The North Korean state-sponsored hacking group known as "Lazarus Group" has launched a new social-engineering campaign aimed squarely at executives in the crypto and FinTech sectors.
Cybersecurity researchers at CertiK disclosed the operation on Wednesday and dubbed it "Mach-O Man", a nod to Mach-O, the executable format used by macOS.
🪤 How is the trap set? (ClickFix technique)
The attack begins with an 'urgent' meeting invitation sent to the target over Telegram. The link it contains is styled to look like a perfectly ordinary meeting link for a well-known platform such as Zoom, Microsoft Teams, or Google Meet.
⚠️ The killer step:
Clicking the link opens a fake meeting page that reports a 'connectivity issue' and asks the user to copy a Terminal command and paste it into the macOS Terminal to fix it. That pasted command is the real infection step: it runs under the victim's own account and installs the attackers' malware. From that foothold on the victim's Mac, the attackers pivot to the company's systems, SaaS platforms, and financial accounts.
💻 Precision targeting of Apple users
Natalie Newson, Senior Blockchain Security Researcher at CertiK, explained that this malware is built specifically for macOS. The tool was developed by the 'Chollima' division of the Lazarus group and, because of how potent it is, other criminal groups have started using it outside the original Lazarus operations.
🕵️‍♂️ Why is this breach hard to detect?
The real danger lies in the victim executing the final step themselves.
The page looks legitimate and convincing.
The instructions read like a routine troubleshooting step.
Standard security controls are not designed to stop a user from running a command they have deliberately pasted into their own Terminal: there is no malicious attachment or exploit to block, and the command executes with the user's own privileges.
Worse yet, by the time the company discovers the breach, the malware may have deleted itself entirely to cover the tracks.
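Because the infection step is a command typed into the victim's own shell, the one trace that often survives is the shell history. The following script is an added example (it is not code from CertiK's report, and the patterns are generic fetch-and-execute heuristics, not the actual command used in this campaign, which the report does not quote). It scans a bash or zsh history file for ClickFix-style one-liners: a download piped into a shell, base64-decoded text piped into a shell, a shell -c or eval wrapped around $(curl ...), and removal of the com.apple.quarantine attribute that lets a downloaded binary bypass Gatekeeper. The file name clickfix_scan.sh is assumed.

```shell
#!/bin/sh
# Added example, not code from CertiK or from the campaign: scan a macOS shell
# history file for ClickFix-style "paste this to fix it" one-liners.
# The patterns below are generic heuristics, NOT the command used in Mach-O Man.

# Each alternative is a shape a pasted "fix" commonly takes:
#   curl/wget piped into a shell, base64-decoded text piped into a shell,
#   "sh -c"/eval around $(curl ...), and stripping the quarantine attribute.
CLICKFIX_PATTERNS='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)|base64[[:space:]]+(-d|-D|--decode)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)|(eval|(ba|z)?sh[[:space:]]+-c)[[:space:]]+.{0,2}\$\((curl|wget)|xattr[[:space:]]+-[a-zA-Z]+[[:space:]]+com\.apple\.quarantine'

# scan_history FILE: print every matching command, one per line, and return 0
# if at least one was found (1 otherwise). Handles plain bash history and
# zsh extended history (": <epoch>:<elapsed>;<command>").
scan_history() {
    hist=$1
    found=0
    [ -r "$hist" ] || { echo "cannot read $hist" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop the zsh extended-history prefix if present.
        case $line in
            ": "[0-9]*";"*) cmd=${line#*;} ;;
            *) cmd=$line ;;
        esac
        if printf '%s\n' "$cmd" | grep -Eq -- "$CLICKFIX_PATTERNS"; then
            printf '%s\n' "$cmd"
            found=$((found + 1))
        fi
    done < "$hist"
    [ "$found" -gt 0 ]
}

# Usage: sh clickfix_scan.sh ~/.zsh_history
if [ "$#" -gt 0 ]; then
    scan_history "$1" || echo "no ClickFix-style commands found in $1" >&2
fi
```

Run it against ~/.zsh_history (or ~/.bash_history) on a Mac whose user may have pasted a "fix". A hit is not proof of compromise, since developers legitimately pipe installers into bash, but any such line that appeared right after a meeting invitation deserves a look. Note that an attacker who removes the history file defeats this check, which is why the history should be preserved before anything else is touched.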
🛡️ Bottom line: Never copy and paste Terminal commands to run on your device to fix connectivity issues or join meetings, no matter how official or urgent the invitation seems. If you have already pasted one, treat the Mac as compromised: disconnect it, preserve the shell history for investigation, and rotate every credential and signed-in session that was used from it.
