macrasv2
macrasv2 is a macOS stealer payload used in the Lazarus Group’s North Korea-linked “Mach-O Man” malware kit, including activity attributed to the group’s Chollima/Famous Chollima cluster. It has been observed in ClickFix-style intrusion chains targeting high-value users such as fintech executives, cryptocurrency and Web3 professionals, developers, and other enterprise users, primarily on macOS systems. The infection flow described in the reporting begins with Telegram-delivered fake business meeting invitations, often impersonating Zoom, Microsoft Teams, or Google Meet, that direct victims to counterfeit meeting pages and trick them into pasting a malicious command into Terminal. Subsequent stages deploy native Mach-O binaries, perform host profiling, establish persistence via a LaunchAgent, and then load macrasv2 as the final stealer stage.
macrasv2 is described as harvesting browser-stored credentials, session cookies, SQLite-stored browser data, browser extension data, macOS Keychain entries, and other files of interest. Reporting also notes theft of data that could enable follow-on compromise of SaaS platforms and corporate systems. The malware packages stolen information into an archive named user_ext.zip and exfiltrates the collected data via the Telegram Bot API. In some reporting, the malware chain also runs a self-deletion script after exfiltration.
Associated artifacts and surrounding components mentioned in the same intrusion chain include the stager teamsSDK.bin, profiler modules such as D1YrHRTg.bin, and the persistence component minst2.bin, which creates a folder named “Antivirus Service,” drops a binary disguised as OneDrive, and installs the LaunchAgent com.onedrive.launcher.plist for execution at login. Researchers also reported operational weaknesses in the broader campaign infrastructure, including exposed Telegram bot tokens and buggy logic in some modules, but the high-confidence behavior directly attributed to macrasv2 is credential, cookie, browser, Keychain, and file theft with Telegram-based exfiltration on macOS.
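As an added defender-side example (not code from the reporting or from Mallory), the following Python hunts one user's home directory for the artifact names attributed to this chain above: the com.onedrive.launcher.plist LaunchAgent, the "Antivirus Service" folder, and the user_ext.zip staging archive. The folder's placement under Library/Application Support, the plist Label, and the fixture contents are constructed assumptions, since the reporting gives names but not locations.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Artifact names as reported for the Mach-O Man chain; locations below are assumptions.
LAUNCH_AGENT = "com.onedrive.launcher.plist"
DROP_FOLDER = "Antivirus Service"
STAGING_ARCHIVE = "user_ext.zip"


def hunt_home(home: Path, max_depth: int = 4) -> list[dict]:
    """Return findings for the named artifacts under one user's home directory."""
    findings = []
    agent = home / "Library" / "LaunchAgents" / LAUNCH_AGENT
    if agent.is_file():
        finding = {"type": "launch_agent", "path": str(agent), "program": None}
        try:
            with agent.open("rb") as fh:
                plist = plistlib.load(fh)
            args = plist.get("ProgramArguments") or []
            finding["program"] = plist.get("Program") or (args[0] if args else None)
            finding["run_at_load"] = bool(plist.get("RunAtLoad", False))
        except Exception as exc:  # a malformed plist is itself worth reporting
            finding["error"] = repr(exc)
        findings.append(finding)
    base = len(home.parts)
    for root, dirs, files in os.walk(home):
        if DROP_FOLDER in dirs:
            findings.append({"type": "drop_folder", "path": str(Path(root) / DROP_FOLDER)})
        if STAGING_ARCHIVE in files:
            findings.append({"type": "staging_archive", "path": str(Path(root) / STAGING_ARCHIVE)})
        if len(Path(root).parts) - base >= max_depth:
            dirs[:] = []  # bound the walk; the reporting gives no folder location
    return findings


def constructed_demo() -> list[dict]:
    """Build a constructed, benign fixture mimicking the reported layout and hunt over it."""
    home = Path(tempfile.mkdtemp())
    drop = home / "Library" / "Application Support" / DROP_FOLDER  # placement assumed
    drop.mkdir(parents=True)
    (drop / "OneDrive").write_bytes(b"")  # empty placeholder, not a real binary
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with (agents / LAUNCH_AGENT).open("wb") as fh:  # Label assumed from the file name
        plistlib.dump({"Label": "com.onedrive.launcher",
                       "ProgramArguments": [str(drop / "OneDrive")],
                       "RunAtLoad": True}, fh)
    (home / STAGING_ARCHIVE).write_bytes(b"PK")  # constructed marker, not a real archive
    return hunt_home(home)
```

Run `hunt_home(Path.home())` on a real host; a LaunchAgent finding whose program sits inside an "Antivirus Service" folder matches the persistence behaviour described above.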
Groups observed using it
2 distinct threat actors attributed by public researchers.
...before the eventual injection of the macrasv2 stealer. Aside from stealing browser-stored credentials and cookies, such a stealer also exfiltrates Keychain secrets and other files that would allow software-as-a-service platform breaches.
A payload called macrasv2 is downloaded next, acting as a stealer targeting browser extension data, stored browser credentials and cookies, macOS Keychain entries, and other files of interest, and exfiltrating them via Telegram
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Attacks commenced with the delivery of urgent meeting invites purportedly from business contacts or colleagues that include links diverting to fake Microsoft Teams, Zoom, or Google Meet websites
According to Eldritch, an attacker contacts a business leader through Telegram, often by using a compromised account belonging to a colleague or contact known to the target. The attacker sends the target a fake Zoom, Microsoft Teams, or Google Meet invitation to set up a conversation under the pretense of a business opportunity.
Execution (2 techniques)
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (1 technique)
Credential Access (2 techniques)
Discovery (1 technique)
Collection (2 techniques)
Command and Control (2 techniques)
Exfiltration (2 techniques)
Researchers note that parts of the kit are poorly written, with some profilers entering infinite loops that continuously POST the same data to command-and-control servers... The final stealer stage... aggregates high-value data from the system before exfiltration.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A stealer payload injected during the attack chain that steals browser credentials and cookies, and exfiltrates Keychain secrets and other files.
A credential and data theft component of the Mach-O Man intrusion chain that steals browser credentials, cookies, SQLite data, and macOS Keychain entries, then archives and exfiltrates the data through Telegram.
A macOS stealer used in a Lazarus ClickFix campaign. It collects browser extension data, stored browser credentials and cookies, macOS Keychain entries, and other system-stored secrets, stages them in a temporary directory, and exfiltrates them via Telegram before self-deleting.
A stealer payload within the Mach-O Man infection chain that targets browser extension data, stored credentials, cookies, macOS Keychain entries, and other files of interest, then exfiltrates the data via Telegram.