A list features Unnamed Downloader, Poseidon, and PyStealer that Moonlock Lab has discovered in the wild.
Feb 5, 2025
Moonlock Lab
Latest threat report
6 key trends to watch in macOS malware in 2026
What we’re seeing in macOS malware development is a reflection of how cybercrime itself evolves. As security ecosystems mature, threat actors are creating malware that is more efficient and more resilient than ever...
Feb 3, 2026
9 min read
About Moonlock Lab
Moonlock Lab is a team of security engineers that includes a former cybercrime investigator, a white-hat hacker, and a key figure of an Andy Greenberg book. They detect and study cyber threats daily, beefing up the defenses of Moonlock Engine.
Lab’s researchers have discovered new malware samples and AMOS variants, tracked down stealer developers, and exposed sophisticated malvertising campaigns. Their findings amass thousands of views, get featured in Forbes and Bleeping Computer. And when not chasing cyber threats, our experts hit the stage at RSA Webcast, Virus Bulletin, or Objective for the We.
More About Moonlock
Previous publications
Moonlock’s 2025 macOS threat report
For the second year in a row, MacPaw’s Moonlock Lab is sharing observations, research findings, and trends in macOS malware over the past year. This time, we focus less on the technical side of...
Dec 3, 2025
20 min read
Mac.c stealer evolves into MacSync: Now with a backdoor
In April 2025, a new macOS stealer developer emerged under the alias “mentalpositive.” Their stealer, mac.c, wasn’t sophisticated. It wasn’t particularly stealthy or feature-rich at launch, either. However, it did have one important...
Sep 12, 2025
7 min read
Atomic macOS Stealer now includes a backdoor for persistent access
Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers...
Jul 4, 2025
12 min read
Experts of Moonlock Lab
Lab making headlines
Moonlock's threat report reveals disturbing trends that are turning Apple’s platform into a lucrative target for cybercriminals.
Dec 5, 2024
Moonlock Lab examines attackers' evolving tactics, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits.
Dec 4, 2024
Here’s how Moonlock Lab obtained and analyzed a version of Atomic Stealer that primarily targets the Ledger Live app.
Aug 24, 2024
Follow Moonlock Lab on X
Infostealers aren’t slowing down. Listen to the second part of @9to5mac Security Bite Podcast with @arinwaichulis, where our Moonlock Lab researchers break down how these threats land, and why social engineering is escalating. 🎙️
An insight about a stealer campaign posted by @g0njxa recently () aligns with what we’re observing on #macOS too: #Odyssey stealer is scaling fast and showing broad geographic spread (multiple countries/regions affected in a short window - under 30 days).
Do you want to see how an usual infostealers victim landscape looks like from an actual malware campaign?
Have a look here thanks to @ipinfo tools:
https://ipinfo.io/tools/summarize-ips/1c8b79cd-01f2-4bd2-9453-202b4a8a0e38
Map: https://ipinfo.io/tools/map/3e25076f-6272-45d5-b683-deae1b4b45da
These are real numbers, objective data, don't let others create unverified
Hey!👋 If you appreciate the importance of work done by @osint_barbie from our team, dealing with malware and threat actors, - please go vote for her by sharing a link to her nominee profile @ Cybersecurity Excellence Awards ❤️🔥
https://cybersecurity-excellence-awards.com/candidates/kseniia-yamburh-2026/
1/ Crypto #phishing scams against #macOS users become more 'genuine' and continue to target Trezor consumers. Digging deeper on a campaign mentioned by @malwrhunterteam, we followed the trail and examined yet another WebView sample prompting for seed phrase .. 🧵
2
1/ We’re tracking a fresh wave of #Odyssey #Stealer activity targeting #macOS users.
Over the past days, our telemetry showed newly updated samples spreading primarily across:
🇺🇸 United States
🇫🇷 France
🇪🇸 Spain
Today, the picture has clearly changed: the same Odyssey campaign
Our team recently published 2026 #macOS malware predictions: supply-chain + AI/workflow (MCP) abuse, signed/notarized stealth & multi-stage loaders, Macs as proxy infrastructure, and “upmarket” infostealers.
Give it a read! 👇
1/ We conducted an analysis on yet undetected + low detected samples of something similar to a dropper/stager written in Go. According to our findings + what has been shared with us kindly by @malwrhunterteam, these files have a few generations with obfuscation in later ones. 🧵
2
Infostealers are no longer a side quest for macOS.
They’re a main storyline.
In Part 1 of the latest @9to5mac Security Bite podcast, Moonlock Lab researchers join @arinwaichulis to discuss why infostealers have emerged as one of the most dominant macOS threats in 2026.
Our
Great convo on macOS infostealers and why “just paste this into Terminal” is never a good life choice 🥲😅
Thank you @arinwaichulis for the great questions and a super nice vibe! Looking forward to Friday🎙️🍏
1/ To add up to @L0psec's analysis of malicious campaign targeting macOS users (), we want to share our check on other FUD samples, which @malwrhunterteam pointed us to. These seem quite interesting in terms of obfuscation and purpose 🧵
2Another potentially interesting FUD Swift app shared by @malwrhunterteam: 755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323
A zoom lookalike that uses Telegram bot for sending captured creds. But also more files: ELF, vbscript, python at the hosted URL? DPRK???
🧵
