
“Say My Name”: How MioLab is building MacOS Stealer Empire

· Published 30/04/2026 14:20 · Modified 04/05/2026 11:29


Essential information

Published: 30/04/2026 14:20
Modified: 04/05/2026 11:29
Tags: 2026-04-30 bulletproof hosting clickfix cryptocurrency theft maas platform macos stealer miolab
Related entities: 10 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 64 others

Description

MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes services and shares infrastruct...

External references