lazarusholic


New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses

2026-04-21, AnyRun
https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
#ClickFix #Lazarus #macOS

Editor’s note: The research is authored by Mauro Eldritch, offensive security expert and a founder of BCA LTD, a company dedicated to threat intelligence and hunting. You can find Mauro on X.
The recent wave of ClickFix attacks has introduced several new ways to compromise users, establishing itself as a technique that is likely here to stay. We have observed Lazarus Group using this method to distribute a range of malware, from well-known families to more unusual variants such as PyLangGhostRAT, a Python-based vibe-port of the original Go version, along with other oddities.
In this article, we analyze the next stage of this campaign: a newly identified macOS malware kit that is currently being actively distributed.
Executive Summary
- What’s happening: Lazarus Group is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data.
- Who is at risk: Fintech, crypto, and high-value environments where macOS is widely …

IoC
