Editor’s note: The research is authored by Mauro Eldritch, offensive security expert and a founder of BCA LTD, a company dedicated to threat intelligence and hunting. You can find Mauro on X.
The recent wave of ClickFix attacks has introduced several new ways to compromise users, establishing itself as a technique that is likely here to stay. We have observed Lazarus Group using this method to distribute a range of malware, from well-known families to more unusual variants such as PyLangGhostRAT, a Python-based vibe-port of the original Go version, along with other oddities.
In this article, we analyze the next stage of this campaign: a newly identified macOS malware kit that is currently being actively distributed.
Executive Summary
· What’s happening: Lazarus Group is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data.
· Who is at risk: Fintech, crypto, and high-value environments where macOS is widely used by developers, executives, and decision-makers.
· How access is gained: Users execute commands themselves, allowing attackers to bypass traditional controls and operate without immediate detection.
· What attackers are after: Credentials, browser sessions, and macOS Keychain data that provide direct access to infrastructure and financial assets.
· Why this is hard to detect: The attack relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools.
· How data is exfiltrated: Telegram is used as a trusted channel to move sensitive data outside the organization.
· What this leads to: Account takeover, unauthorized infrastructure access, financial loss, and exposure of critical data.
· What this means for CISOs: A single compromised macOS device can result in full access to internal systems, production environments, or crypto assets.
· How SOCs should respond: Identify credential exposure early by introducing ANY.RUN’s cross-platform analysis capabilities, which offer a 36% higher detection rate, into triage.
New Lazarus ClickFix macOS Campaign: Why Companies Are at Risk
Lazarus Group is actively running a campaign that turns routine business communication into a direct path to credential theft and data loss.
The attack targets business leaders through Telegram, often using compromised accounts of colleagues or contacts. Victims receive what appears to be a legitimate meeting invitation and are redirected to a fake collaboration platform that mimics Zoom, Microsoft Teams, or Google Meet. The scenario is familiar and urgent, which lowers suspicion and increases the likelihood of interaction.
Messages sent by Lazarus operatives. Credit: Bitso Quetzal Team
Instead of exploiting a technical vulnerability, the attackers rely on a simple instruction. The user is prompted to “fix” a connection issue by copying and executing a command. This step shifts control to the attacker without triggering many traditional security controls, because the action is performed by the user themselves.
From that moment, the operation is focused on extracting business value as quickly as possible. The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data. These assets provide immediate access to corporate systems, SaaS platforms, and financial resources.
Telegram is used again as an exfiltration channel, allowing stolen data to be transferred through a legitimate service that blends into normal traffic.
By the time the activity is recognized as malicious, credentials may already be compromised and sensitive data already exfiltrated. At that point, the organization is dealing with:
· Unauthorized access to business systems and accounts
· Financial loss through fraudulent transactions or misuse of access
· Exposure of sensitive data leading to regulatory and reputational impact
At the core of this operation is a newly identified macOS malware kit, “Mach-O Man”, discovered by the Quetzal Team. Built as a set of Go-based Mach-O binaries, it reflects a shift toward native macOS threats. The following sections break down how this kit operates across each stage of the attack chain.
Technical Analysis of the Mach-O Man Kit
The Stager
As described earlier, in this ClickFix campaign, the victim is invited to a meeting via Telegram, typically by a compromised contact sharing a link.

The full malware kit with all its components and variants
When the user visits it, they are taken to a site impersonating a legitimate meeting platform such as Zoom, Meet, or Teams. The page then displays a fake error message claiming that, to resolve the issue, the user must copy and paste a command into their terminal.
Thanks to ANY.RUN’s Interactive Sandbox, we can safely execute this command and observe the malicious behavior inside a secure macOS VM, without risk to our systems.
See live sandbox analysis of fake Mach-O Man kit apps

Fake Mach-O Man Kit apps shown inside ANY.RUN’s sandbox
Trusted by 15,000 organizations worldwide, including 74 Fortune 100 companies, ANY.RUN accelerates triage & response by enabling SOC teams to analyze URLs and files within a private, real-time virtual environment, reproducing the full attack flow across Windows, macOS, Linux, and Android.
The result is faster, more consistent decisions across the SOC, with earlier identification of threats, reduced response time, and lower risk of incidents escalating into financial and operational impact.
Close blind spots and reduce breach risks in your company. Integrate ANY.RUN’s sandbox for early threat detection.
Pasting and running the command in the terminal leads to the installation of malware. In this case, it executes teamsSDK.bin, the stager and initial component of the Mach-O Man kit.
When executed in our laboratory, we observed an interesting behavior: when run without arguments, the binary displays a usage message indicating how to activate it and revealing support for impersonating Google, Zoom, Teams, and “System”.
Fun fact: if you try to choose Google, it politely states that it is “not yet implemented”. A surprisingly polished touch.

Stager teamsSDK.bin usage
When invoked correctly, it downloads a fake macOS Application impersonating one of the previously mentioned platforms, with “System” referring to generic macOS system prompts presented to the user. To ensure execution, the malware uses macOS’ codesign utility to apply an ad-hoc signature to the application bundle, making it appear properly signed to the system.
All applications are virtually identical, differing only in minimal visual cues. They prompt the user for their password in broken English three times in a row.

Fake Teams App prompts for user credentials
The first two attempts always shake the window, indicating that the password is incorrect (even if it is not), while the third one disappears as if the authentication had succeeded.
Regardless of which platform is being impersonated, at the end they all display Zoom’s logo along with a message stating that the installation was successful.

Zoom logo displayed on the fake Teams App
Running them interactively from the shell reveals errors during execution. Many interesting failures will be discussed throughout the analysis of the remaining components, suggesting that exhaustive testing was not conducted.

Most modules present faulty functions or unexpected errors
In the background, the next stage is downloaded, typically named in the format D1{??????}.bin. Some examples we were able to retrieve include D1YrHRTg.bin, D1yCPUyk.bin, and D1ozPVNG.bin. At the same time, the malware performs basic fingerprinting via sysctl queries, collecting information such as CPU details and system boot time.

Basic host fingerprinting
Let’s check the next stage.
The Profiler
This second binary, D1YrHRTg.bin (or any other variant you are able to retrieve), acts as a system profiler. It registers the host with the C2 and sends a system profile.
The first notable behavior is that, when executed without arguments, it once again displays a usage message, a rather kind gesture.

Most modules contain a usage message
This module relies on sysctl and local userland tools to build a comprehensive profile of the host, including hostname, a unique identifier, CPU type, boot time, operating system details, network configuration, running processes, and a list of browser extensions, with dedicated targeting of Brave, Vivaldi, Opera, Chrome, Firefox, and Safari.
Speed up triage & response workflows in your SOC. Validate alerts and analyze artifacts with ANY.RUN.
This information is written to a text file and sent to the C2 server.

The TXT file broadcasted to the C2 Server
As previously noted, some of these modules are faulty.
This one, in particular, exhibits a self-sabotaging behavior, occasionally entering an endless loop that repeatedly posts the system profile text file to the C2 server, exhausting system resources and making its presence quite obvious to the victim.

Repeated curl commands posting the same file
Next, a new binary called minst2.bin is retrieved from the /payload C2 endpoint, marking the beginning of the persistence stage.
The Persistence Mechanism
minst2.bin was slightly trickier to debug, as it does not come bundled with a usage helper, so I had to manually fine-tune both the number and type of arguments required. After reverse engineering how the previous stage invokes it, I found that it takes the machine UUID, a payload URL, and a filename as arguments, and proceeds to download a remote file named localencode, saving it locally as OneDrive and setting it up to run as a startup item.

A Bash service is created for persistence
To achieve this, it creates a folder called “Antivirus Service”, where it stores this binary, and sets up a LaunchAgent, the macOS equivalent of a Windows Service, to execute it at startup. From that point on, it re-invokes the malware kit at every login.
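As an added detection example (not code from the research or from the kit), the script below parses LaunchAgent plists and flags the persistence traits described above: a program stored under an “Antivirus Service” directory, a binary named OneDrive living outside /Applications, and a shell interpreter set to run at login. The plist contents, labels and paths are constructed samples; the /Applications check for the legitimate OneDrive location is an assumption.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample plists (not recovered from the kit). The first mirrors the
# persistence described above; the second is a benign-looking stand-in.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.antivirus.service</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>/Users/victim/Library/Antivirus Service/OneDrive</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/OneDrive.app/Contents/MacOS/OneDrive</string>
  </array>
</dict></plist>"""
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

def launch_agent_findings(plist_bytes):
    """Return reasons a LaunchAgent plist resembles the Mach-O Man persistence."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    findings = []
    for p in args:
        if p in SHELLS:
            continue                      # look at the script/binary the shell runs
        if "antivirus service" in p.lower():
            findings.append(f"program under an 'Antivirus Service' directory: {p}")
        if PurePosixPath(p).name == "OneDrive" and not p.startswith("/Applications/"):
            findings.append(f"'OneDrive' binary outside /Applications: {p}")
    if args and args[0] in SHELLS and d.get("RunAtLoad"):
        findings.append("shell interpreter run at login (weak signal on its own)")
    return findings

def scan_launch_agents(directory):
    """Scan a LaunchAgents folder (e.g. ~/Library/LaunchAgents); map plist path -> findings."""
    results = {}
    for plist in Path(directory).expanduser().glob("*.plist"):
        try:
            findings = launch_agent_findings(plist.read_bytes())
        except Exception as exc:          # a malformed plist should not stop the scan
            findings = [f"unreadable plist: {exc}"]
        if findings:
            results[str(plist)] = findings
    return results
```

Run `scan_launch_agents("~/Library/LaunchAgents")` on a host under triage; a non-empty result is a lead to verify, not a verdict.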

Moving on to the final stage, this script cleans up by deleting all ZIP files and downloaded fake applications (*.app) from the temporary directory. The parent process then proceeds to download the final binary in the kit: macrasv2.
The Stealer
Obtained from the same /payload endpoint, macrasv2 is the final stealer and the main component of the chain.
See sandbox analysis of macrasv2
It stages all previously collected data, including, but not limited to, browser extension data, stored browser credentials and cookies (typically kept in SQLite databases), macOS Keychain entries, and other files of interest, consolidating them into a temporary directory. Since this is an empty laboratory, the number of staged files is relatively small.

From there, the data is archived into a file named user_ext.zip, preparing it for exfiltration.

ZIP file ready to be exfiltrated
Exfiltration is carried out through a familiar channel, Telegram. In this case, however, the operators exposed their bot token, effectively allowing third parties to interact with the bot. This not only weakens their operational security but also simplifies reporting and potential takedown efforts.

Telegram Bot/API Key is leaked
This makes it trivial to read the bot’s messages, send messages on its behalf, and even identify its owner.

Operator identified via leaked Bot Key
Finally, the malware invokes a self-deletion script named delete_self.sh, which simply removes itself and other components using the system’s rm command.

With this, the full infection cycle is complete. Thanks to ANY.RUN’s macOS analysis capabilities, we were able to fully reconstruct it in record time. It is worth noting that this is a novel (previously unseen) malware, which would typically require significantly more time to disassemble and analyze using traditional methods.
Let’s now move on to the ATT&CK Matrix, followed by the IOCs and other interesting details.
Additional Observations
· The malware is badly written, with certain components entering infinite loops that may expose its presence due to system resource starvation.
· Operational security weaknesses were identified, such as exposed Telegram bot tokens and C2 endpoints with missing authentication.
· The use of ad-hoc code signing indicates an attempt to bypass macOS execution controls without valid developer credentials.
· Network traffic analysis shows that the malware primarily communicates over ports 8888 and 9999. Additionally, HTTP requests consistently use a User-Agent string associated with the Go programming language (e.g., Go-http-client), which aligns with other observed components of the toolset.
· The adversary’s infrastructure exposed multiple services, including WinRM, Chrome Remote Desktop, Remote Desktop Protocol (RDP), and a replica of the C2 server running on port 110.
· Reverse engineering analysis indicates that multiple components of the malware are written in Go. This is supported by the presence of Go-specific strings and referenced artifacts within the binaries, including characteristic function naming conventions, runtime structures, and the use of the standard Go HTTP client in network communications.
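The network indicators listed above (ports 8888 and 9999, the Go default User-Agent, the /payload endpoint, the D1{??????}.bin stage naming) and the profiler’s repeated-POST loop can be combined into a small log-scoring routine. The following is an added example, not code from the research; it assumes a constructed proxy log format (timestamp, source, destination:port, method, path, User-Agent), documentation-range IP addresses, and a placeholder POST path /profile for the profiler upload.

```python
import re
from collections import Counter

# Constructed HTTP proxy log (not real telemetry). Field layout, also assumed:
#   timestamp src_ip dst_ip:port method path user_agent
SAMPLE_LOG = """\
2025-01-01T10:00:01 10.0.0.5 203.0.113.10:8888 GET /D1YrHRTg.bin Go-http-client/1.1
2025-01-01T10:00:02 10.0.0.5 203.0.113.10:9999 POST /profile curl/8.4.0
2025-01-01T10:00:03 10.0.0.5 203.0.113.10:9999 POST /profile curl/8.4.0
2025-01-01T10:00:04 10.0.0.5 203.0.113.10:9999 POST /profile curl/8.4.0
2025-01-01T10:00:05 10.0.0.5 203.0.113.10:8888 GET /payload Go-http-client/1.1
2025-01-01T10:00:06 10.0.0.5 198.51.100.7:443 GET /index.html Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<ua>.+)$")
C2_PORTS = {8888, 9999}                              # ports reported in the article
STAGE_RE = re.compile(r"^/D1[A-Za-z0-9]{6}\.bin$")   # D1{??????}.bin stage naming

def event_indicators(ev):
    """Return the article's indicators matched by one parsed log event."""
    hits = []
    if ev["port"] in C2_PORTS:
        hits.append("c2-port")
    if ev["ua"].startswith("Go-http-client"):        # Go's default UA; weak on its own
        hits.append("go-user-agent")
    if STAGE_RE.match(ev["path"]):
        hits.append("d1-stage-name")
    if ev["path"] == "/payload":
        hits.append("payload-endpoint")
    return hits

def analyze_log(text):
    """Return (flagged events, repeated identical POSTs that look like the profiler loop)."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        events.append(ev)
    flagged = [(ev["ts"], ev["dst"], ev["port"], ev["path"], event_indicators(ev))
               for ev in events if event_indicators(ev)]
    # The faulty profiler re-posts the same file endlessly; 3+ identical POSTs is the signal.
    posts = Counter((ev["src"], ev["dst"], ev["port"], ev["path"])
                    for ev in events if ev["method"] == "POST")
    loops = {key: n for key, n in posts.items() if n >= 3}
    return flagged, loops

if __name__ == "__main__":
    flagged, loops = analyze_log(SAMPLE_LOG)
    print(*flagged, sep="\n")
    print(loops)
```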
Defending Against Lazarus Attacks: How CISOs Can Minimize Risk
Trust-abuse phishing, exemplified by campaigns like Mach-O Man, exploits legitimate platforms to bypass conventional security measures. Attackers manipulate human psychology with urgent meeting requests or fake technical issues, tricking users into executing malicious commands or disclosing credentials.
For SOC teams, the difficulty lies in detecting these attacks early, as they often slip past signature-based defenses by leveraging trusted services and user-driven actions.
Close Detection Gaps with Stronger Cross-Platform Triage
To combat these threats, SOCs must adopt interactive sandboxing as a cornerstone of their triage process. Unlike automated solutions, ANY.RUN eliminates critical blind spots for security teams by enabling analysis of malicious files and URLs across Windows, macOS, Linux, and Android in a single interface.

ANY.RUN’s sandbox delivers fast verdicts on malicious files and URLs
Instead of juggling separate solutions for each OS, SOC teams gain a unified sandbox environment where they can manually simulate user interactions, uncover hidden attack stages, and capture behavioral IOCs, such as unusual sysctl queries in macOS or Mach-O binary execution.
For business processes, this means streamlined triage, reducing analysis time and integrating seamlessly with SIEM/SOAR for automated threat investigations.
ANY.RUN delivers full attack context (process chains, network connections, system changes), which is especially critical for companies with hybrid infrastructures (corporate Windows, macOS for developers/designers, Linux servers, and employee Android devices), where traditional sandboxes cover only part of the risk.
Reduce MTTR by 21 minutes in your SOC. Upgrade Tier 1 productivity with ANY.RUN.
When integrated into your SOC workflows, ANY.RUN’s Sandbox delivers measurable impact, enabling security teams to:
· Identify Credential Exposure Earlier: Detect threats in under 60 seconds and reduce breach probability before escalation begins
· Reduce MTTR: Achieve up to 21 minutes faster response time and 50% quicker IOC extraction
· Detect More Relevant Threats: Identify up to 58% more threats with real-time, sandbox-verified intelligence
· Minimize High-Severity Incidents: Earlier detection lowers escalation rates and limits impact on business operations
· Improve SOC Efficiency Without Hiring: Increase team performance up to 3x and reduce Tier 1 workload by 20%
For businesses, this means fewer breaches, lower financial impact per incident, and more predictable security outcomes. Organizations gain control over both risk exposure and operational costs, rather than reacting after damage occurs.
About ANY.RUN
ANY.RUN helps over 15,000 organizations and 600,000 security professionals identify and understand threats before they turn into incidents.
The solutions combine interactive sandbox analysis and real-time threat intelligence into a single workflow, allowing SOC teams to analyze files and URLs, observe full attack behavior, and make faster, more accurate decisions. Instead of relying on delayed indicators or assumptions, analysts see what the threat actually does and what risk it creates for the business.
By strengthening monitoring, triage, and response, ANY.RUN enables organizations to detect more threats earlier, reduce response time, and limit the impact of credential theft, data exposure, and account compromise.
The result is a more predictable and efficient SOC, where decisions are made faster, incidents are contained earlier, and business risk is reduced.