MacOS Stealer MioLab Adds ClickFix, Wallet Theft Delivery Team

Functioning as a sophisticated macOS infostealer, MioLab (also tracked as Nova) has emerged as one of the most advanced Malware-as-a-Service (MaaS) platforms specifically designed to target Apple users.

Advertised on Russian-speaking underground forums, MioLab marks a shift in the threat landscape, proving macOS is no longer a low-risk target.

As Apple’s market share grows among software engineers, executives, and cryptocurrency investors, attackers now treat Macs as highly profitable attack surfaces.

The malware uses a user-friendly web panel and a lightweight C payload that compiles to roughly 100 KB. This lean size helps evade basic signature-based antivirus detection.

It supports Intel x86-64 and Apple Silicon ARM64 architectures, running across macOS versions from Sierra through Tahoe.

MioLab’s capabilities include browser credential theft, cryptocurrency wallet draining, password manager harvesting, and file collection. A premium add-on module targets hardware wallets like Ledger and Trezor, capable of stealing a victim’s 24-word BIP39 recovery seed phrases.

LevelBlue analysts identified MioLab as a rapidly evolving threat, noting its development pace is unusually fast for an infostealer.

Reviewing changelogs through February 2026, researchers confirmed critical upgrades, including a rebuilt hardware wallet extraction module, on-device Apple Notes decryption, a working Safari cookie grabber, and a full Team API.

This API lets criminal teams programmatically generate payloads and download stolen logs without logging into the panel.

The platform also integrates Telegram bot binding for real-time victim notifications, serving organized cybercriminal affiliates known as traffers.

Infrastructure analysis revealed that MioLab’s operators run a broader cybercrime ecosystem.

The malware’s admin panel was previously hosted on playavalon[.]org, now rotated to serve an Ethereum token airdrop phishing campaign, converting residual traffic from old indicators into fresh fraud.

Both operations trace back to FEMO IT Solutions Ltd., a bulletproof hosting provider under the Defhost brand, shielding multiple malware families from law enforcement.

ClickFix Delivery: Social Engineering Through the Terminal

One of MioLab’s most notable additions is its ClickFix infection chain — a technique that tricks victims into running malicious commands in their own macOS Terminal.

The panel includes a one-click utility where operators enter their server credentials, and the system instantly produces a Terminal payload ready for deployment through fake CAPTCHA pages or cloned developer portals.

Shortly before publication, researcher Marcelo Rivero identified a live malvertising campaign distributing MioLab through a convincing clone of the Claude Code documentation site — a legitimate command-line AI tool by Anthropic.

The campaign was precisely crafted for high-value targets — developers already comfortable with running Terminal commands.

The cloned site served entirely legitimate installation instructions to Windows visitors, passing visual inspection cleanly.

For macOS users, however, it delivered a ClickFix-style payload. The first stage relied on a Base64-masked URL that, once decoded and executed, launched a curl loader to fetch the Mach-O payload, drop it into /tmp, and run an xattr -c command to strip Apple’s Quarantine attribute and bypass Gatekeeper.

Once past Gatekeeper, the malware killed open Terminal windows and displayed a fake System Preferences password dialog through AppleScript, tricking users into entering their login credentials.

The captured password was then verified against the local directory service using the dscl utility.

Once confirmed, MioLab began collecting browser cookies, passwords, cryptocurrency wallet files, Apple Notes, Telegram session data, and documents from the user’s Desktop and Downloads folders, before compressing everything into a ZIP archive and uploading it to the attacker’s command-and-control server.

To defend against MioLab, security teams and users should enforce the following protective measures.

Users must be trained to question unexpected password prompts from recently downloaded applications.

Security teams should block or monitor sensitive system utilities — such as dscl, osascript, and system_profiler — when called by unsigned apps. Access to browser profile directories and the macOS Keychain file login.keychain-db should be strictly audited.

Known malicious domains, including socifiapp[.]com, must be blocked, and any suspicious curl POST requests to external APIs should be flagged and investigated.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.