Latest threat report

Mac.c stealer evolves into MacSync: Now with a backdoor
In April 2025, a new macOS stealer developer emerged under the alias “mentalpositive.” Their stealer, mac.c, wasn’t sophisticated. It wasn’t particularly stealthy or feature-rich at launch, either. However, it did have one important...
Sep 12, 2025
7 min read

About Moonlock Lab
Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.
The Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views and get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

Previous publications

Atomic macOS Stealer now includes a backdoor for persistent access
Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read

“Anti-Ledger” malware: The battle for Ledger Live seed phrases
Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry...
May 22, 2025
10 min read

Realtek or real threat? The macOS malware that won’t quit
Suspected North Korean threat actors are targeting macOS users with a recycled — but still dangerous — malware campaign. First spotted in April 2025, this campaign is a subtle evolution of the “Contagious...
May 5, 2025
9 min read

Experts of Moonlock Lab

Lab making headlines

A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025

Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024

Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024

Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024