Threat Actors Advertising ‘MioLab MacOS’ Infostealer on an Underground Forum


A new malware threat targeting macOS users has emerged on underground cybercrime forums, with threat actors marketing a sophisticated information-stealing tool called “MioLab MacOS.”

This resident infostealer comes equipped with a web-based control panel and customizable settings, making it an attractive option for cybercriminals looking to compromise Apple devices.

The malware is being advertised as a subscription service, highlighting the growing trend of Malware-as-a-Service (MaaS) operations that lower the entry barrier for attackers.

The seller claims that MioLab MacOS can extract sensitive information from browsers, password managers, cryptocurrency wallets, and even Apple’s Keychain system.

The advertisement claims support for over 200 cryptocurrency wallet browser extensions, including MetaMask and Trust Wallet, which, if accurate, makes the malware a serious risk to holders of digital assets.

It is also said to target more than 15 password management applications, such as LastPass, putting any credentials stored in them at significant risk once the local vault or its browser extension data is collected.


The malware also features a FileGrabber with operator-defined filtering rules; as advertised, it collects files with specific extensions such as .dat, .key, and .keys from the data directories of over 50 desktop ("cold") wallet applications, which is where wallet seeds and keystores are typically stored.

KrakenLabs researchers identified this threat circulating on underground forums where the developer actively promotes the subscription model.

The pricing structure includes a monthly subscription fee of $750 USD and an additional one-time payment of $500 USD for specialized Ledger and Trezor hardware wallet modules.

The seller also offers percentage-based deals for high-volume cybercriminals, indicating a business-oriented approach to malware distribution.

The malware’s data collection capabilities extend beyond financial information. It can steal browser cookies, passwords, browsing history, and autofill data from both Chromium and Gecko-based browsers.

Forum post (Source: X)

MioLab MacOS also captures Google authentication tokens. A stolen session token lets an attacker reuse an already-authenticated session rather than logging in afresh, so the password and any MFA prompt are never triggered, giving persistent access to the victim's accounts until the token is revoked.

Furthermore, it performs complete device profiling to gather system information and can extract content from Apple Notes, potentially revealing personal and business-related information.

Data Exfiltration and Command Infrastructure

MioLab MacOS uses Telegram bot integration for stolen data transmission: logs are sent through the Telegram Bot API, so the exfiltration leaves the host as ordinary HTTPS traffic to Telegram's legitimate API endpoint, and the operator receives notifications and stolen data in a Telegram chat. Because the traffic goes to a widely used, legitimately popular service, it blends in with normal network activity.

The malware features a centralized web panel that provides threat actors with log management capabilities and real-time monitoring of infected devices.

This infrastructure enables operators to organize stolen credentials, financial data, and personal information efficiently.

The combination of Telegram exfiltration and web-based administration creates a reliable command and control system that helps attackers maintain operational security while managing multiple victims simultaneously.
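Two of the behaviours described in this article, Keychain extraction and exfiltration over the Telegram Bot API, leave recognisable traces in endpoint telemetry. The following detection sketch is an added example and is not code from the article, from KrakenLabs, or from any EDR product. It assumes a constructed tab-separated `key=value` event format (network events carry `url`, process events carry `cmdline`), a hypothetical allowlist of processes that are expected to talk to Telegram, and a loose assumption about the shape of a Telegram bot token (`<numeric id>:<secret>`), which is embedded in every Bot API URL; the sample events are constructed for the example.

```python
"""Detection sketch: flag Telegram Bot API exfiltration and macOS Keychain
dumping in endpoint telemetry. Log format, allowlist and sample events are
constructed for this example (not from the article or any real product)."""
import re
from dataclasses import dataclass
from typing import Optional

# Telegram Bot API URLs carry the bot token directly in the path:
#   https://api.telegram.org/bot<token>/<method>
# Assumption: a token looks like "<numeric id>:<secret>"; the secret length is
# matched loosely (30+ chars) so small format changes do not break the rule.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Bot API methods that carry data out: sendDocument moves files, the others text/images.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Hypothetical allowlist: processes for which Bot API traffic is expected.
EXPECTED_TELEGRAM_PROCS = {"Telegram"}

# macOS `security` CLI subcommands that read or dump Keychain items.
KEYCHAIN_DUMP = re.compile(
    r"\bsecurity\b.*\b(dump-keychain|find-generic-password|find-internet-password)\b"
)


@dataclass
class Finding:
    kind: str      # "telegram_bot_exfil" or "keychain_dump"
    process: str   # process name from the event
    detail: str    # what was matched, with the bot secret stripped


def parse_event(line: str) -> dict:
    """Parse one tab-separated 'key=value' telemetry line (constructed format)."""
    event = {}
    for field in line.rstrip("\n").split("\t"):
        if "=" in field:
            key, _, value = field.partition("=")
            event[key] = value
    return event


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches one of the two behaviours."""
    proc = event.get("proc", "?")
    if event.get("type") == "net":
        m = TELEGRAM_BOT_URL.search(event.get("url", ""))
        if m and m.group("method") in EXFIL_METHODS and proc not in EXPECTED_TELEGRAM_PROCS:
            # Keep only the numeric bot id in the alert: enough to pivot on the
            # bot across hosts, without copying the secret into ticket systems.
            bot_id = m.group("token").split(":", 1)[0]
            return Finding("telegram_bot_exfil", proc,
                           f"bot_id={bot_id} method={m.group('method')}")
    elif event.get("type") == "proc":
        cmdline = event.get("cmdline", "")
        if KEYCHAIN_DUMP.search(cmdline):
            return Finding("keychain_dump", proc, cmdline)
    return None


def analyze(lines) -> list:
    """Run check_event over every line and collect the findings in order."""
    findings = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one benign Telegram client poll, one benign
# browser request, one Keychain read from a shell, one Bot API upload from
# a scripting host that has no business talking to Telegram.
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z\ttype=net\tproc=Telegram\turl=https://api.telegram.org/bot123456789:AAFexampleexampleexampleexampleexample/getUpdates",
    "ts=2024-01-01T10:00:05Z\ttype=net\tproc=Safari\turl=https://www.apple.com/",
    "ts=2024-01-01T10:00:09Z\ttype=proc\tproc=bash\tcmdline=security find-generic-password -wa victim",
    "ts=2024-01-01T10:00:12Z\ttype=net\tproc=osascript\turl=https://api.telegram.org/bot123456789:AAFexampleexampleexampleexampleexample/sendDocument",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind}: proc={f.process} {f.detail}")
```

The rule deliberately keys on the `sendDocument`/`sendMessage` methods and on the originating process rather than on the domain alone, since blocking or alerting on all of `api.telegram.org` produces noise wherever the legitimate Telegram client is installed; the bot id that survives in the alert is what lets an analyst correlate infections that report to the same operator bot.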
