“Say My Name”: How MioLab is building MacOS Stealer Empire
Essential information
- Published: 30/04/2026 14:20
- Modified: 04/05/2026 11:29
- Tags: 2026-04-30 bulletproof hosting clickfix cryptocurrency theft maas platform macos stealer miolab
- Related entities: 10 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 64 others
Description
MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...