browser cookies, passwords, and all sorts of sensitive data. This data is placed in a file and given to a bot while cleanup scripts run to hide evidence of the device being compromised.
As you can imagine, this is incredibly serious, especially for large crypto firms where one compromised password may lead to massive network access, allowing the hackers access to funds, user passwords, and more.
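As an added defender-side example (not from the original article), the following shell script hunts for the two on-disk artifacts named above: a file called teamsSDK.bin and a persistence entry labelled “Antivirus Service.” It assumes that entry is a LaunchAgent plist, which the article does not state, and builds a constructed fixture directory so it runs offline; point hunt_machoman at a real home directory to use it.

```shell
#!/bin/sh
# Added hunting script (not from the article). Looks for the two artifacts the
# article names: the Go stager teamsSDK.bin and a persistence item labelled
# "Antivirus Service". ASSUMPTION: the "relaunch at login" persistence is a
# LaunchAgent plist; the article does not say which mechanism is used.

# Print one "HIT ..." line per suspicious file under each directory given.
hunt_machoman() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # 1. the stager dropped by the pasted command
        find "$root" -type f -name 'teamsSDK.bin' 2>/dev/null |
            sed 's/^/HIT stager: /'
        # 2. any plist whose contents mention the fake service name
        find "$root" -type f -name '*.plist' \
            -exec grep -qi 'Antivirus Service' {} \; -print 2>/dev/null |
            sed 's/^/HIT persistence: /'
    done
}

# Number of hits; 0 means nothing matched.
count_hits() {
    hunt_machoman "$@" | grep -c '^HIT' || true
}

# Constructed fixture (fake home directory) so the example runs offline.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/Library/LaunchAgents" "$d/Downloads"
    printf 'not really a Mach-O binary' > "$d/Downloads/teamsSDK.bin"
    cat > "$d/Library/LaunchAgents/com.example.av.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>Antivirus Service</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$d/Library/LaunchAgents/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
</dict></plist>
EOF
    echo "$d"
}

fixture=$(make_fixture)
hunt_machoman "$fixture"   # prints the stager hit and the LaunchAgent hit
rm -rf "$fixture"
```

A match is only a lead: confirm with `codesign -dv` on the bundle and review the plist before removing anything.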

Who is Behind the Mach-O-Man Attack?
The Mach-O-Man attack is currently being perpetrated by Lazarus, an infamous North Korean hacking group which has carried out numerous successful hacks in recent months, including the April 2026 KelpDao attack. They were also behind the Bybit hack in February 2025.
This toolkit is not only being used by the hacker group, but it has been disseminated widely and can be utilized by any malicious hacker.
How to Protect Yourself from Mach-O-Man
Unfortunately, there is only one way to protect yourself from Mach-O-Man and that is by never copying and pasting any command into the search bar. Of course, this is easier said than done, especially for those in the tech industry.
Because this malware spreads through social engineering, it is far more dangerous than almost any other malware: the instructions almost always come from someone the victim trusts. Our only additional advice for those working in tech is to paste any command into a sandbox environment first, before running it on an important device.
We hope that companies will take the time to block the website from network computers, which will help curb the attacks. Additionally, companies should notify their employees of this new malware and the danger posed by a single copy and paste.
While we suspect that Apple is already aware and working to harden macOS against these types of attacks, software development takes time, and there is no immediate solution to protect against this malware other than ensuring you don’t download it in the first place.
Overall, we have long been skeptical of the level of scams on Telegram, and this new malware puts the icing on the cake; we will likely be deleting our app. Just remember that Telegram isn’t the only way this scam is pushed, and you should be wary of anyone asking you to copy and paste anything into your search bar. When in doubt, check every link and function in a sandbox environment before using it in a live one.
