“Say My Name”: How MioLab is building MacOS Stealer Empire
ID: 54791767-8f17-5511-91e9-ca3a978032b0
STIX ID: report--54791767-8f17-5511-91e9-ca3a978032b0
Feed Name: LevelBlue SpiderLabs Blog
MioLab (aka Nova) is a commercially sold macOS infostealer, offered as malware-as-a-service (MaaS) and actively distributed via targeted malvertising and a ClickFix-style execution chain. It supports Intel and Apple Silicon and uses runtime string obfuscation and FUD techniques. It harvests browser data, Keychain items, Apple Notes, messaging sessions and desktop wallet files, and actively targets hardware wallets (Ledger/Trezor) to exfiltrate seed phrases. The platform includes a user-friendly web panel, builder tools (DMG/Unix), API access, per-build proxying, and modular plugins for crypto theft, with observed active infrastructure (domains, IPs, C2 endpoints), IoCs, and operational overlap with Web3 phishing campaigns.
