Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Mac.c stealer evolves into MacSync: Now with a backdoor: Header image

Mac.c stealer evolves into MacSync: Now with a backdoor

In April 2025, a new macOS stealer developer emerged under the alias “mentalpositive.” Their stealer, mac.c, wasn’t sophisticated. It wasn’t particularly stealthy or feature-rich at launch, either. However, it did have one important...
Sep 12, 2025
7 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

Atomic macOS Stealer now includes a backdoor for persistent access: Header image

Atomic macOS Stealer now includes a backdoor for persistent access

Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read
"Anti-Ledger" malware: The battle for Ledger Live seed phrases: Header image

“Anti-Ledger” malware: The battle for Ledger Live seed phrases

Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry...
May 22, 2025
10 min read
Realtek or real threat? The macOS malware that won’t quit: Header image

Realtek or real threat? The macOS malware that won’t quit

Suspected North Korean threat actors are targeting macOS users with a recycled — but still dangerous — malware campaign. First spotted in April 2025, this campaign is a subtle evolution of the “Contagious...
May 5, 2025
9 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.
Oleh K.

Oleh K.

Oleh is a reverse engineer at Moonlock, the cybersecurity division of MacPaw. He specializies in reverse engineering, debugging, and bypassing malware obfuscation and protection mechanisms.
Mykhailo Pazyniuk

Mykhailo Pazyniuk

Mykhailo is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. He specializes in tracking threat groups, and currently works as a research engineer, overseeing malware campaigns, reporting on threat actor activity, and classifying emerging malware families.
Lab making headlines
Macworld media logo
Complete list of Mac viruses, malware and trojans
A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
CSO media logo
Is the tide turning on macOS security?
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
apple insider media logo
What a new threat report says about Mac malware in 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
hackernoon media logo
Tracking Atomic Stealer on macOS: sophisticated malware replacing Ledger Live app
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
3 Nov

🔎 Seems like #Odyssey #macOS stealer crossed our upper tolerance band for the average detection rate on Nov 1st, indicating an active campaign.
Geography suggests the spread is global, with visible clusters in India, the US, APAC, and parts of Europe.

Missed our latest…

2

Reply on Twitter 1985409070422257871 Retweet on Twitter 1985409070422257871 3 Like on Twitter 1985409070422257871 26 X 1985409070422257871
moonlock_lab Moonlock Lab @moonlock_lab ·
29 Oct

1/ Sometimes the best hunts start with a simple share. A few strings from an updated #MacSync #macOS malware, dropped casually by @g0njxa, led us to the FUD file, which appears to be a dropper 👇

Reply on Twitter 1983549660297101668 Retweet on Twitter 1983549660297101668 11 Like on Twitter 1983549660297101668 51 X 1983549660297101668
moonlock_lab Moonlock Lab @moonlock_lab ·
28 Oct

It's amazing to see our work come to life!
At Moonlock Lab, we dig deep into macOS malware. Now, with the Moonlock app by @MacPaw, that deep technical insight is turning into real, easy-to-use security for everyone. We hope you feel safer! 🔒

Reply on Twitter 1983162768288256484 Retweet on Twitter 1983162768288256484 2 Like on Twitter 1983162768288256484 13 X 1983162768288256484
moonlock_lab Moonlock Lab @moonlock_lab ·
21 Oct

cc @patrickwardle @g0njxa @arinwaichulis @philofishal @L0Psec @shablolForce @theevilbit @theJoshMeister @DefSecSentinel @bruce_k3tta @birchb0y @RussianPanda9xx @txhaflaire @AndreGironda @500mk500 @suyog41 @NietzscheLab

Reply on Twitter 1980686727804334567 Retweet on Twitter 1980686727804334567 Like on Twitter 1980686727804334567 8 X 1980686727804334567
moonlock_lab Moonlock Lab @moonlock_lab ·
21 Oct

1/ Recently @malwrhunterteam shared an interesting sample with our team, which we initially didn’t believe to be such a rabbit hole. However, it turned out to be a multi-staged, crossplatform, and likely targeted #DPRK campaign. During our research we also highlighted some…

Reply on Twitter 1980683916571996312 Retweet on Twitter 1980683916571996312 19 Like on Twitter 1980683916571996312 50 X 1980683916571996312
moonlock_lab Moonlock Lab @moonlock_lab ·
17 Oct

Seems like #crypto #phishing won’t go away anytime soon .. A few days ago our team found a (yet) undetected sample on VirusTotal, and decided to tell you more about it 🔍

The sample itself does not contain any significantly malicious functions except for showing some web-loaded…

3

Reply on Twitter 1979209275043168317 Retweet on Twitter 1979209275043168317 4 Like on Twitter 1979209275043168317 18 X 1979209275043168317
moonlock_lab Moonlock Lab @moonlock_lab ·
14 Oct

A few days ago our team started a minor research around the domains used by #Odyssey #stealer. The one we would like to highlight today is franceparfumes[.]org, also mentioned by @suyog41.

It caught our attention because of an unusual name, which hints to either a previously…

4

Reply on Twitter 1978113577883238624 Retweet on Twitter 1978113577883238624 11 Like on Twitter 1978113577883238624 38 X 1978113577883238624
osint_barbie xiu @osint_barbie ·
12 Oct

Today we are having fun tackling Mac malware with the boss @patrickwardle 🫡😍
#OBTS v8.0

@objective_see 🫶

Reply on Twitter 1977328001948987850 Retweet on Twitter 1977328001948987850 6 Like on Twitter 1977328001948987850 55 X 1977328001948987850
moonlock_lab Moonlock Lab @moonlock_lab ·
16 Sep

🕵️macOS threats are leveling up! The rebranded MacSync Stealer (formerly mac.c by “mentalpositive”) has moved to a stealthy, Go-based backdoor, quieter than AMOS, enabling full remote control beyond mere data theft.
See details on hands-on-keyboard remote control on macOS…

Reply on Twitter 1968010494930981020 Retweet on Twitter 1968010494930981020 20 Like on Twitter 1968010494930981020 80 X 1968010494930981020
moonlock_lab Moonlock Lab @moonlock_lab ·
4 Sep

1/7: Huge kudos to Mosyle for the original catch and to @9to5mac for spreading the word (http://bit.ly/4lZHfK2). Our Lab couldn't help but hunt related JSCoreRunner activity, and we (sadly) saw multiple hits among our users. Our heat map shows the most impact in the US and UK.

Reply on Twitter 1963616720846807052 Retweet on Twitter 1963616720846807052 12 Like on Twitter 1963616720846807052 32 X 1963616720846807052