MioLab MacOS Stealer Expands With ClickFix, Wallet Theft, Team APIs

As Apple’s macOS footprint grows in both consumer and enterprise environments, dedicated infostealers like MioLab (aka Nova) demonstrate that Macs are no longer a niche target but a priority for cybercrime ecosystems.

Marketed as a premium Malware-as-a-Service (MaaS) on Russian-language forums, MioLab combines an evasive macOS binary with a mature web panel, new ClickFix delivery tooling, and deep support for cryptocurrency theft and team automation.

MioLab’s core architecture centers on a lightweight C-based stub of roughly 100 KB, compiled as a Mach-O universal binary for both x86_64 and arm64, with a minimum target of macOS 11.5.

The bundle metadata uses generic identifiers such as “Application” and com.utils.application, helping the malware blend into typical user installations.

MioLab Login page (Source : LevelBlue).
MioLab Login page (Source : LevelBlue).

Internally, the code leans on dynamic string construction and heavy XOR-based runtime decoding, enabling it to hide sensitive commands and URLs until execution time via repeated decode-then-_system() sequences.

According to the report, MioLab, which is heavily advertised on prominent Russian-speaking underground forums, represents a highly commercialized and professional approach to MacOS malware.

On execution, MioLab immediately deploys social-engineering-driven evasion and reconnaissance.

MioLab MacOS Stealer

It prompts victims to right-click and “open” a seemingly legitimate installer, then forcefully terminates Terminal sessions, requests the user’s password via a spoofed System Preferences dialog, and validates credentials using dscl before running system_profiler to profile hardware, software, and display characteristics.

The malware then executes a complex AppleScript FileGrabber workflow via osascript to harvest documents from Desktop, Documents, and Downloads up to a 10 MB cap, relying on Finder-mediated access and macOS TCC prompts.

The stealer’s data-theft capabilities are broad and aggressively tuned for monetization. MioLab systematically enumerates Chromium and Gecko browsers Chrome, Edge, Brave, Opera, Vivaldi, Yandex, Firefox, and forks to extract cookies, passwords, autofill data, Google tokens, and profile artifacts, with specific logic for Yandex data stores.

Recent updates add reliable Safari cookie harvesting, suggesting the developers have found ways to sidestep or abuse macOS transparency and consent controls for Apple’s native browser.

Simultaneously, the malware targets the macOS Keychain, Apple Notes databases, password managers, and messenger clients like Telegram and Discord to consolidate credentials and session tokens.

Cryptocurrency theft remains MioLab’s defining feature. The stealer supports over 200 browser-based wallet extensions, including MetaMask and Trust Wallet, and scans for desktop and node wallets such as Exodus, Electrum variants, Wasabi and Bitcoin-family clients by hunting for wallet.dat, .key, .keys, and associated configuration files.

Stolen information view (Source : LevelBlue).
Stolen information view (Source : LevelBlue).

A premium “universal” hardware-wallet module specifically targets Ledger and Trezor ecosystems, adapting to recent vendor updates and attempting to intercept 24-word BIP39 recovery seed phrases via companion apps like Ledger Live and Trezor Suite.

This combination enables operators to drain both hot and cold wallets at scale.

All collected assets are staged under randomized directories in the macOS temporary folder, where MioLab writes files such as “User Name.txt,” “User Password.txt,” browser dumps, Apple Notes exports, and “User Files” archives.

Once collection is complete, the malware compresses its directory tree into a single ZIP and exfiltrates it using curl POST requests, sending the archive alongside operator-defined identifiers such as user_id and build_tag to its command-and-control API.

Finally, it displays a fake error dialog claiming the Mac does not support the application, nudging victims to believe the program failed to run.

On the infrastructure side, MioLab’s web panel reflects a polished, enterprise-like UX tailored to traffickers and large crimeware teams.

New ClickFix tactic expands MioLab

The dashboard offers granular log sorting, victim search by geography or asset type, and a Google cookie restoration tool that uses stolen tokens and optional proxies to resume victim sessions without passwords or 2FA codes.

Cookie handling UI (Source : LevelBlue).
Cookie handling UI (Source : LevelBlue).

Recent updates emphasize ClickFix automation: operators can generate malicious Terminal commands in one click by entering server details, after which the panel outputs ready-to-paste payloads for fake CAPTCHA or documentation pages.

Dedicated proxy layers allow each build to communicate through isolated infrastructure, complicating takedowns and sinkholing efforts.

The ecosystem behind MioLab benefits from bulletproof hosting infrastructure tied to entities such as FEMO IT Solutions / Defhost, which have been documented as safe havens for malware and phishing operations.

Large teams programmatically generate Unix/DMG builds, download exfiltrated logs, and manage their infrastructure without needing to log into the web interface.

MioLab infection chain (Source : LevelBlue).
MioLab infection chain (Source : LevelBlue).

OSINT shows MioLab’s panel and builder cycling through Cloudflare-fronted domains and underlying IPs, while related infrastructure simultaneously hosts Ethereum airdrop drainers that use parameterized URLs to render real-time token data and trick users into connecting wallets.

This reuse and rotation of infrastructure allows operators to repurpose burned panels as Web3 drainers, squeezing residual value from prior campaigns.

The latest MioLab wave is also riding the broader ClickFix trend that exploits developer trust in command-line tools.

Security researchers have observed malvertising that pushes convincing clones of documentation portals such as fake Claude Code docs where Windows instructions are benign but macOS sections deliver base64-masked curl loaders and Mach-O binaries chained via xattr-clearing commands to bypass Gatekeeper.

These loaders in turn execute XOR-obfuscated secondary payloads via _system(), aligning closely with the obfuscation patterns seen in MioLab’s static analysis.

Defenders should treat MioLab as a representative example of the new macOS infostealer baseline: API-driven, crypto-focused, and tightly integrated with ClickFix social-engineering chains.

Practical mitigations include hardening Terminal usage policies, detecting abuse of utilities like dscl, osascript, system_profiler, and curl by unsigned binaries, and monitoring for anomalous access to browser profiles, Apple Notes data stores, and login.keychain-db.

Blocking known C2 domains and bulletproof-hosting ranges, enforcing strict code-signing, and continuously educating users about drag-to-Terminal and password-harvesting lures are now essential for macOS environments that handle sensitive credentials and cryptocurrency assets.

Related Articles

Back to top button