Lazarus Group is not a single trojan but a North Korean state-sponsored APT whose macOS malware has been documented since the 2018 AppleJeus campaign. On macOS it targets cryptocurrency and financial-sector users with trojanized trading applications, fake job offers and malicious coding tests, and it is responsible for billions of dollars in cryptocurrency theft. CoreLock detects its known macOS malware families with YARA signatures plus behavioral, network and code-signing checks (see Real-time Detection below).
Also known as: AppleJeus (trojanized trading-app campaign), HOPLIGHT (backdoor), Hidden Cobra (US government name for the group), Lazarus APT macOS
Lazarus Group is a North Korean state-sponsored APT that has increasingly targeted macOS users, particularly in the cryptocurrency and financial sectors. Their macOS campaigns use trojanized cryptocurrency trading applications and fake job offers. The group is responsible for billions of dollars in cryptocurrency theft globally.
Trojanized cryptocurrency trading platforms (AppleJeus campaign)
Fake job offer documents targeting developers and finance professionals
Supply chain attacks through compromised npm and PyPI packages
LinkedIn and job board social engineering with malicious interview tasks
Installed a cryptocurrency trading app from an unfamiliar exchange
Opened a job offer or coding test document from an unknown recruiter
Unknown process making connections to known Lazarus C2 infrastructure
Encrypted data being staged in temporary directories for exfiltration
Disconnect from all networks immediately. Lazarus malware actively exfiltrates data and can pivot to other systems on the network. Consider this a high-severity incident.
Before cleaning, capture a disk image or Time Machine snapshot for forensic analysis. APT attacks may require investigation of the full scope of compromise.
Delete the fake trading platform or job offer application. Then check for related files and persistence entries in ~/Library/Application Support, ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons, and hidden directories (names beginning with a dot) under your home folder.
Assume all cryptocurrency wallets accessed from this Mac are compromised. Transfer funds to new wallets created on a verified clean device immediately.
Run a CoreLock deep scan and consider engaging professional incident response. State-sponsored malware may have capabilities beyond what consumer scanning detects.
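The persistence check in the removal steps above can be done by hand, but it is easy to miss an entry whose label imitates an Apple service. The script below is an added example written for this page, not CoreLock code: it parses launchd plists with the standard library and flags jobs that run from user-writable or hidden locations, use an inline shell command, or carry a com.apple.* label while pointing at a non-Apple binary. The two sample plists, their labels and paths are constructed for illustration and are not indicators from any real campaign.

```python
"""Triage launchd persistence entries (LaunchAgents/LaunchDaemons) on macOS.

Added example, not CoreLock's code. Runs on any OS for the constructed
samples; on a Mac, triage_dirs() walks the real launchd directories.
"""
import plistlib
import re
from pathlib import Path

# Where launchd loads persistent jobs from. The two /Library dirs need root
# to write to, but a trojan that asked for an admin password can use them.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Locations a trojanized installer or fake "coding test" typically drops its
# payload in. Legitimate daemons rarely run from any of these.
SUSPICIOUS_LOCATIONS = [
    re.compile(r"^/(private/)?tmp/"),
    re.compile(r"^/Users/[^/]+/(Downloads|Desktop|Documents)/"),
    re.compile(r"^/Users/[^/]+/Library/Application Support/"),
    re.compile(r"^/Users/Shared/"),
    re.compile(r"(^|/)\.[^/]+/"),  # any hidden directory component
]

# Root/SIP-controlled prefixes: a program here is not flagged by location.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def program_and_args(job: dict) -> list[str]:
    """Every string launchd would execute or pass: Program plus ProgramArguments."""
    out = []
    if isinstance(job.get("Program"), str):
        out.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        out.extend(a for a in args if isinstance(a, str))
    return out


def assess_job(job: dict) -> list[str]:
    """Return reasons a job deserves a closer look; an empty list means nothing odd."""
    strings = program_and_args(job)
    if not strings:
        return ["no Program or ProgramArguments"]
    reasons = []
    for s in strings:
        if s.startswith(APPLE_PREFIXES):
            continue
        if any(p.search(s) for p in SUSPICIOUS_LOCATIONS):
            reasons.append(f"runs from user-writable or hidden path: {s}")
    exe = strings[0]
    if exe in SHELLS and "-c" in strings:
        reasons.append("inline shell command instead of a program path")
    # The real payload is the first absolute path that is not an Apple interpreter.
    payload = next((s for s in strings
                    if s.startswith("/") and not s.startswith(("/bin/", "/usr/bin/"))), exe)
    label = job.get("Label", "")
    if label.startswith("com.apple.") and not payload.startswith(APPLE_BINARY_PREFIXES):
        reasons.append(f"Apple-style label {label!r} but payload is {payload}")
    # Self-restarting is normal for daemons, so only note it alongside another finding.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: restarts itself if killed")
    return reasons


def triage_plist(data: bytes, source: str = "<memory>") -> dict:
    """Parse one XML or binary plist and assess it."""
    job = plistlib.loads(data)
    strings = program_and_args(job)
    return {"source": source, "label": job.get("Label"),
            "program": strings[0] if strings else None, "reasons": assess_job(job)}


def triage_dirs(dirs=LAUNCHD_DIRS) -> list[dict]:
    """Walk launchd directories; return only jobs with findings."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                r = triage_plist(p.read_bytes(), str(p))
            except Exception as e:  # malformed plist is itself worth a look
                r = {"source": str(p), "label": None, "program": None,
                     "reasons": [f"unparseable plist: {e}"]}
            if r["reasons"]:
                findings.append(r)
    return findings


# Constructed sample: the shape of an entry a fake trading app might drop.
SAMPLE_TROJAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updatehelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/trader/Library/Application Support/.TradeHelper/update</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary app agent that should produce no findings.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backupd</string><string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for r in [triage_plist(SAMPLE_TROJAN_PLIST, "sample"), *triage_dirs()]:
        print(r["source"], r["label"], r["program"], *r["reasons"], sep="\n  ")
```

Anything the script flags still needs a manual look on the Mac itself: run `codesign -dv --verbose=4 <path>` on the payload to see whether it is signed and by whom, and capture the file before deleting it, as the removal steps above advise.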
Verify cryptocurrency platforms through multiple independent sources before installing
Be suspicious of unsolicited job offers requiring you to run code or install software
Use hardware wallets for all significant cryptocurrency holdings
Enable CoreLock's network monitoring to detect connections to known APT infrastructure
Real-time Detection
CoreLock detects Lazarus Group malware through YARA signatures matching known AppleJeus and HOPLIGHT variants, behavioral analysis of cryptocurrency wallet access patterns, network monitoring against known Lazarus C2 IP ranges and domains, and code signing verification flagging certificates associated with Lazarus campaigns.
Lazarus Group is a state-sponsored hacking group attributed to North Korea's Reconnaissance General Bureau. They are responsible for high-profile attacks including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware, and billions of dollars in cryptocurrency theft. Their macOS malware targets crypto and finance professionals.
Lazarus Group primarily targets cryptocurrency holders and financial sector employees because stolen funds finance North Korea's weapons programs. Individual developers and traders with access to crypto wallets are high-value targets, and macOS is widely used in these industries.
Red flags include unsolicited offers via LinkedIn or email asking you to download and run a coding test, install a trading platform, or open a document with macros. Legitimate recruiters will not ask you to run executables. If in doubt, verify the company independently.
Download CoreLock to detect and remove Lazarus Group and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.