Moonlock Lab

macOS malware investigations


About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure in an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.

The Lab's researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views and get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective by the Sea.


Follow Moonlock Lab on X

🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article!
We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read!

1/8: Our team investigated yet another #macOS #stealer hidden behind a fake CleanMyMac website. It all started with an impersonating domain: cleanmymacpro[.]net, and resulted in a chain of hidden requests. Here’s how the malware is delivered and what tricks are used 👇

1/5: 🚨 Our team uncovered a #macOS downloader fetching an old #Banshee #stealer sample from an allegedly compromised Kenyan website makeitfilms[.]co[.]ke. Could this be the notorious malware staging a comeback?

1/4: The Moonlock Lab team notifies about an ongoing campaign involving #Odyssey #macOS #stealer and others utilizing a Gatekeeper bypass. It started in early May and has been going on until today. Our analytics system has noticed an anomalous increase in observed samples among our users.

1/14: Our team conducted an initial analysis of the #macOS files which might be related to the infrastructure previously used by Asian #APT groups. Also mentioned today by @malwrhunterteam. You can see our findings below 👇

MalwareHunterTeam @malwrhunterteam

Downloads a script from here: https://www.appleprocesshub[.]com/fSidEOWW.sh
That is currently this basic stealer script: