Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Notorious hacker returns with a new macOS stealer targeting $10K+ crypto wallets: Header image

Notorious hacker returns with a new Mac stealer targeting $10K+ crypto wallets

In 2023, a malware developer named 0xFFF rage-quit one of the most prominent underground hacking forums, leaving behind accusations and bad blood. In August 2024, 0xFFF came back under a new alias, alh1mik,...
Apr 8, 2026
17 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

Fake VCs target crypto talent in a new ClickFix campaig header

Fake VCs target crypto talent in a new ClickFix campaign

In a new investigation, Moonlock Lab has been tracking a malware campaign targeting cryptocurrency and Web3 professionals. The threat actors operate through fabricated venture capital identities, engage victims on LinkedIn with tailored job...
Mar 2, 2026
15 min read
6 key trends to watch in macOS malware in 2026: Header image

6 key trends to watch in macOS malware in 2026

What we’re seeing in macOS malware development is a reflection of how cybercrime itself evolves. As security ecosystems mature, threat actors are creating malware that is more efficient and more resilient than ever...
Feb 3, 2026
9 min read
Moonlock's 2025 macOS threat report: Header image

Moonlock’s 2025 macOS threat report

For the second year in a row, MacPaw’s Moonlock Lab is sharing observations, research findings, and trends in macOS malware over the past year. This time, we focus less on the technical side of...
Dec 3, 2025
20 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.
Oleh K.

Oleh K.

Oleh is a reverse engineer at Moonlock, the cybersecurity division of MacPaw. He specializies in reverse engineering, debugging, and bypassing malware obfuscation and protection mechanisms.
Mykhailo Pazyniuk

Mykhailo Pazyniuk

Mykhailo is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. He specializes in tracking threat groups, and currently works as a research engineer, overseeing malware campaigns, reporting on threat actor activity, and classifying emerging malware families.
Lab making headlines
Macworld media logo
Complete list of Mac viruses, malware and trojans
A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
CSO media logo
Is the tide turning on macOS security?
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
apple insider media logo
What a new threat report says about Mac malware in 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
hackernoon media logo
Tracking Atomic Stealer on macOS: sophisticated malware replacing Ledger Live app
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
27 Apr

1/ℹ️We found a fully-featured macOS #RAT that zero AV vendors detected at the time of discovery.

Meet "3Crypt RAT/C2 Capability Tester" - a #macOS binary with deep recon, persistence, evasion, and lateral movement capabilities.

No real C2 infra. But don't let that fool you. 👇

Reply on Twitter 2048758820587872557 Retweet on Twitter 2048758820587872557 18 Like on Twitter 2048758820587872557 66 X 2048758820587872557
moonlock_com Moonlock by MacPaw @moonlock_com ·
22 Apr

Ever seen a malware dev just… come back?

A known macOS threat actor resurfaced under a new identity — now behind a stealer called notnullOSX.

It’s already active, evolving, and targeting high-value data.

Feels like macOS threats are getting a lot more persistent lately.

Reply on Twitter 2047054631596085449 Retweet on Twitter 2047054631596085449 4 Like on Twitter 2047054631596085449 22 X 2047054631596085449
moonlock_lab Moonlock Lab @moonlock_lab ·
20 Apr

🔴1/ We've spotted in-the-wild usage of #Overlord RAT - a Go-based remote access trojan targeting #macOS.
Binary was found and shared by @malwrhunterteam.
First detections: South Korea.
This one has HVNC, process injection and browser hijacking capabilities. More below 👇

Reply on Twitter 2046259827714760776 Retweet on Twitter 2046259827714760776 9 Like on Twitter 2046259827714760776 49 X 2046259827714760776
objective_see Objective-See Foundation @objective_see ·
14 Apr

New research from our friends/supporters @MacPaw / @moonlock_lab 👏

🍎👾🔬 New macOS stealer “notnullosx”: Go-based, modular, and going after everything from browser creds to crypto wallets.

Read:

Reply on Twitter 2044161112875381184 Retweet on Twitter 2044161112875381184 9 Like on Twitter 2044161112875381184 37 X 2044161112875381184
moonlock_lab Moonlock Lab @moonlock_lab ·
6 Apr

1/ A trusted package with massive reach briefly became a malware delivery channel, and we’re currently tracking a spike in #Waveshaper across 19 countries, including the US, Canada, Australia, and parts of Asia.
The recent Axios npm compromise shows how a single supply-chain

Reply on Twitter 2041184794038473136 Retweet on Twitter 2041184794038473136 6 Like on Twitter 2041184794038473136 26 X 2041184794038473136
moonlock_com Moonlock by MacPaw @moonlock_com ·
25 Mar

Kseniia Yamburh @osint_barbie has been named “Cybersecurity Woman of the Year” at the 2026 Cybersecurity Excellence Awards!
As a Malware Research Engineer at Moonlock by MacPaw, Kseniia spends her days hunting down macOS threats and sharing her intelligence with the broader

Reply on Twitter 2036760173314728125 Retweet on Twitter 2036760173314728125 2 Like on Twitter 2036760173314728125 28 X 2036760173314728125
moonlock_lab Moonlock Lab @moonlock_lab ·
19 Mar

1/ New #macOS samples, 0 detections on VT as of writing, but multiple artifacts suggest Sliver-like HTTP(S) C2. Shared by @malwrhunterteam.
What stood out: procedural URL patterns, PNG-wrapped network payloads, no plaintext IOCs, and wazero/WASM-related execution. More below👇

Reply on Twitter 2034679020730626139 Retweet on Twitter 2034679020730626139 12 Like on Twitter 2034679020730626139 49 X 2034679020730626139
moonlock_com Moonlock by MacPaw @moonlock_com ·
12 Mar

We’re excited to share something special with the community.

Moonlock Lab experts @osint_barbie and @xor3r have published a new piece on the RSA Conference blog about the evolving landscape of macOS threats.

In the article they break down the most common threats targeting macOS

Reply on Twitter 2032022040304054758 Retweet on Twitter 2032022040304054758 4 Like on Twitter 2032022040304054758 25 X 2032022040304054758
moonlock_lab Moonlock Lab @moonlock_lab ·
4 Mar

Beware fake VCs on LinkedIn ❗️
Our latest Moonlock Lab report tracks a new #ClickFix campaign using fake Zoom/Meet links + a bogus Cloudflare CAPTCHA to trick victims into pasting malicious commands - cross-platform for macOS & Windows.
Featuring findings by @malwrhunterteam and

Reply on Twitter 2029259646544810408 Retweet on Twitter 2029259646544810408 9 Like on Twitter 2029259646544810408 23 X 2029259646544810408
moonlock_lab Moonlock Lab @moonlock_lab ·
26 Feb

Infostealers aren’t slowing down. Listen to the second part of @9to5mac Security Bite Podcast with @arinwaichulis, where our Moonlock Lab researchers break down how these threats land, and why social engineering is escalating. 🎙️

Reply on Twitter 2027058197677097287 Retweet on Twitter 2027058197677097287 3 Like on Twitter 2027058197677097287 11 X 2027058197677097287
moonlock_lab Moonlock Lab @moonlock_lab ·
25 Feb

1/ We just triaged a #macOS sample that looks like a full-featured RAT with a twist - it uses the #Solana blockchain as part of its C2 workflow. Kindly shared by @malwrhunterteam. More below 🧵

Reply on Twitter 2026683358890307807 Retweet on Twitter 2026683358890307807 12 Like on Twitter 2026683358890307807 63 X 2026683358890307807