As Apple's market share grows among high-value targets such as software engineers, executives, and cryptocurrency investors, threat actors are focusing more and more on macOS environments. Premium Malware-as-a-Service (MaaS) platforms like MioLab (also known as Nova) show that macOS has gone from being "too small to attack" to a primary target that warrants advanced evasion techniques. MioLab is a highly commercialized, professional approach to macOS malware.
It is heavily advertised on well-known Russian-speaking underground forums. MioLab gives attackers the tools they need to steal sensitive browser data, drain high-value cryptocurrency wallets, and bypass macOS security measures through customizable social engineering lures. These tools comprise a small payload and a full web panel.
Advanced Evasion and Data Exfiltration

MioLab ships a highly evasive, lightweight C-based payload of about 100 KB that runs on both older Intel and newer Apple Silicon Macs, on macOS versions from Sierra to Tahoe. To get around Gatekeeper and other macOS security measures, operators use a visual builder to create fake DMG installation windows and rely heavily on social engineering prompts. The malware displays fake system error messages that ask for the administrator password in order to harvest local credentials.
[Figure: MioLab login page (Source: LevelBlue)]

When run, it forcefully closes macOS Terminal and uses AppleScript to display fake dialogs whose password field masks the input. After validating the credentials against the local directory service, the malware systematically collects extensive information about the system.
[Figure: Stolen information view (Source: LevelBlue)]

Operator Infrastructure and ClickFix Integration

MioLab provides its operators with an enterprise-grade web panel designed to run large cybercrime campaigns. The dashboard offers advanced log sorting, team API integrations, and a built-in tool with proxy support that uses stolen tokens to restore hijacked Google sessions, enabling account takeover that sidesteps two-factor authentication.
The infrastructure is resilient: dedicated proxy layers and bulletproof hosting from providers such as FEMO IT Solutions improve callback reliability and help evade network detection.

[Figure: MioLab's new log management panel (Source: LevelBlue)]

The addition of a ClickFix utility is one of the most significant new features in the latest MioLab updates. The command-and-control panel includes a one-click tool that generates fake CAPTCHA pages by automatically creating malicious Terminal commands.
Recent active malvertising campaigns observed by LevelBlue have used this to trick macOS users into running the payload by cloning real developer portals, such as the Claude Code Docs.

To monetize all traffic, operators have also connected their infrastructure to Web3 Ethereum drainers, so that even residual traffic to rotated domains is funneled through custom phishing links.

Indicators of compromise (Source: LevelBlue)

Hash (SHA-256)  2551e64498ed723fa2b258c9134ee299308ef91c82e14b9e873fc06dddb8f3f4  Application Mach-O Universal Binary
Hash (MD5)      5c1cd6b18d9cdb7a682560518f0438cc                                  MioLab macOS infostealer variant
Hash (MD5)      2422f04227fa86a149aed35d82f9a7fc                                  MioLab macOS infostealer variant
To defend against these social engineering tactics, security experts recommend closely monitoring sensitive system utilities such as dscl and osascript, enforcing code signing, and providing robust user awareness training.
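The monitoring recommendation above can be turned into concrete detection logic. The following Python script is an added example, not code from the article or from LevelBlue's report: it scans process-execution events for the two behaviours described earlier, an osascript "display dialog" with a masked password field and a dscl credential check against the local directory, and correlates them by parent process. The "timestamp | parent | command line" event format and the sample events are constructed for this example; real EDR or unified-log telemetry will need its own parser. The `dscl -authonly` option and the AppleScript `with hidden answer` clause are real, documented features; the rule names are hypothetical.

```python
"""Detection example (added here, not part of the original article): flag
osascript password-prompt dialogs and dscl local credential checks in
macOS process-execution telemetry, then correlate them per parent process."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry, one process-execution event per line, in the
# simplified format "timestamp | parent process | command line".
SAMPLE_EVENTS = """\
2024-05-01T10:02:11Z | Installer.app | /usr/bin/osascript -e 'display dialog "System Preferences wants to make changes." default answer "" with hidden answer with icon caution'
2024-05-01T10:02:12Z | Installer.app | /usr/bin/dscl . -authonly alice Hunter2!
2024-05-01T10:02:13Z | Installer.app | /usr/bin/osascript -e 'tell application "Terminal" to quit'
2024-05-01T11:15:00Z | Script Editor.app | /usr/bin/osascript -e 'display notification "Build finished"'
2024-05-01T11:20:45Z | Terminal.app | /usr/bin/dscl . -read /Users/alice RealName
2024-05-01T12:00:00Z | launchd | /usr/sbin/cron
"""

# Detection rules: (hypothetical rule name, severity, regex over the command line).
# Ordinary admin usage of dscl (e.g. "-read") and benign AppleScript notifications
# deliberately do not match, to keep the noise floor low.
RULES = [
    ("osascript_hidden_password_prompt", "high",
     re.compile(r"\bosascript\b.*display dialog.*with hidden answer", re.I)),
    ("osascript_quit_terminal", "medium",
     re.compile(r'\bosascript\b.*tell application "Terminal" to quit', re.I)),
    ("dscl_local_credential_check", "high",
     re.compile(r"\bdscl\b.*\s-authonly\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    parent: str
    rule: str
    severity: str


def parse_event(line: str) -> Optional[tuple]:
    """Split one constructed-format event into (timestamp, parent, cmdline)."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return None
    return tuple(parts)


def match_rules(cmdline: str) -> Optional[tuple]:
    """Return (rule name, severity) for the first matching rule, else None."""
    for name, severity, pattern in RULES:
        if pattern.search(cmdline):
            return name, severity
    return None


def scan(events_text: str) -> list:
    """Run every rule over every event and collect the findings in log order."""
    findings = []
    for line in events_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        timestamp, parent, cmdline = event
        hit = match_rules(cmdline)
        if hit is not None:
            findings.append(Finding(timestamp, parent, hit[0], hit[1]))
    return findings


def credential_theft_chains(findings: list) -> list:
    """Parents that both showed a masked-password dialog and then checked a
    credential with dscl: the sequence the article describes, which a single
    rule hit alone would not distinguish from an isolated admin action."""
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(f.parent, set()).add(f.rule)
    return sorted(
        parent for parent, rules in rules_by_parent.items()
        if {"osascript_hidden_password_prompt", "dscl_local_credential_check"} <= rules
    )


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.timestamp} [{f.severity}] {f.parent}: {f.rule}")
    for parent in credential_theft_chains(results):
        print(f"credential-theft chain under parent process: {parent}")
```

Only the three events from the fake installer are flagged; the legitimate Script Editor notification and the Terminal user's `dscl -read` are ignored, and the installer is additionally reported as a credential-theft chain because the masked dialog and the directory check share a parent process.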