Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Fake VCs target crypto talent in a new ClickFix campaig header

Fake VCs target crypto talent in a new ClickFix campaign

In a new investigation, Moonlock Lab has been tracking a malware campaign targeting cryptocurrency and Web3 professionals. The threat actors operate through fabricated venture capital identities, engage victims on LinkedIn with tailored job...
Mar 2, 2026
15 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

6 key trends to watch in macOS malware in 2026: Header image

6 key trends to watch in macOS malware in 2026

What we’re seeing in macOS malware development is a reflection of how cybercrime itself evolves. As security ecosystems mature, threat actors are creating malware that is more efficient and more resilient than ever...
Feb 3, 2026
9 min read
Moonlock's 2025 macOS threat report: Header image

Moonlock’s 2025 macOS threat report

For the second year in a row, MacPaw’s Moonlock Lab is sharing observations, research findings, and trends in macOS malware over the past year. This time, we focus less on the technical side of...
Dec 3, 2025
20 min read
Mac.c stealer evolves into MacSync: Now with a backdoor: Header image

Mac.c stealer evolves into MacSync: Now with a backdoor

In April 2025, a new macOS stealer developer emerged under the alias “mentalpositive.” Their stealer, mac.c, wasn’t sophisticated. It wasn’t particularly stealthy or feature-rich at launch, either. However, it did have one important...
Sep 12, 2025
7 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.
Oleh K.

Oleh K.

Oleh is a reverse engineer at Moonlock, the cybersecurity division of MacPaw. He specializies in reverse engineering, debugging, and bypassing malware obfuscation and protection mechanisms.
Mykhailo Pazyniuk

Mykhailo Pazyniuk

Mykhailo is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. He specializes in tracking threat groups, and currently works as a research engineer, overseeing malware campaigns, reporting on threat actor activity, and classifying emerging malware families.
Lab making headlines
Macworld media logo
Complete list of Mac viruses, malware and trojans
A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
CSO media logo
Is the tide turning on macOS security?
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
apple insider media logo
What a new threat report says about Mac malware in 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
hackernoon media logo
Tracking Atomic Stealer on macOS: sophisticated malware replacing Ledger Live app
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
16h

Beware fake VCs on LinkedIn ❗️
Our latest Moonlock Lab report tracks a new #ClickFix campaign using fake Zoom/Meet links + a bogus Cloudflare CAPTCHA to trick victims into pasting malicious commands - cross-platform for macOS & Windows.
Featuring findings by @malwrhunterteam and

Reply on Twitter 2029259646544810408 Retweet on Twitter 2029259646544810408 7 Like on Twitter 2029259646544810408 18 X 2029259646544810408
moonlock_lab Moonlock Lab @moonlock_lab ·
26 Feb

Infostealers aren’t slowing down. Listen to the second part of @9to5mac Security Bite Podcast with @arinwaichulis, where our Moonlock Lab researchers break down how these threats land, and why social engineering is escalating. 🎙️

Reply on Twitter 2027058197677097287 Retweet on Twitter 2027058197677097287 3 Like on Twitter 2027058197677097287 11 X 2027058197677097287
moonlock_lab Moonlock Lab @moonlock_lab ·
25 Feb

1/ We just triaged a #macOS sample that looks like a full-featured RAT with a twist - it uses the #Solana blockchain as part of its C2 workflow. Kindly shared by @malwrhunterteam. More below 🧵

Reply on Twitter 2026683358890307807 Retweet on Twitter 2026683358890307807 12 Like on Twitter 2026683358890307807 63 X 2026683358890307807
moonlock_lab Moonlock Lab @moonlock_lab ·
19 Feb

Hey!👋 If you appreciate the importance of work done by @osint_barbie from our team, dealing with malware and threat actors, - please go vote for her by sharing a link to her nominee profile @ Cybersecurity Excellence Awards ❤️‍🔥
https://cybersecurity-excellence-awards.com/candidates/kseniia-yamburh-2026/

Reply on Twitter 2024469666379280409 Retweet on Twitter 2024469666379280409 3 Like on Twitter 2024469666379280409 25 X 2024469666379280409
moonlock_lab Moonlock Lab @moonlock_lab ·
11 Feb

🧵 1/ 🚨 What if a Google Sponsored result for a common macOS query led to malware? That's happening right now and 15K+ people have already seen it.
We at @MoonlockLab observed 2 variants today abusing legitimate platforms for ClickFix delivery: a @AnthropicAI public artifact on

Reply on Twitter 2021695650367226108 Retweet on Twitter 2021695650367226108 17 Like on Twitter 2021695650367226108 53 X 2021695650367226108
moonlock_lab Moonlock Lab @moonlock_lab ·
10 Feb

1/ Crypto #phishing scams against #macOS users become more 'genuine' and continue to target Trezor consumers. Digging deeper on a campaign mentioned by @malwrhunterteam, we followed the trail and examined yet another WebView sample prompting for seed phrase .. 🧵

2

Reply on Twitter 2021182079396962748 Retweet on Twitter 2021182079396962748 7 Like on Twitter 2021182079396962748 31 X 2021182079396962748
moonlock_lab Moonlock Lab @moonlock_lab ·
5 Feb

1/ We’re tracking a fresh wave of #Odyssey #Stealer activity targeting #macOS users.
Over the past days, our telemetry showed newly updated samples spreading primarily across:
🇺🇸 United States
🇫🇷 France
🇪🇸 Spain

Today, the picture has clearly changed: the same Odyssey campaign

2

Reply on Twitter 2019528813328125984 Retweet on Twitter 2019528813328125984 6 Like on Twitter 2019528813328125984 29 X 2019528813328125984
moonlock_lab Moonlock Lab @moonlock_lab ·
5 Feb

Our team recently published 2026 #macOS malware predictions: supply-chain + AI/workflow (MCP) abuse, signed/notarized stealth & multi-stage loaders, Macs as proxy infrastructure, and “upmarket” infostealers.
Give it a read! 👇

Reply on Twitter 2019397136903991646 Retweet on Twitter 2019397136903991646 8 Like on Twitter 2019397136903991646 28 X 2019397136903991646
moonlock_lab Moonlock Lab @moonlock_lab ·
4 Feb

1/ We conducted an analysis on yet undetected + low detected samples of something similar to a dropper/stager written in Go. According to our findings + what has been shared with us kindly by @malwrhunterteam, these files have a few generations with obfuscation in later ones. 🧵

2

Reply on Twitter 2019098528459481297 Retweet on Twitter 2019098528459481297 8 Like on Twitter 2019098528459481297 37 X 2019098528459481297
moonlock_com Moonlock by MacPaw @moonlock_com ·
3 Feb

Infostealers are no longer a side quest for macOS.
They’re a main storyline.

In Part 1 of the latest @9to5mac Security Bite podcast, Moonlock Lab researchers join @arinwaichulis to discuss why infostealers have emerged as one of the most dominant macOS threats in 2026.

Our

Reply on Twitter 2018679259116527749 Retweet on Twitter 2018679259116527749 3 Like on Twitter 2018679259116527749 6 X 2018679259116527749
osint_barbie xiu @osint_barbie ·
28 Jan

Great convo on macOS infostealers and why “just paste this into Terminal” is never a good life choice 🥲😅

Thank you @arinwaichulis for the great questions and a super nice vibe! Looking forward to Friday🎙️🍏

Reply on Twitter 2016504105900904702 Retweet on Twitter 2016504105900904702 3 Like on Twitter 2016504105900904702 25 X 2016504105900904702