
North Korean Hackers Suspected of Creating Mac-Based Malware

'This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets macOS users,' the security firm says.

By Michael Kan, Principal Reporter


Mac users beware. North Korean hackers appear to be developing malware that can infect your computer.

Security firm Kaspersky Lab uncovered the macOS-based malware while investigating a hack at an unnamed cryptocurrency exchange in Asia. The breach was traced back to an email that convinced a company employee to download a third-party app for trading virtual currencies.

Unfortunately, the app was a Trojan in disguise. According to Kaspersky, it contained a malware strain known as Fallchill, which has been linked to a notorious North Korean hacking group called Lazarus. Once your computer is infected, Fallchill can secretly take it over to steal data or install other malicious code.

[Image: Celas Trading App]

The app came from a US-based company called Celas, which specializes in secure "blockchain solutions" for the enterprise market. When you install it, the program doesn't do anything harmful. However, Kaspersky Lab noticed that it can update itself and deliver the Fallchill malware to your computer.

"(The updater) acts like a reconnaissance module: first, it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server," Kaspersky Lab said. "If the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update."

[Image: Celas Product Downloads]

The Trojan that hit the cryptocurrency exchange was installed on a PC. But during its investigation, Kaspersky noticed that the hackers had developed Windows and Mac versions of the app, both of which contained the hidden auto-updater.

"This is the first case where Kaspersky Lab researchers have observed the notorious Lazarus group distributing malware that targets macOS users, and it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity," the security firm said.

As for Celas, Kaspersky suspects it's a fake company created by the North Koreans. The person who registered the Celas website domain paid for it using Bitcoin and listed a ramen shop in Chicago as the company's physical address. The Celas site is currently down, and the company did not immediately respond to a request for comment.

In recent months, several hacking attempts on cryptocurrency exchanges and banks have been blamed on the Lazarus group. One tactic involved trying to trick Bitcoin experts into installing malware through phishing emails that pretend to offer job positions. To protect yourself, don't download apps from little-known vendors.

"Do not automatically trust the code running on your systems," Kaspersky Lab said. "Neither good looking website, nor solid company profile nor the digital certificates guarantee the absence of backdoors. Trust has to be earned and proven."
