Lazarus Group Uses Fake Meeting Hack

North Korea’s Lazarus Group has launched a new macOS malware campaign called Mach-O Man that uses fake online meeting invitations to trick crypto and fintech executives into executing malicious commands on their own devices, according to blockchain security firm CertiK.

North Korea’s Lazarus Group is running a new campaign dubbed Mach-O Man that targets executives at crypto, fintech, and other high-value firms by disguising malware delivery as a routine technical fix during a fake business meeting, according to CertiK senior blockchain security researcher Natalie Newson. The campaign was disclosed on April 22 and represents one of the group’s most operationally sophisticated social engineering methods to date.

Lazarus Group Crypto Hack Hides Behind Routine Business Communications

The attack chain begins with an urgent-looking meeting invitation sent over Telegram, impersonating a Zoom, Microsoft Teams, or Google Meet call. The link leads to a convincing but fake website that tells the victim to paste a single command into their Mac terminal to resolve an apparent connection issue, a technique CertiK identifies as ClickFix. Once executed, the command installs a modular malware kit built from native Mach-O binaries tailored for Apple environments, which profiles the host, establishes persistence, and exfiltrates credentials and browser data through a Telegram-based command-and-control channel. Critically, the toolkit auto-deletes after completing its task, making detection and forensic analysis extremely difficult. “These fake verification steps guide victims through keyboard shortcuts that run a harmful command,” CertiK’s Newson told CoinDesk. “The page looks real, the instructions seem normal, and the victim initiates the action themselves, which is why traditional security controls often miss it.”

Why This Attack Is Harder to Catch Than Standard Phishing

Unlike traditional phishing attacks that rely on urgency cues or suspicious sender addresses, the Mach-O Man campaign is designed to look entirely routine at the moment of delivery. Executives in crypto and fintech routinely receive cold outreach from investors, researchers, and business partners, making the fake meeting invitation format a credible lure in a way that generalized phishing often is not. CertiK’s analysis notes that the Mach-O Man framework is tied to Lazarus’ Famous Chollima unit and distributed through compromised Telegram accounts specifically targeting high-value organizations in the digital asset space. Most victims will not realize they have been compromised until well after the malware has erased itself. “They likely don’t know it yet,” Newson said. “If they do, they probably can’t identify which variant affected them.”

The Scale of the Lazarus Threat to Crypto in 2026

CertiK has linked the Mach-O Man campaign to a broader Lazarus offensive that has siphoned more than $500 million from DeFi platforms Drift and KelpDAO in under two weeks, adding to a cumulative theft total estimated at $6.7 billion since 2017. The United Nations has previously estimated that North Korean hackers have stolen several billion dollars in digital assets to fund the country’s weapons programs. “What makes Lazarus especially dangerous right now is their activity level,” Newson said. “This isn’t random hacking. It’s a state-directed financial operation running at a scale and speed typical of institutions.” CertiK is advising crypto professionals to independently verify all meeting requests through a separate channel before clicking any link or downloading any attachment from an unsolicited invitation.

CertiK has shared indicators of compromise tied to the Mach-O Man campaign with the broader security community to support detection and defense efforts across the industry.