“Say My Name”: How MioLab is building MacOS Stealer Empire
MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...
AI Analysis
Technical Summary
MioLab (also known as Nova) is a sophisticated macOS-focused Malware-as-a-Service platform advertised on Russian-speaking underground forums. It features extensive data exfiltration capabilities targeting browser credentials and cryptocurrency wallets, supporting over 200 browser extensions and 50+ desktop wallets. A premium module targets Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The malware payload is written in C, lightweight, and compatible with Intel and Apple Silicon architectures across macOS Sierra to Tahoe. It employs advanced social engineering via customizable DMG builders with live previews, fake system prompts, and ClickFix integration. Recent enhancements include Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The infrastructure uses bulletproof hosting services and shares components with other malware families. There are no known public exploits or patches available.
Potential Impact
MioLab enables attackers to steal sensitive user data on macOS systems, including browser credentials and cryptocurrency wallet information, potentially leading to financial theft and account compromise. The ability to intercept hardware wallet recovery phrases significantly increases the risk to users relying on Ledger and Trezor devices. The malware's compatibility with multiple macOS versions and architectures broadens its potential victim base. While no known exploits in the wild have been reported, the platform's active development and extensive capabilities pose a medium-level threat to macOS users, especially those involved in cryptocurrency.
Mitigation Recommendations
There is no official patch or vendor advisory available for this threat. Users should exercise caution when opening unsolicited or suspicious DMG files, especially those received via social engineering channels. Employing endpoint protection solutions capable of detecting macOS malware and monitoring for unusual activity related to browser credentials and wallet access is recommended. Given the lack of official fixes, vigilance and user education are critical. Regular backups and use of hardware wallets with strong physical security measures can help mitigate potential losses.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire
- Adversary: MioLab
- Pulse ID: 69f3653e884ec7a430371ba3
- Threat Score: null
Threat ID: 69f884b6cbff5d861010660c
Added to database: 5/4/2026, 11:36:22 AM
Last enriched: 5/4/2026, 11:51:23 AM
Last updated: 6/18/2026, 8:10:08 AM