Moonlock Lab

@moonlock_lab

Malware research lab @moonlock_com Assembled by @macpaw to detect and study cybersecurity threats.

Joined June 2023
70 Following · 1.5K Followers
Pinned Tweet
Moonlock Lab@moonlock_lab·
Our team recently published 2026 #macOS malware predictions: supply-chain + AI/workflow (MCP) abuse, signed/notarized stealth & multi-stage loaders, Macs as proxy infrastructure, and “upmarket” infostealers. Give it a read! 👇 moonlock.com/macos-malware-…
Moonlock Lab@moonlock_lab·
IOCs 🧙 b3ff86f6fc849693a84e525b4839a58111c530c60fb117739a23dc7a7441f56c 292a74d8e56e7605802cace34f2ee9adef38a1455970b7468a83061ad86550da b93494549d589123455cd244d75765df29fdaf12b29f3faa4a16483d702a435f ada7fd7409b64c2e0ee8aa0cea747a756561440b9ddb465ebad600d3ae1b1c1f task-vault-54a2-356814497283.us-central1[.]run[.]app 2df91afaee60aa8a5dca05ff48acc26ea9096b7d6efb4cfc8911461ff9c63dad (Win EXE)
Moonlock Lab@moonlock_lab·
1/ New #macOS samples, 0 detections on VT as of writing, but multiple artifacts suggest Sliver-like HTTP(S) C2. Shared by @malwrhunterteam. What stood out: procedural URL patterns, PNG-wrapped network payloads, no plaintext IOCs, and wazero/WASM-related execution. More below👇
Moonlock Lab@moonlock_lab·
We’re seeing a significant number of #SHub #stealer samples in the wild, with detections spanning multiple countries. Especially concerning is that it also impersonates CleanMyMac, abusing a trusted brand to target users (x.com/cleanmymac/sta…). This is another reminder that macOS stealers remain a growing threat. Our team is tracking it, and our customers are protected by Moonlock. See the map for the current detection footprint. 👇
CleanMyMac by MacPaw@cleanmymac

⚠️ Important security notice: A fraudulent website is currently impersonating CleanMyMac and distributing macOS malware. It presents a fake installation prompt and instructs users to open Terminal and paste a command. CleanMyMac will never ask you to do this. Ever. Only download CleanMyMac from official sources: ✅ macpaw.com/cleanmymac ✅ Mac App Store ✅ Setapp Marketplace If you've encountered this site or believe you may have been affected, please change your passwords and run a trusted malware scanner immediately. Stay safe online!

Moonlock Lab retweeted
Moonlock by MacPaw@moonlock_com·
We’re excited to share something special with the community. Moonlock Lab experts @osint_barbie and @xor3r have published a new piece on the RSA Conference blog about the evolving landscape of macOS threats. In the article they break down the most common threats targeting macOS today, how these attacks have evolved, and what security teams should be paying attention to next. Proud to share this knowledge with the community 🙌🏻 #RSAC rsaconference.com/library/blog/m…
Moonlock Lab@moonlock_lab·
Beware fake VCs on LinkedIn ❗️ Our latest Moonlock Lab report tracks a new #ClickFix campaign using fake Zoom/Meet links + a bogus Cloudflare CAPTCHA to trick victims into pasting malicious commands - cross-platform for macOS & Windows. Featuring findings by @malwrhunterteam and analysis by @L0Psec 🔎 Give it a read 👉 moonlock.com/fake-vcs-targe…
Moonlock Lab@moonlock_lab·
Infostealers aren’t slowing down. Listen to the second part of @9to5mac Security Bite Podcast with @arinwaichulis, where our Moonlock Lab researchers break down how these threats land, and why social engineering is escalating. 🎙️ 9to5mac.com/2026/02/24/sec…
Moonlock Lab@moonlock_lab·
🧙IOC: f33c7e03d14de2053daf69f745e209744599acbad8d5bd725afbdcbbae773e03
Moonlock Lab@moonlock_lab·
1/ We just triaged a #macOS sample that looks like a full-featured RAT with a twist - it uses the #Solana blockchain as part of its C2 workflow. Kindly shared by @malwrhunterteam. More below 🧵