Threats Tagged 'macos stealer'
View all threats tagged with 'macos stealer'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'macos stealer'
Click on any threat for detailed analysis and mitigation recommendations
“Say My Name”: How MioLab is building MacOS Stealer Empire 0 MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct... Join the discussion | AlienVault OTX General | 04/30/2026, 14:20:46 UTC Added: 05/04/2026, 11:36:22 UTC |
A new Mac stealer targeting $10K+ crypto wallets 0 A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF) who returned after a 2023 exit from underground forums. This Go-written modular stealer exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through ClickFix social engineering and malicious DMG files disguised as legitimate applications like WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, notnullOSX bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and backdoor with remote module update capabilities. Join the discussion | AlienVault OTX General | 04/15/2026, 14:59:34 UTC Added: 04/15/2026, 15:46:50 UTC |
AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers 0 A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals system passwords and downloads an AMOS variant. The script uses native macOS commands to harvest credentials, bypass security, and execute malicious binaries. Russian-language comments in the source code suggest involvement of Russian-speaking cybercriminals. The campaign's delivery sites show flawed logic, indicating hasty assembly. This multi-platform social engineering attack targets both consumer and corporate users, highlighting an increasing trend in cross-platform threats. Join the discussion | AlienVault OTX General | 06/04/2025, 19:24:20 UTC Added: 06/04/2025, 20:28:32 UTC |
Showing 1 to 3 of 3 results