Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Notorious hacker returns with a new macOS stealer targeting $10K+ crypto wallets: Header image

Notorious hacker returns with a new Mac stealer targeting $10K+ crypto wallets

In 2023, a malware developer named 0xFFF rage-quit one of the most prominent underground hacking forums, leaving behind accusations and bad blood. In August 2024, 0xFFF came back under a new alias, alh1mik,...
Apr 8, 2026
17 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

Fake VCs target crypto talent in a new ClickFix campaig header

Fake VCs target crypto talent in a new ClickFix campaign

In a new investigation, Moonlock Lab has been tracking a malware campaign targeting cryptocurrency and Web3 professionals. The threat actors operate through fabricated venture capital identities, engage victims on LinkedIn with tailored job...
Mar 2, 2026
15 min read
6 key trends to watch in macOS malware in 2026: Header image

6 key trends to watch in macOS malware in 2026

What we’re seeing in macOS malware development is a reflection of how cybercrime itself evolves. As security ecosystems mature, threat actors are creating malware that is more efficient and more resilient than ever...
Feb 3, 2026
9 min read
Moonlock's 2025 macOS threat report: Header image

Moonlock’s 2025 macOS threat report

For the second year in a row, MacPaw’s Moonlock Lab is sharing observations, research findings, and trends in macOS malware over the past year. This time, we focus less on the technical side of...
Dec 3, 2025
20 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.
Oleh K.

Oleh K.

Oleh is a reverse engineer at Moonlock, the cybersecurity division of MacPaw. He specializies in reverse engineering, debugging, and bypassing malware obfuscation and protection mechanisms.
Mykhailo Pazyniuk

Mykhailo Pazyniuk

Mykhailo is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. He specializes in tracking threat groups, and currently works as a research engineer, overseeing malware campaigns, reporting on threat actor activity, and classifying emerging malware families.
Lab making headlines
Macworld media logo
Complete list of Mac viruses, malware and trojans
A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
CSO media logo
Is the tide turning on macOS security?
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
apple insider media logo
What a new threat report says about Mac malware in 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
hackernoon media logo
Tracking Atomic Stealer on macOS: sophisticated malware replacing Ledger Live app
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
20 May

Here is another related sample with the same TeamID and Signature, first seen in March this year, and detected as Cobaltstrike on VT:
b62756002243678c0017f464c71379a41fced350ad57566fa8322d0d023d51dd
The earliest one we managed to find is this one, from December 2025:

L0Psec @L0Psec

Here's two potentially interesting ones shared by @malwrhunterteam. They have many adaptixC2 detections BUT were signed. com.shizhuang.itrustd. Several other files have this signature.
🧵

Reply on Twitter 2057030254129004746 Retweet on Twitter 2057030254129004746 6 Like on Twitter 2057030254129004746 21 X 2057030254129004746
moonlock_lab Moonlock Lab @moonlock_lab ·
15 May

1/ We spotted three macOS stealer samples on VirusTotal - fresh enough that they're still at 0/72 a week after upload. Known malware family being delivered as a fake build of Codex for Mac. Sharing what we pulled out 🧵

3

Reply on Twitter 2055357041883918413 Retweet on Twitter 2055357041883918413 20 Like on Twitter 2055357041883918413 68 X 2055357041883918413
moonlock_lab Moonlock Lab @moonlock_lab ·
12 May

1/🚨 New stealer sample on #macOS, with codebase related to #Banshee variants. No code signature. Only one detection on VirusTotal at time of analysis. Shared by @malwrhunterteam.

It disguises itself as a "System and filesystem monitor daemon" and goes straight for crypto

Reply on Twitter 2054243242628051309 Retweet on Twitter 2054243242628051309 15 Like on Twitter 2054243242628051309 54 X 2054243242628051309
moonlock_lab Moonlock Lab @moonlock_lab ·
6 May

UPD: Our previous post had visual inconsistencies, so we decided to re-upload it with the correct imagery.

