Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Atomic macOS Stealer now includes a backdoor for persistent access: Header image
Atomic macOS Stealer now includes a backdoor for persistent access
Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

"Anti-Ledger" malware: The battle for Ledger Live seed phrases: Header image
“Anti-Ledger” malware: The battle for Ledger Live seed phrases
Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry...
May 22, 2025
10 min read
Realtek or real threat? The macOS malware that won’t quit: Header image
Realtek or real threat? The macOS malware that won’t quit
Suspected North Korean threat actors are targeting macOS users with a recycled — but still dangerous — malware campaign. First spotted in April 2025, this campaign is a subtle evolution of the “Contagious...
May 5, 2025
9 min read
Moonlock 2024 macOS threat report (Header image)
Moonlock’s 2024 macOS threat report
For decades, Apple devices have enjoyed a reputation for being mostly malware-free. However, with a 60 percent increase in market share in the last 3 years alone, macOS has become a prime target...
Dec 3, 2024
14 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
8 Jul

🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article!
We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read!

Reply on Twitter 1942524364844589264 Retweet on Twitter 1942524364844589264 19 Like on Twitter 1942524364844589264 54 X 1942524364844589264
moonlock_lab Moonlock Lab @moonlock_lab ·
18 Jun

1/8: Our team investigated yet another #macOS #stealer hidden behind a fake CleanMyMac website. It all started with an impersonating domain: cleanmymacpro[.]net, and resulted in a chain of hidden requests. Here’s how the malware is delivered and what tricks are used 👇

Reply on Twitter 1935409328305144215 Retweet on Twitter 1935409328305144215 20 Like on Twitter 1935409328305144215 52 X 1935409328305144215
moonlock_lab Moonlock Lab @moonlock_lab ·
6 Jun

1/5: 🚨 Our team uncovered a #macOS downloader fetching an old #Banshee #stealer sample from an allegedly compromised Kenyan website makeitfilms[.]co[.]ke. Could this be the notorious malware staging a comeback?

Reply on Twitter 1931072547459825996 Retweet on Twitter 1931072547459825996 10 Like on Twitter 1931072547459825996 35 X 1931072547459825996
moonlock_lab Moonlock Lab @moonlock_lab ·
27 May

1/4: Moonlock Lab team notifies about an ongoing campaign involving #Odyssey #macOS #stealer and others utilizing Gatekeeper bypass. Started in early May and has been going on until today. Our analytics system has noticed an anomalous increase in observed samples among our users.

Reply on Twitter 1927450645780365634 Retweet on Twitter 1927450645780365634 10 Like on Twitter 1927450645780365634 35 X 1927450645780365634
moonlock_lab Moonlock Lab @moonlock_lab ·
19 May

1/14: Our team conducted an initial analysis of the #macOS files which might be related to the infrastructure, previously used by Asian #APT groups. Also mentioned today by @malwrhunterteam (). You can see our findings below 👇

MalwareHunterTeam @malwrhunterteam

Downloads a script from here: https://www.appleprocesshub[.]com/fSidEOWW.sh
That is currently this basic stealer script:

Reply on Twitter 1924582988219642081 Retweet on Twitter 1924582988219642081 17 Like on Twitter 1924582988219642081 48 X 1924582988219642081