Back to Intelligence

Lazarus & WageMole Campaigns: macOS ClickFix, Mach-O Man & Dev Supply Chain Attacks — OTX Pulse Analysis

SA
Security Arsenal Team
May 21, 2026
5 min read

Recent OTX pulses indicate a convergence of sophisticated attacks targeting macOS environments and software supply chains. The Lazarus Group is actively conducting a "ClickFix" campaign distributing the "Mach-O Man" malware kit and PyLangGhostRAT, utilizing fake meeting invitations to trick users into executing terminal commands. Concurrently, the threat actor Void Dokkaebi (WageMole) has evolved operations into a self-propagating supply chain threat, using fake job interviews to lure developers into cloning malicious repositories that infect VS Code environments with DEV#POPPER RAT and OmniStealer. Additionally, a widespread macOS ClickFix campaign is leveraging fake CAPTCHAs to deploy AppleScript-based stealers targeting crypto wallets and browser credentials. The collective objective is credential theft, financial compromise, and establishing persistence within high-value development and fintech sectors.

Threat Actor / Malware Profile

Adversaries: Lazarus Group, Void Dokkaebi (WageMole), Unknown (AppleScript Stealer actor).

Malware Families:

  • Mach-O Man / PyLangGhostRAT (Lazarus Group):
    • Distribution: ClickFix social engineering via Telegram (fake Zoom/Teams invites).
    • Payload Behavior: macOS Mach-O binaries; executes commands to steal browser data and system info.
    • C2 Communication: Exfiltrates data via Telegram channels.
    • Persistence: Likely utilizes LaunchAgents or LaunchDaemons.
  • DEV#POPPER RAT / InvisibleFerret / OmniStealer (Void Dokkaebi):
    • Distribution: Supply chain compromise (Git repository poisoning), VS Code task exploitation.
    • Payload Behavior: Worm propagation via Git history; steals credentials and session tokens.
    • Persistence: Malicious VS Code task configurations that execute on workspace load.
  • AppleScript Stealer (Unknown):
    • Distribution: Fake CAPTCHA pages (ClickFix).
    • Payload Behavior: Harvests Keychain databases, cookies from 12 browsers, 200+ extensions, and 16 crypto wallets.

IOC Analysis

The provided IOCs indicate a hybrid network and file-based threat:

  • Domains: Typosquatting and dynamic DNS domains are used for initial access and C2 (e.g., livemicrosft.com, bull-run.fun). SOC teams should block these at the DNS layer and hunt for historical connections in proxy logs.
  • File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes are provided for the malware binaries. EDR solutions should be configured to block execution on match.
  • Tooling: YARA rules can be generated from the file hashes. Network detection should focus on the suspicious .fun TLDs and the livemicrosft.com typo.

Detection Engineering

Sigma Rules

YAML
title: Potential macOS ClickFix Terminal Execution
id: 6e9b03c4-1f0a-4c5b-9b2c-1a2b3c4d5e6f
description: Detects suspicious terminal commands often used in ClickFix attacks where a curl/wget command is piped to bash or executed via osascript, indicative of Mach-O Man or AppleScript stealer installation.
status: experimental
date: 2026/05/22
author: Security Arsenal
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/bin/bash'
      - '/bin/sh'
      - '/bin/zsh'
      - '/usr/bin/osascript'
    CommandLine|contains:
      - 'curl '
      - 'wget '
  condition: selection
falsepositives:
  - Legitimate software installation scripts
level: high
tags:
  - attack.execution
  - attack.t1059.004
---
title: VS Code Suspicious Task Execution
id: 7a0d14e5-2g1b-5d6c-0c3d-2b3c4d5e6f7g
description: Detects execution of code via VS Code internal terminals or tasks, a vector used by Void Dokkaebi to propagate DEV#POPPER RAT and BeaverTail.
status: experimental
date: 2026/05/21
author: Security Arsenal
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    ParentImage|contains: 'Visual Studio Code'
    Image|endswith:
      - '/node'
      - '/python'
      - '/bin/bash'
  condition: selection
falsepositives:
  - Developer debugging activities
level: medium
tags:
  - attack.initial_access
  - attack.t1192
---
title: macOS Credential Harvesting via AppleScript
id: 8b1e25f6-3h2c-6e7d-1d4e-3c4d5e6f7g8h
description: Detects AppleScript accessing browser cookie or credential directories, behavior associated with the AppleScript infostealer campaign.
status: experimental
date: 2026/05/21
author: Security Arsenal
logsource:
  product: macos
  category: file_access
detection:
  selection:
    Image|endswith: '/usr/bin/osascript'
    TargetFilename|contains:
      - '/Library/Application Support/Google/Chrome/'
      - '/Library/Safari/'
      - '/Library/Cookies/'
  condition: selection
falsepositives:
  - Legitimate automation scripts
level: high
tags:
  - attack.credential_access
  - attack.t1555.001

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known malicious domains from ClickFix campaigns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("livemicrosft.com", "bull-run.fun", "spot-wave.fun", "gen.detect.by.nscloudsandbox.tr")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, Action
| extend FullURL = strcat("https://", RemoteUrl, "/")
| order by Timestamp desc

Bash IOC Hunt Script

Bash / Shell
#!/bin/bash
# IOC Hunt for Lazarus/WageMole Indicators
# Checks for active network connections to suspicious domains

echo "Checking for active connections to known C2 domains..."

DOMAINS=("livemicrosft.com" "bull-run.fun" "spot-wave.fun")

for domain in "${DOMAINS[@]}"; do
    if nslookup "$domain" | grep -q "Address"; then
        echo "[WARNING] DNS resolution successful for malicious domain: $domain"
    fi
done

echo "Checking for common malware persistence locations..."

# Check for common VS Code exploit locations
echo "Scanning VS Code workspace storage for suspicious tasks..."
if [ -d "$HOME/.config/Code/User/workspaceStorage" ]; then
    find "$HOME/.config/Code/User/workspaceStorage" -name "*." -exec grep -l "node.*beaver" {} \; 2>/dev/null && echo "[ALERT] Potential BeaverTail payload found in VS Code config."
fi

# Check for recent suspicious downloads in common directories
echo "Scanning Downloads for recent binaries..."
find ~/Downloads -name ".sh" -o -name ".command" -mtime -2 2>/dev/null | while read file; do
    echo "[INFO] Found recent script: $file"
done


# Response Priorities

*   **Immediate:**
    *   Block all listed domains (`livemicrosft.com`, `bull-run.fun`, `spot-wave.fun`) at the proxy and firewall.
    *   Scan all endpoints for the provided SHA256 file hashes.
    *   Isolate devices showing signs of ClickFix execution (terminal commands initiated from browser).
*   **24 Hours:**
    *   Conduct credential resets for users in targeted sectors (Finance/Tech) if potential credential theft is suspected.
    *   Audit Git repositories for unauthorized history pushes or malicious VS Code tasks.
*   **1 Week:**
    *   Implement strict allow-listing for VS Code extensions and workspace trust settings.
    *   Update security awareness training to include ClickFix (fake CAPTCHA/fake meeting) tactics.
    *   Restrict execution of unsigned Mach-O binaries.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptlazarus-groupmacos-malwareclickfixsupply-chain-attackwagemole

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action