Moonlock Lab

macOS malware investigations

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure in an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.

The Lab's researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views and get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, the Lab's experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

Follow Moonlock Lab on X

1/ New #macOS (cross-platform) sample: a full-featured remote access trojan masquerading as MicrosoftSystem64 and using #huggingface legitimate infrastructure for its C2 activities. JavaScript payload + RAT inside a Mach-O binary. Findings below 👇

Kseniia Yamburh from MacPaw will be speaking, together with Joan Garcia, at Virus Bulletin 2026 @virusbtn, one of the long-running international conferences for malware research and threat intelligence.

Their talk, “Mac&Cheese: cooking up the Digit Stealer recipe,” dives into a

1/ Yet another #FUD #macOS sample on our radar - a full-featured credential stealer with backdoor + injection capabilities for Mac. Has not been detected on VT since April. Findings below 👇

1/ A new #macOS #stealer in the wild, analyzed after being spotted by @malwrhunterteam🚨
A Rust-compiled, universal (x86_64 + arm64) infostealer targeting passwords, Keychain, browser data, Telegram, hardware wallets, and Apple Notes - all in one binary. It’s also different from

The day has come - Moonlock Lab now has a Discord 🤩

If you've been lurking our research for a while, this is a good excuse to say hi.

To kick it off, we're giving away 4 books by @patrickwardle - 'The Art of Mac Malware'.

To participate in our Giveaway:
• Join the server:

Here is another related sample with the same TeamID and Signature, first seen in March this year, and detected as Cobalt Strike on VT:
b62756002243678c0017f464c71379a41fced350ad57566fa8322d0d023d51dd
The earliest one we managed to find is this one, from December 2025:

L0Psec @L0Psec

Here are two potentially interesting ones shared by @malwrhunterteam. They have many adaptixC2 detections BUT were signed. com.shizhuang.itrustd. Several other files have this signature.
🧵

1/ We spotted three macOS stealer samples on VirusTotal - fresh enough that they're still at 0/72 a week after upload. Known malware family being delivered as a fake build of Codex for Mac. Sharing what we pulled out 🧵

1/🚨 New stealer sample on #macOS, with codebase related to #Banshee variants. No code signature. Only one detection on VirusTotal at time of analysis. Shared by @malwrhunterteam.

It disguises itself as a "System and filesystem monitor daemon" and goes straight for crypto

UPD: Our previous post had visual inconsistencies, so we decided to re-upload it with the correct imagery.

1/ We're tracking new #Odyssey #macOS #stealer activity, and this one comes with a twist in delivery: the malicious script is embedded directly into a PLIST file.
Key

1/ℹ️We found a fully-featured macOS #RAT that zero AV vendors detected at the time of discovery.

Meet "3Crypt RAT/C2 Capability Tester" - a #macOS binary with deep recon, persistence, evasion, and lateral movement capabilities.

No real C2 infra. But don't let that fool you. 👇

Ever seen a malware dev just… come back?

A known macOS threat actor resurfaced under a new identity — now behind a stealer called notnullOSX.

It’s already active, evolving, and targeting high-value data.

Feels like macOS threats are getting a lot more persistent lately.

🔴1/ We've spotted in-the-wild usage of #Overlord RAT - a Go-based remote access trojan targeting #macOS.
Binary was found and shared by @malwrhunterteam.
First detections: South Korea.
This one has HVNC, process injection and browser hijacking capabilities. More below 👇