Moonlock Lab

macOS malware investigations

Moonlock Lab

Latest threat report

Moonlock's 2025 macOS threat report: Header image

Moonlock’s 2025 macOS threat report

For the second year in a row, MacPaw’s Moonlock Lab is sharing observations, research findings, and trends in macOS malware over the past year. This time, we focus less on the technical side of...
Dec 3, 2025
20 min read

About Moonlock Lab

Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.


Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.

More About Moonlock
About Moonlock Lab

Previous publications

Mac.c stealer evolves into MacSync: Now with a backdoor: Header image

Mac.c stealer evolves into MacSync: Now with a backdoor

In April 2025, a new macOS stealer developer emerged under the alias “mentalpositive.” Their stealer, mac.c, wasn’t sophisticated. It wasn’t particularly stealthy or feature-rich at launch, either. However, it did have one important...
Sep 12, 2025
7 min read
Atomic macOS Stealer now includes a backdoor for persistent access: Header image

Atomic macOS Stealer now includes a backdoor for persistent access

Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read
"Anti-Ledger" malware: The battle for Ledger Live seed phrases: Header image

“Anti-Ledger” malware: The battle for Ledger Live seed phrases

Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry...
May 22, 2025
10 min read

Experts of Moonlock Lab

Kseniia Yamburh

Kseniia Yamburh

Kseniia is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. She specializes in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.
Mykhailo Hrebeniuk

Mykhailo Hrebeniuk

Mykhailo is a macOS security researcher at Moonlock, the cybersecurity division of MacPaw. He specializes in malware analysis, data analysis, and developing tools. Mykhailo previously worked as a software developer with embedded Linux and networking, focusing on vulnerability research.
Victor Kubashok

Victor Kubashok

Viсtor is a cybersecurity expert at Moonlock, the cybersecurity division of MacPaw. He has over a decade of experience as a malware analyst and ethical hacker, and has contributed to investigating malware used in major cyberattacks on Ukraine.
Mykola N.

Mykola N.

Mykola is a macOS security researcher and malware analyst at Moonlock, the cybersecurity division of MacPaw. With 20 years of experience in several cybersecurity areas, he is a participant of the Apple Security Bounty program and has earned multiple rewards for his reports on macOS vulnerabilities.
Oleh K.

Oleh K.

Oleh is a reverse engineer at Moonlock, the cybersecurity division of MacPaw. He specializies in reverse engineering, debugging, and bypassing malware obfuscation and protection mechanisms.
Mykhailo Pazyniuk

Mykhailo Pazyniuk

Mykhailo is a malware research engineer at Moonlock, the cybersecurity division of MacPaw. He specializes in tracking threat groups, and currently works as a research engineer, overseeing malware campaigns, reporting on threat actor activity, and classifying emerging malware families.
Lab making headlines
Macworld media logo
Complete list of Mac viruses, malware and trojans
A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
CSO media logo
Is the tide turning on macOS security?
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
apple insider media logo
What a new threat report says about Mac malware in 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
hackernoon media logo
Tracking Atomic Stealer on macOS: sophisticated malware replacing Ledger Live app
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024

Follow Moonlock Lab on X

moonlock_lab Moonlock Lab @moonlock_lab ·
2h

1/ We investigate a multi-stage #macOS stealer chain (likely a variant of #DigitStealer) with a Bash loader + JXA + AppleScript, obfuscation in place. Two files from this flow are undetected on VirusTotal at the time of writing, others have 2-3 detections.
Initial research

2

Reply on Twitter 2011398956463341798 Retweet on Twitter 2011398956463341798 2 Like on Twitter 2011398956463341798 8 X 2011398956463341798
osint_barbie xiu @osint_barbie ·
12 Jan

Following @g0njxa’s report (https://x.com/g0njxa/status/2010073225884213533)on a fake meeting platform Sonance delivering signed macOS and Windows malware, I checked the DMG🍏

This DMG drops a Swift app named Freeze IO.
Interestingly, it's not a typical infostealer, but a RAT / downloader. What it

Reply on Twitter 2010737414029840417 Retweet on Twitter 2010737414029840417 10 Like on Twitter 2010737414029840417 26 X 2010737414029840417
moonlock_com Moonlock by MacPaw @moonlock_com ·
4 Dec

2025 showed clearly — the myth of a “safe Mac” is dead.
According to Moonlock’s annual threat report:
• macOS backdoor variants 📈 up by 67%
• Stealer malware families 📈 up by 17%
• Over 80 countries hit by major stealer campaigns

In short: Macs are no longer “safe by

Reply on Twitter 1996508564353941923 Retweet on Twitter 1996508564353941923 7 Like on Twitter 1996508564353941923 13 X 1996508564353941923
moonlock_lab Moonlock Lab @moonlock_lab ·
3 Dec

1/ North Korean hackers are pushing fake "Microsoft Teams Update" to #macOS users. We detected an ongoing campaign, which is consistent with #DPRK recruitment/crypto-targeting ops, today in France.
Filename: Microsoft Teams Update.scpt
SHA256:

Reply on Twitter 1996304740410347890 Retweet on Twitter 1996304740410347890 8 Like on Twitter 1996304740410347890 47 X 1996304740410347890
moonlock_com Moonlock by MacPaw @moonlock_com ·
14 Nov

Moonlock has been verified by AV-TEST 🎉

AV-TEST independently evaluates antivirus software for accuracy and overall performance. Moonlock proved malware-proof on macOS and didn’t flag a single trusted file. That means it protects you from anything harmful while keeping your…

Reply on Twitter 1989320043130192199 Retweet on Twitter 1989320043130192199 3 Like on Twitter 1989320043130192199 13 X 1989320043130192199
moonlock_lab Moonlock Lab @moonlock_lab ·
11 Nov

Remember our previous post regarding the #MacSync #phishing variant? Well, it seems this one started spreading among our users, specifically as #Trezor Suite app bundle.

We remind you to stay cautious and never input your seed phrase on such applications 🔎…

Reply on Twitter 1988267056320352651 Retweet on Twitter 1988267056320352651 3 Like on Twitter 1988267056320352651 14 X 1988267056320352651
moonlock_lab Moonlock Lab @moonlock_lab ·
3 Nov

🔎 Seems like #Odyssey #macOS stealer crossed our upper tolerance band for the average detection rate on Nov 1st, indicating an active campaign.
Geography suggests the spread is global, with visible clusters in India, the US, APAC, and parts of Europe.

Missed our latest…

2

Reply on Twitter 1985409070422257871 Retweet on Twitter 1985409070422257871 3 Like on Twitter 1985409070422257871 27 X 1985409070422257871