Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Atomic macOS Stealer now includes a backdoor for persistent access: Header image

Atomic macOS Stealer now includes a backdoor for persistent access

Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

"Anti-Ledger" malware: The battle for Ledger Live seed phrases: Header image

“Anti-Ledger” malware: The battle for Ledger Live seed phrases

Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry...
May 22, 2025
10 min read
Realtek or real threat? The macOS malware that won’t quit: Header image

Realtek or real threat? The macOS malware that won’t quit

Suspected North Korean threat actors are targeting macOS users with a recycled — but still dangerous — malware campaign. First spotted in April 2025, this campaign is a subtle evolution of the “Contagious...
May 5, 2025
9 min read
Moonlock 2024 macOS threat report (Header image)

Moonlock’s 2024 macOS threat report

For decades, Apple devices have enjoyed a reputation for being mostly malware-free. However, with a 60 percent increase in market share in the last 3 years alone, macOS has become a prime target...
Dec 3, 2024
14 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
12 Aug

@g0njxa 6/7: Not the flashiest stealer out there, but it's the cheapest on the market. And now it seems price matters for some traffer teams. mac.c borrows from AMOS but carves its own niche in the macOS infostealer scene.

Reply on Twitter 1955387547493994659 Retweet on Twitter 1955387547493994659 1 Like on Twitter 1955387547493994659 5 X 1955387547493994659
moonlock_lab Moonlock Lab @moonlock_lab ·
12 Aug

1/7: Our fellow researcher @g0njxa shared juicy info with us: a real #ClickFix-style find! A fake "Installation Instructions" pop-up pushes users to run a malicious bash command via Terminal. We couldn’t resist checking it, and what we uncovered? A multi-stage #macOS #stealer 👇

Reply on Twitter 1955386777793183990 Retweet on Twitter 1955386777793183990 16 Like on Twitter 1955386777793183990 57 X 1955386777793183990
moonlock_lab Moonlock Lab @moonlock_lab ·
30 Jul

1/4: Earlier this month, our team published an article dissecting a new #backdoor variant hidden inside the #AMOS #macOS malware. Since then, we've observed a sharp 300% increase in detected AMOS samples targeting our users. Let us explain why it matters 👇

Reply on Twitter 1950549149692178543 Retweet on Twitter 1950549149692178543 12 Like on Twitter 1950549149692178543 23 X 1950549149692178543
moonlock_com Moonlock by MacPaw @moonlock_com ·
28 Jul

MacPaw’s Moonlock team at Objective by the Sea #OBTS v8.0!
This October, Kseniia and Nazar will speak at the world’s leading macOS/iOS security conference — #OBTS v8.0, held in Ibiza 🌴

They’ll share how we uncover real macOS threats using unique data and hands-on threat hunting…

Reply on Twitter 1949873374030610916 Retweet on Twitter 1949873374030610916 5 Like on Twitter 1949873374030610916 20 X 1949873374030610916
moonlock_lab Moonlock Lab @moonlock_lab ·
8 Jul

🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article!
We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read!

Reply on Twitter 1942524364844589264 Retweet on Twitter 1942524364844589264 20 Like on Twitter 1942524364844589264 64 X 1942524364844589264
moonlock_lab Moonlock Lab @moonlock_lab ·
18 Jun

1/8: Our team investigated yet another #macOS #stealer hidden behind a fake CleanMyMac website. It all started with an impersonating domain: cleanmymacpro[.]net, and resulted in a chain of hidden requests. Here’s how the malware is delivered and what tricks are used 👇

Reply on Twitter 1935409328305144215 Retweet on Twitter 1935409328305144215 22 Like on Twitter 1935409328305144215 54 X 1935409328305144215
moonlock_lab Moonlock Lab @moonlock_lab ·
6 Jun

1/5: 🚨 Our team uncovered a #macOS downloader fetching an old #Banshee #stealer sample from an allegedly compromised Kenyan website makeitfilms[.]co[.]ke. Could this be the notorious malware staging a comeback?

Reply on Twitter 1931072547459825996 Retweet on Twitter 1931072547459825996 10 Like on Twitter 1931072547459825996 35 X 1931072547459825996
moonlock_lab Moonlock Lab @moonlock_lab ·
27 May

1/4: Moonlock Lab team notifies about an ongoing campaign involving #Odyssey #macOS #stealer and others utilizing Gatekeeper bypass. Started in early May and has been going on until today. Our analytics system has noticed an anomalous increase in observed samples among our users.

Reply on Twitter 1927450645780365634 Retweet on Twitter 1927450645780365634 10 Like on Twitter 1927450645780365634 35 X 1927450645780365634
moonlock_lab Moonlock Lab @moonlock_lab ·
19 May

1/14: Our team conducted an initial analysis of the #macOS files which might be related to the infrastructure, previously used by Asian #APT groups. Also mentioned today by @malwrhunterteam (). You can see our findings below 👇

MalwareHunterTeam @malwrhunterteam

Downloads a script from here: https://www.appleprocesshub[.]com/fSidEOWW.sh
That is currently this basic stealer script:

Reply on Twitter 1924582988219642081 Retweet on Twitter 1924582988219642081 17 Like on Twitter 1924582988219642081 48 X 1924582988219642081