Moonlock Lab

526 posts


@moonlock_lab

Malware research lab @moonlock_com Assembled by @macpaw to detect and study cybersecurity threats.

Joined June 2023
76 Following · 1.6K Followers
Pinned Tweet
Moonlock Lab @moonlock_lab
Our team recently published 2026 #macOS malware predictions: supply-chain + AI/workflow (MCP) abuse, signed/notarized stealth & multi-stage loaders, Macs as proxy infrastructure, and “upmarket” infostealers. Give it a read! 👇 moonlock.com/macos-malware-…

Moonlock Lab @moonlock_lab
10/ IOCs 🧙
f7f638987b40d68176e7dd08c34de39b5f1103add19df3f11f1833d027fc11b8
29499aadd073558f4a1e59b56759593c26bfec121b01188a9f4d6fc8c5df0ee1

Moonlock Lab @moonlock_lab
9/ Full confirmed capability set - this is not a simple stealer. It's rather a stealer + RAT hybrid. 📝Build leak: developer username ‘rootr’ in Rust debug strings. 📌Never run unsigned apps from untrusted sources. Never enter your system password into an app you didn't install yourself.

Moonlock Lab @moonlock_lab
1/ A new #macOS #stealer in the wild, analyzed after being spotted by @malwrhunterteam🚨 A Rust-compiled, universal (x86_64 + arm64) infostealer targeting passwords, Keychain, browser data, Telegram, hardware wallets, and Apple Notes - all in one binary. It’s also different from some usual stealers we see on a daily basis. Here's everything we found 👇

Moonlock Lab @moonlock_lab
The day has come - Moonlock Lab now has a Discord 🤩 If you've been lurking our research for a while, this is a good excuse to say hi. To kick it off, we're giving away 4 books by @patrickwardle - 'The Art of Mac Malware'. To participate in our Giveaway:
• Join the server: discord.gg/macpaw
• Jump into the 🧪moonlock-lab channel
• React with your fav emoji on the giveaway post
• Post a short intro (handle + one topic related to macOS security you want us to cover) in the channel
See you in there 🫶

Moonlock Lab @moonlock_lab
Here is another related sample with the same TeamID and Signature, first seen in March this year, and detected as Cobaltstrike on VT:
b62756002243678c0017f464c71379a41fced350ad57566fa8322d0d023d51dd
The earliest one we managed to find is this one, from December 2025:
85befd6ac8715e0725e0bcf4f743806c9533894f6cf206ddec1ac8772958a370
It may be additional proof of a statement by @PurpleOps_io - x.com/PurpleOps_io/s…. Thanks @malwrhunterteam for pointing out this infra.
Quoted tweet, L0Psec (@L0Psec):
Here are two potentially interesting ones shared by @malwrhunterteam. They have many adaptixC2 detections BUT were signed. com.shizhuang.itrustd. Several other files have this signature. 🧵

Moonlock Lab @moonlock_lab
🧙‍♀️ IOCs:
7c4035d3c1ab30671d8e23612514b2695f7ec2bc47df2eed765257b97c6cfa95
16be4aaa7ff9b559b38196ffcc7ead4dd710f6178de61ba80f6cc3c4c6a91ce7
19b51cc3fe04e4ce15c31b0914310fb4e0c975fb9c1bc0010d05fb038f75d59b
Domains: greenactiv[.]com, rahtam[.]com, scubin[.]com
C2: 165[.]245[.]215[.]18
Plist: com.apple.accountsd.helper
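The IOC tweet above gives three SHA-256 hashes, three defanged domains, a defanged C2 IP and a LaunchAgent label that imitates an Apple daemon. Below is an added example (written for this page, not Moonlock Lab's code) of sweeping those indicators against three kinds of evidence an incident responder can collect offline: `shasum -a 256` output, the raw XML of LaunchAgent plists, and free-form DNS/proxy/lsof lines. It refangs the `[.]` notation before matching, matches subdomains of the listed domains, and, as a heuristic that is this example's assumption rather than something the tweet states, also flags any other `com.apple.*` label found in a user's `~/Library/LaunchAgents`, since Apple does not install its own agents there. All sample evidence is constructed.

```python
import plistlib
import re
from dataclasses import dataclass

# Indicators copied from the tweet; domains and the C2 IP kept defanged as posted.
IOC_SHA256 = {
    "7c4035d3c1ab30671d8e23612514b2695f7ec2bc47df2eed765257b97c6cfa95",
    "16be4aaa7ff9b559b38196ffcc7ead4dd710f6178de61ba80f6cc3c4c6a91ce7",
    "19b51cc3fe04e4ce15c31b0914310fb4e0c975fb9c1bc0010d05fb038f75d59b",
}
IOC_DOMAINS_DEFANGED = {"greenactiv[.]com", "rahtam[.]com", "scubin[.]com"}
IOC_C2_DEFANGED = {"165[.]245[.]215[.]18"}
IOC_PLIST_LABEL = "com.apple.accountsd.helper"


def refang(ioc: str) -> str:
    """Undo '[.]' / 'hxxp://' defanging so the indicator compares byte-for-byte."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_C2 = {refang(ip) for ip in IOC_C2_DEFANGED}


@dataclass(frozen=True)
class Hit:
    kind: str    # "hash", "plist", "plist-suspicious", "domain" or "ip"
    value: str   # the indicator (or label) that matched
    source: str  # where it was seen: file path, plist path or raw log line


SHASUM_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def check_shasum_output(lines):
    """Match lines in `shasum -a 256` format ('<hash>  <path>') against the hashes."""
    hits = []
    for line in lines:
        m = SHASUM_RE.match(line.strip())
        if m and m.group(1).lower() in IOC_SHA256:
            hits.append(Hit("hash", m.group(1).lower(), m.group(2)))
    return hits


def check_launch_agents(plists):
    """plists maps a plist path to its raw XML bytes. The exact IOC label is a hit;
    any other com.apple.* label under a user's ~/Library/LaunchAgents is flagged as
    suspicious (heuristic assumed by this example, not stated in the tweet)."""
    hits = []
    for path, raw in plists.items():
        label = plistlib.loads(raw).get("Label", "")
        in_user_agents = path.startswith("/Users/") and "/Library/LaunchAgents/" in path
        if label == IOC_PLIST_LABEL:
            hits.append(Hit("plist", label, path))
        elif in_user_agents and label.startswith("com.apple."):
            hits.append(Hit("plist-suspicious", label, path))
    return hits


# Either a dotted-quad IP or a hostname with at least one dot and an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def check_network_log(lines):
    """Scan free-form DNS / proxy / lsof lines for the C2 IP and the domains
    (including any subdomain of them)."""
    hits = []
    for line in lines:
        for token in HOST_RE.findall(line):
            t = token.lower()
            if t in IOC_C2:
                hits.append(Hit("ip", t, line))
            elif t in IOC_DOMAINS or any(t.endswith("." + d) for d in IOC_DOMAINS):
                hits.append(Hit("domain", t, line))
    return hits


# --- constructed sample evidence (not real telemetry) --------------------------
SAMPLE_SHASUM = [
    "7c4035d3c1ab30671d8e23612514b2695f7ec2bc47df2eed765257b97c6cfa95  /Users/demo/Downloads/Codex.dmg",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /Users/demo/Downloads/empty.txt",
]
PLIST_TEMPLATE = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
                  b"<key>Label</key><string>%s</string>"
                  b"<key>ProgramArguments</key><array><string>%s</string></array>"
                  b"<key>RunAtLoad</key><true/></dict></plist>")
SAMPLE_PLISTS = {  # hypothetical paths and labels apart from the IOC label itself
    "/Users/demo/Library/LaunchAgents/com.apple.accountsd.helper.plist":
        PLIST_TEMPLATE % (b"com.apple.accountsd.helper", b"/Users/demo/Library/.helper"),
    "/Users/demo/Library/LaunchAgents/com.apple.example.agent.plist":
        PLIST_TEMPLATE % (b"com.apple.example.agent", b"/Users/demo/.agent"),
    "/Library/LaunchAgents/com.example.updater.plist":
        PLIST_TEMPLATE % (b"com.example.updater", b"/Applications/Example.app/Contents/MacOS/updater"),
}
SAMPLE_NET = [
    "2026-03-02T10:00:01Z query A cdn.greenactiv.com from 192.168.1.20",
    "helper 4242 demo 5u IPv4 TCP 192.168.1.20:53211->165.245.215.18:443 (ESTABLISHED)",
    "2026-03-02T10:00:09Z query A www.apple.com from 192.168.1.20",
]


def run_sweep(shasum_lines=SAMPLE_SHASUM, plists=SAMPLE_PLISTS, net_lines=SAMPLE_NET):
    """Return every hit across the three evidence sources, in source order."""
    return (check_shasum_output(shasum_lines) + check_launch_agents(plists)
            + check_network_log(net_lines))


if __name__ == "__main__":
    for h in run_sweep():
        print(f"[{h.kind}] {h.value}  <-  {h.source}")
```

On a real host, feed `check_shasum_output` the output of `shasum -a 256` over Downloads and application bundles, `check_launch_agents` the bytes of each file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and `check_network_log` whatever DNS or proxy logs are available. Hash matching only catches the exact samples listed; the label and domain checks are what survive a recompiled binary.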

Moonlock Lab @moonlock_lab
1/ We spotted three macOS stealer samples on VirusTotal, fresh enough that they're still at 0/72 a week after upload. A known malware family is being delivered as a fake build of Codex for Mac. Sharing what we pulled out 🧵