North Korea's Lazarus Targets macOS Users via ClickFix

THREAT INTELLIGENCE DATA PRIVACY CYBERSECURITY OPERATIONS APPLICATION SECURITY NEWS North Korea's Lazarus Targets macOS Users via ClickFix Lazarus continues leveraging ClickFix for initial access and data theft, in this case, against Mac-centric organizations and their high-value leaders. Alexander Culafi,Senior News Writer,Dark Reading April 24, 2026 4 Min Read SOURCE: ALEXEY STIOP VIA ALAMY STOCK PHOTO North Korea's Lazarus Group is using ClickFix attacks to launch cyberattacks using novel macOS malware. That's according to security vendor Any.Run, which on April 21 published research concerning a new nation-state threat campaign. Authored by offensive security expert and Birmingham Cyber Arms founder Mauro Eldritch, the report covers a wave of ClickFix attacks targeting organizations, used to distribute a range of malware. This latest research focuses primarily on a newly identified macOS malware kit that is currently being leveraged in the wild. ClickFix is a social engineering technique that rose to prominence over the past year or so. A threat actor tricks the victim into visiting attacker-operated infrastructure, such as a website masquerading as a fake Zoom meeting. When the victim reaches the Web page, they are told there are technical issues that may only be resolved if they update their software. The attacker usually instructs the victim into running malicious code, either by copying and pasting a run command (on Windows) or downloading and opening a file with the code on it (typically in macOS).  Related:Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets ClickFix has been a favorite tactic of North Korean threat actors lately. Entities like Lazarus Group use it for initial access, with the ultimate goal of stealing cryptocurrency or intellectual property, or to conduct espionage. In this latest campaign, Lazarus Group is targeting FinTech, cryptocurrency, and high-value leaders in organizations with a substantial reliance on macOS devices. The Complete macOS Malware Attack Chain According to Eldritch, an attacker contacts a business leader through Telegram, often by using a compromised account belonging to a colleague or contact known to the target. The attacker sends the target a fake Zoom, Microsoft Teams, or Google Meet invitation to set up a conversation under the pretense of a business opportunity. North Korean actors have also used a potential job offer as a lure. The target joins the call and is prompted to enter a command to fix connection issues. Because the command is entered by the user, many traditional security controls remain untriggered. And because users are conditioned to agree to taking actions like updating software, techniques like ClickFix might not raise as many red flags to the user as a traditional phishing email. Especially when the attacker uses a business meeting as a means of lowering the target's guard ahead of time. Then, "the operation is focused on extracting business value as quickly as possible," the blog post read. "The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data." Such assets can then provide access to corporate systems, software-as-a-service (SaaS) platforms, and financial resources, Any.Run added. Related:Africa Relinquishes Cyberattack Lead to Latin America — For Now Once the user enters the command and connects to attacker infrastructure, malware is downloaded as a macOS application .bin file under an unassuming name, like "teamsSDK.bin." This application installs the second stage binary and includes additional ways of gaining the user's trust, such as a message saying software is updated.  The next binary is a system profiler that connects to attacker-hosted command-and-control (C2) infrastructure. This is then followed by a persistence mechanism that re-invokes the malware kit at every login before the primary component, a stealer named "macrasv2," is loaded.  The stealer stages previously collected data like browser extension data, stored browser credentials and cookies, macOS keychain entries, and more, and consolidates them into a temporary directory for exfiltration through Telegram. Macrasv2 then runs a self-deletion script and the infection chain is complete.  While many North Korean state-sponsored attacks are sophisticated in nature, Eldritch noted that macrasv2 is "badly written." Several components remain either unimplemented or incorrectly implemented, while some components enter "infinite loops that may expose its presence due to system resource starvation." The malware also left multiple operational security weaknesses, including exposed Telegram bot tokens and C2 endpoints with missing authentication. Related:'The Gentlemen' Rapidly Rises to Ransomware Prominence How to Avoid ClickFix Compromise While Any.Run's blog contains indicators of compromise, it must also be noted that no matter how sophisticated an attack chain may seem, ClickFix only works if the end user runs a command or downloads a file.  As such, the best way for organizations to combat ClickFix is to educate leaders and employees on how the technique works and why it's successful, and not to run suspicious commands or open files as a means to solve connectivity problems.  Aleksey Lapshin, CEO of Any.Run, tells Dark Reading that Mac users in particular should be trained out of the illusion of safety many have, based on a history of being told "Macs don't get malware." Organizations should also actively track ClickFix samples in the wild and feed the actual commands back into EDR rules and execution policies. Finally, log and restrict high-risk commands on endpoints like curl, wget, osascript, and bash; the CEO says many organizations don't monitor this at all, especially on macOS. "Attackers always look for the cheapest entry point with the highest hit rate. Breaking through the outer moat of enterprise security, such as email gateways, EDR, perimeter filtering, gets more expensive every year, so they're picking new paths," Lapshin says. "And the cheapest path right now is one where the attacker is literally the user, voluntarily executing commands on their own machine." About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The Agentic SOC: Exploring the Practitioner Mindset as AI Permeates SecOps The Total Economic Impact™ Of Google SecOps The Business Value of Google Threat Intelligence The Total Economic Impact™ Of Google SecOps AI-driven SecOps: Transforming Financial Services Security Access More Research Webinars Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap Security in the AI Age More Webinars You May Also Like THREAT INTELLIGENCE Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish by Jai Vijayan MAR 17, 2026 THREAT INTELLIGENCE Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi MAR 06, 2026 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Chinese Gov't Fronts Trick the West to Obtain Cyber Tech by Nate Nelson, Contributing Writer OCT 06, 2025 Editor's Choice VULNERABILITIES & THREATS EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses byRob Wright APR 14, 2026 8 MIN READ СLOUD SECURITY CSA: CISOs Should Prepare for Post-Mythos Exploit Storm byAlexander Culafi APR 13, 2026 6 MIN READ СLOUD SECURITY Navigating the Unique Security Risks of Asia's Digital Supply Chain byAlexander Culafi APR 15, 2026 3 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection LOADING... Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Security in the AI Age TUES, APRIL 28, 2026 AT 1PM EST More Webinars White Papers Reinventing the SOC with agentic AI Enhancing SecOps with Google Threat Intelligence Enhancing SecOps with Google Threat Intelligence Enhancing SecOps with Google Threat Intelligence Reinventing the SOC with agentic AI Explore More White Papers