“Say My Name”: How MioLab is building MacOS Stealer Empire

MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...

Pulse ID: 69f3653e884ec7a430371ba3
Pulse Link: https://otx.alienvault.com/pulse/69f3653e884ec7a430371ba3
Pulse Author: AlienVault
Created: 2026-04-30 14:20:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BIP39 #Browser #CyberSecurity #Edge #InfoSec #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #Russia #Safari #SocialEngineering #Word #bot #cryptocurrency #AlienVault

LofyStealer: Malware targeting Minecraft players.

A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It extracts cookies, passwords, tokens, credit cards, and IBANs from eight different browsers including Chrome, Edge, Brave, Opera GX, and Firefox. The loader uses GitHub Actions for automated compilation while the payload employs direct syscalls to bypass EDR detection. Data is compressed via PowerShell, Base64-encoded, and exfiltrated to a Brazilian-hosted C2 server at 24.152.36.241. The operation is attributed with high confidence to the Brazilian cybercrime group LofyGang, operating a Malware-as-a-Service platform with Free and Premium tiers through a web panel branded as LofyStealer Advanced C2 Platform V2.0.

Pulse ID: 69f1f50b6a5e5d1ca31204bb
Pulse Link: https://otx.alienvault.com/pulse/69f1f50b6a5e5d1ca31204bb
Pulse Author: AlienVault
Created: 2026-04-29 12:09:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brave #Brazil #Browser #Chrome #Cookies #CreditCard #CreditCards #CyberCrime #CyberSecurity #EDR #Edge #FireFox #GitHub #InfoSec #InfoStealer #Malware #MalwareAsAService #Minecraft #Nodejs #OTX #OpenThreatExchange #Opera #Password #Passwords #PowerShell #RAT #SocialEngineering #Word #bot #AlienVault

TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337, combining cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, ransomware module (crpx0), and Java RAT builder managed via FastAPI-based panel with license key system. The operation targets Windows and macOS using FedEx and OnlyFans-themed social engineering lures, with complete source code exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting, operating under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from configurations, indicating a Malware-as-a-Service operation with tiered licensing.

Pulse ID: 69e8c1fb96869b14e2c565a2
Pulse Link: https://otx.alienvault.com/pulse/69e8c1fb96869b14e2c565a2
Pulse Author: AlienVault
Created: 2026-04-22 12:41:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BitCoin #Browser #Clipboard #CyberSecurity #InfoSec #InfoStealer #Java #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #SocialEngineering #Telegram #Windows #bot #cryptocurrency #AlienVault

New NGate variant hides in a trojanized NFC payment app

ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Prêmios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings.

Pulse ID: 69e7a6a0bb463e49c9b7572e
Pulse Link: https://otx.alienvault.com/pulse/69e7a6a0bb463e49c9b7572e
Pulse Author: AlienVault
Created: 2026-04-21 16:32:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Brazil #CyberSecurity #ESET #Google #GooglePlay #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Trojan #Troll #bot #iOS #AlienVault

StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets

StepDrainer is a Malware-as-a-Service (MaaS) platform engineered to steal digital assets from cryptocurrency wallets, including fungible tokens and high-value NFT collections. The malware supports more than 20 blockchain networks and incorporates multiple draining techniques, particularly abusing ERC-20 token permissions and NFT approval mechanisms.

The platform includes automated asset transfer capabilities, compatibility with widely used mobile wallets, and encrypted logging via Telegram channels for attacker monitoring. StepDrainer is commercially distributed within cybercriminal ecosystems, with pricing models ranging from approximately $750 for full source code access to $150 for a shared version that imposes a 20% commission on successful thefts.

Pulse ID: 69e734af1069d427edf013a9
Pulse Link: https://otx.alienvault.com/pulse/69e734af1069d427edf013a9
Pulse Author: AlienVault
Created: 2026-04-21 08:26:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #InfoSec #MaaS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #SMS #Telegram #bot #cryptocurrency #AlienVault

Mirax RAT Exploits Meta Apps to Infiltrate Android Devices

Beware of fake ads on Meta apps - a sneaky new malware called Mirax RAT is using them to secretly take control of Android devices, with a focus on Spanish-speaking nations. This remote access Trojan is part of a growing Malware-as-a-Service economy that's putting unsuspecting users at risk.

https://osintsights.com/mirax-rat-exploits-meta-apps-to-infiltrate-android-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #Malwareasaservice #MetaApps #AndroidMalware #RemoteAccessTrojan

108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

A coordinated campaign of 108 malicious Chrome extensions operated through shared command-and-control infrastructure at cloudapi[.]stream has been identified, collectively accounting for approximately 20,000 installations. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URL execution on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, with infrastructure confirming a Malware-as-a-Service business model.

Pulse ID: 69de5f631a2f4bca81392ccd
Pulse Link: https://otx.alienvault.com/pulse/69de5f631a2f4bca81392ccd
Pulse Author: AlienVault
Created: 2026-04-14 15:38:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #ChromeExtension #Cloud #CyberSecurity #Google #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Telegram #Troll #YouTube #bot #AlienVault

Mirax Trojan Hijacks Android Devices for Proxy Network

Meet Mirax, a sneaky new Android banking trojan that's not only stealing credentials, but also hijacking devices to create a powerful proxy network - putting European users at risk. This emerging malware is a triple threat, combining a malware-as-a-service model, remote access capabilities, and residential proxies to wreak havoc…

https://osintsights.com/mirax-trojan-hijacks-android-devices-for-proxy-network?utm_source=mastodon&utm_medium=social

#AndroidBankingTrojan #EmergingThreats #Malwareasaservice #ResidentialProxies #Maas

A new Android RAT turning infected devices into potential residential proxy nodes

Mirax is a newly identified Android Remote Access Trojan operating as Malware-as-a-Service, actively targeting European users, particularly in Spanish-speaking regions. Distributed through Meta advertisements and GitHub-hosted droppers, the malware has reached over 200,000 accounts. It employs sophisticated techniques including dynamically fetched HTML overlays, comprehensive keylogging, and remote device control capabilities. A distinctive feature is its integration of SOCKS5-based residential proxy functionality, transforming infected devices into proxy nodes that enable attackers to route traffic through legitimate residential IP addresses. This capability allows operators to bypass geolocation restrictions and evade fraud detection systems while conducting account takeovers and transaction fraud. The malware uses commercial-grade obfuscation through Golden Encryption and establishes persistence through Accessibility Service abuse.

Pulse ID: 69dcfd5f0b3e3ab70a58831d
Pulse Link: https://otx.alienvault.com/pulse/69dcfd5f0b3e3ab70a58831d
Pulse Author: AlienVault
Created: 2026-04-13 14:27:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Encryption #Europe #GitHub #HTML #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.

Pulse ID: 69d7ed2e323d7edb856fa161
Pulse Link: https://otx.alienvault.com/pulse/69d7ed2e323d7edb856fa161
Pulse Author: AlienVault
Created: 2026-04-09 18:17:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChatGPT #Cloud #CyberSecurity #Edge #Google #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Russia #SEOPoisoning #SSH #Trojan #bot #cryptocurrency #AlienVault