1/ We're tracking new #Odyssey #macOS #stealer activity, and this one comes with a twist in delivery: the malicious script is embedded directly into a PLIST file.
Key

Reply on Twitter 2052035531656044812 Retweet on Twitter 2052035531656044812 5 Like on Twitter 2052035531656044812 25 X 2052035531656044812
moonlock_lab Moonlock Lab @moonlock_lab ·
27 Apr

1/ℹ️We found a fully-featured macOS #RAT that zero AV vendors detected at the time of discovery.

Meet "3Crypt RAT/C2 Capability Tester" - a #macOS binary with deep recon, persistence, evasion, and lateral movement capabilities.

No real C2 infra. But don't let that fool you. 👇

Reply on Twitter 2048758820587872557 Retweet on Twitter 2048758820587872557 18 Like on Twitter 2048758820587872557 69 X 2048758820587872557
moonlock_com Moonlock by MacPaw @moonlock_com ·
22 Apr

Ever seen a malware dev just… come back?

A known macOS threat actor resurfaced under a new identity — now behind a stealer called notnullOSX.

It’s already active, evolving, and targeting high-value data.

Feels like macOS threats are getting a lot more persistent lately.

Reply on Twitter 2047054631596085449 Retweet on Twitter 2047054631596085449 4 Like on Twitter 2047054631596085449 23 X 2047054631596085449
moonlock_lab Moonlock Lab @moonlock_lab ·
20 Apr

🔴1/ We've spotted in-the-wild usage of #Overlord RAT - a Go-based remote access trojan targeting #macOS.
Binary was found and shared by @malwrhunterteam.
First detections: South Korea.
This one has HVNC, process injection and browser hijacking capabilities. More below 👇

Reply on Twitter 2046259827714760776 Retweet on Twitter 2046259827714760776 9 Like on Twitter 2046259827714760776 50 X 2046259827714760776
objective_see Objective-See Foundation @objective_see ·
14 Apr

New research from our friends/supporters @MacPaw / @moonlock_lab 👏

🍎👾🔬 New macOS stealer “notnullosx”: Go-based, modular, and going after everything from browser creds to crypto wallets.

Read:

Reply on Twitter 2044161112875381184 Retweet on Twitter 2044161112875381184 9 Like on Twitter 2044161112875381184 37 X 2044161112875381184
moonlock_lab Moonlock Lab @moonlock_lab ·
6 Apr

1/ A trusted package with massive reach briefly became a malware delivery channel, and we’re currently tracking a spike in #Waveshaper across 19 countries, including the US, Canada, Australia, and parts of Asia.
The recent Axios npm compromise shows how a single supply-chain

Reply on Twitter 2041184794038473136 Retweet on Twitter 2041184794038473136 6 Like on Twitter 2041184794038473136 26 X 2041184794038473136
moonlock_com Moonlock by MacPaw @moonlock_com ·
25 Mar

Kseniia Yamburh @osint_barbie has been named “Cybersecurity Woman of the Year” at the 2026 Cybersecurity Excellence Awards!
As a Malware Research Engineer at Moonlock by MacPaw, Kseniia spends her days hunting down macOS threats and sharing her intelligence with the broader

Reply on Twitter 2036760173314728125 Retweet on Twitter 2036760173314728125 2 Like on Twitter 2036760173314728125 28 X 2036760173314728125
moonlock_lab Moonlock Lab @moonlock_lab ·
19 Mar

1/ New #macOS samples, 0 detections on VT as of writing, but multiple artifacts suggest Sliver-like HTTP(S) C2. Shared by @malwrhunterteam.
What stood out: procedural URL patterns, PNG-wrapped network payloads, no plaintext IOCs, and wazero/WASM-related execution. More below👇

Reply on Twitter 2034679020730626139 Retweet on Twitter 2034679020730626139 12 Like on Twitter 2034679020730626139 49 X 2034679020730626139