Moonlock Lab

macOS malware investigations

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure in an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


The Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views and get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

Follow Moonlock Lab on X

@g0njxa 6/7: Not the flashiest stealer out there, but it's the cheapest on the market. And now it seems price matters for some traffer teams. mac.c borrows from AMOS but carves its own niche in the macOS infostealer scene.

1/7: Our fellow researcher @g0njxa shared juicy info with us: a real #ClickFix-style find! A fake "Installation Instructions" pop-up pushes users to run a malicious bash command via Terminal. We couldn’t resist checking it, and what we uncovered? A multi-stage #macOS #stealer 👇

1/4: Earlier this month, our team published an article dissecting a new #backdoor variant hidden inside the #AMOS #macOS malware. Since then, we've observed a sharp 300% increase in detected AMOS samples targeting our users. Let us explain why it matters 👇

MacPaw’s Moonlock team at Objective by the Sea #OBTS v8.0!
This October, Kseniia and Nazar will speak at the world’s leading macOS/iOS security conference — #OBTS v8.0, held in Ibiza 🌴

They’ll share how we uncover real macOS threats using unique data and hands-on threat hunting…

🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article!
We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read!

1/8: Our team investigated yet another #macOS #stealer hidden behind a fake CleanMyMac website. It all started with an impersonating domain: cleanmymacpro[.]net, and resulted in a chain of hidden requests. Here’s how the malware is delivered and what tricks are used 👇

1/5: 🚨 Our team uncovered a #macOS downloader fetching an old #Banshee #stealer sample from an allegedly compromised Kenyan website makeitfilms[.]co[.]ke. Could this be the notorious malware staging a comeback?

1/4: Moonlock Lab team notifies about an ongoing campaign involving #Odyssey #macOS #stealer and others utilizing Gatekeeper bypass. It started in early May and has been going on until today. Our analytics system has noticed an anomalous increase in observed samples among our users.

1/14: Our team conducted an initial analysis of the #macOS files which might be related to the infrastructure previously used by Asian #APT groups. Also mentioned today by @malwrhunterteam. You can see our findings below 👇

MalwareHunterTeam @malwrhunterteam

Downloads a script from here: https://www.appleprocesshub[.]com/fSidEOWW.sh
That is currently this basic stealer script: