www.darkreading.com 4/24/2026, 1:17:05 PM

Lazarus Group targets macOS users with ClickFix fake meeting scam

North Korea's Lazarus Group is using ClickFix attacks to target macOS users, expanding its reach to Mac-centric organisations and high-value leaders, according to Any[.]Run. The research, published on April 21, describes a new nation-state campaign that distributes a macOS malware kit through a multi-stage infection chain, with ClickFix leveraged for initial access and data theft.

In the campaign, the attacker contacts a business leader via Telegram, poses as a colleague, and sends a fake Zoom, Microsoft Teams, or Google Meet invitation to lure the target into running malicious code or downloading a file.

Once the user executes the command that is supposed to fix issues, the malware downloads a macOS application .bin file such as “teamsSDK[.]bin” and loads a second-stage binary, followed by a system profiler that connects to attacker C2 infrastructure. A persistence mechanism then re-invokes the kit at login, and the stealer macrasv2 exfiltrates data through Telegram.

The analysts note macrasv2 is poorly written, with incomplete components and some security weaknesses, underscoring the importance of user caution when prompted to update software or run commands. The article, written by Alexander Culafi and published on 24 April 2026, emphasises that ClickFix only works if end users run a command or open a file.

Article by CyberSIXT