{
  "type": "URL",
  "indicator": "https://socifiapp.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://socifiapp.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4278920759,
      "indicator": "https://socifiapp.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69f3653e884ec7a430371ba3",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...",
          "modified": "2026-05-04T11:24:29.519000",
          "created": "2026-04-30T14:20:46.278000",
          "tags": [
            "macos stealer",
            "clickfix",
            "maas platform",
            "cryptocurrency theft",
            "bulletproof hosting",
            "miolab"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "MioLab",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            },
            {
              "id": "SUPERNOVA - S0578",
              "display_name": "SUPERNOVA - S0578",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1555.001",
              "name": "Keychain",
              "display_name": "T1555.001 - Keychain"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 5,
            "domain": 64
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386545,
          "modified_text": "27 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3426f663eb79b1e568192",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "A look at some of the highlights from the week of cybersecurity news, as well as the company's latest partnership with Microsoft and SentinelOne, which aims to deliver AI-powered security operations and incident response support.",
          "modified": "2026-05-30T11:33:05.564000",
          "created": "2026-04-30T11:52:15.201000",
          "tags": [
            "miolab",
            "chromium",
            "cloudflare",
            "miolab macos",
            "ledger",
            "builder",
            "keychain",
            "apple",
            "terminal",
            "claude code",
            "exfiltration",
            "nova",
            "payload",
            "exodus",
            "cookie",
            "february",
            "grabber",
            "defense evasion",
            "format",
            "desktop",
            "cards",
            "mozilla",
            "bitcoin",
            "telegram",
            "nova stealer",
            "decoy",
            "dropper",
            "ditto",
            "macos",
            "integrations",
            "clickfix",
            "malvertising",
            "stage-2"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MacOS",
              "display_name": "MacOS",
              "target": null
            },
            {
              "id": "Integrations",
              "display_name": "Integrations",
              "target": null
            },
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Miolab",
              "display_name": "Miolab",
              "target": null
            },
            {
              "id": "Malvertising",
              "display_name": "Malvertising",
              "target": null
            },
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            },
            {
              "id": "Stage-2",
              "display_name": "Stage-2",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 6,
            "domain": 64
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd48ce7b65f7a9350024cd",
          "name": "EbeeMar2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:33:18.540000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 130,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 207,
            "CVE": 1,
            "URL": 25,
            "domain": 285,
            "email": 4,
            "hostname": 82
          },
          "indicator_count": 879,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca3c8885ac1cb3171429a3",
          "name": "Untitled.",
          "description": "A full report on Google's security system, based on data gathered from 1,000 of its users' accounts, has been published by the Google Research Institute (GPRI) in the US.",
          "modified": "2026-04-30T12:04:59.210000",
          "created": "2026-03-30T09:04:08.040000",
          "tags": [
            "log id",
            "gmtn",
            "google trust",
            "ca issuers",
            "b0n timestamp",
            "pulse pulses",
            "http",
            "pulses otx",
            "pulses",
            "related tags",
            "false",
            "url https",
            "hostname",
            "filehashsha256",
            "source url"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 379,
            "FileHash-SHA256": 156,
            "SSLCertFingerprint": 2,
            "domain": 32,
            "hostname": 144,
            "URL": 115,
            "FileHash-SHA1": 130
          },
          "indicator_count": 958,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca38fb0db58d66ca0c73aa",
          "name": "Untitled.",
          "description": "Pulses are the latest in a series of web-based attacks, which have seen more than 1.5 million infections since its launch in 2008, and the first of its kind.",
          "modified": "2026-04-29T08:14:54.179000",
          "created": "2026-03-30T08:48:59.142000",
          "tags": [
            "pulse pulses",
            "passive dns",
            "urls",
            "files",
            "ip address",
            "domain",
            "ip whois",
            "registrar",
            "domain names",
            "creation date",
            "thumbprint",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cus cngts",
            "ogoogle trust",
            "llc validity",
            "subject public",
            "key info",
            "key algorithm",
            "server",
            "aaaa",
            "status",
            "domain status",
            "registrar abuse",
            "data",
            "date",
            "google",
            "levelblue",
            "alienvault otx"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 154,
            "domain": 170,
            "FileHash-SHA1": 155,
            "FileHash-MD5": 156,
            "FileHash-SHA256": 487,
            "URL": 322,
            "email": 6
          },
          "indicator_count": 1450,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c2d1676259843fbf880124",
          "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
          "description": "MioLab, also known as Nova, has emerged as a significant player in the MacOS malware landscape, focusing on the acquisition of sensitive data from high-value targets such as cryptocurrency investors and executive professionals. This Premium Malware-as-a-Service (MaaS) platform is heavily marketed in Russian-speaking underground forums and offers advanced capabilities designed for effective data exfiltration.",
          "modified": "2026-04-23T17:27:31.611000",
          "created": "2026-03-24T18:01:11.793000",
          "tags": [
            "miolab",
            "chromium",
            "cloudflare",
            "miolab macos",
            "ledger",
            "builder",
            "keychain",
            "apple",
            "terminal",
            "claude code",
            "nova",
            "payload",
            "exodus",
            "cookie",
            "february",
            "grabber",
            "format",
            "desktop",
            "cards",
            "mozilla",
            "bitcoin",
            "telegram",
            "nova stealer",
            "decoy",
            "dropper",
            "ditto",
            "macos",
            "integrations",
            "clickfix",
            "malvertising",
            "stage-2"
          ],
          "references": [
            "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Miolab",
              "display_name": "Miolab",
              "target": null
            },
            {
              "id": "MioLab",
              "display_name": "MioLab",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 6,
            "domain": 64
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c1af72ec1c62238c869b68",
          "name": "Sophisticated macOS Infostealer known as MioLab",
          "description": "MioLab, also known as Nova, has surfaced as a highly sophisticated Malware-as-a-Service (MaaS) platform specifically targeting Apple users.",
          "modified": "2026-04-22T21:10:27.701000",
          "created": "2026-03-23T21:24:02.952000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 6,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 5
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire",
        "IOCs.2026.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "MioLab"
          ],
          "malware_families": [
            "Supernova - s0578",
            "Miolab"
          ],
          "industries": [],
          "unique_indicators": 85
        },
        "other": {
          "adversary": [
            "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key"
          ],
          "malware_families": [
            "Stage-2",
            "Macos",
            "Integrations",
            "Clickfix",
            "Malvertising",
            "Miolab"
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "unique_indicators": 2685
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/socifiapp.com",
    "whois": "http://whois.domaintools.com/socifiapp.com",
    "domain": "socifiapp.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69f3653e884ec7a430371ba3",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "MioLab, also known as Nova, is a sophisticated Malware-as-a-Service platform targeting macOS environments, heavily advertised on Russian-speaking underground forums. The platform features extensive data exfiltration capabilities, including browser credential theft, cryptocurrency wallet targeting (supporting over 200 browser extensions and 50+ desktop wallets), and a premium module specifically designed to compromise Ledger and Trezor hardware wallets by intercepting 24-word BIP39 recovery seed phrases. The lightweight C-based payload supports both Intel and Apple Silicon architectures across macOS versions from Sierra to Tahoe. MioLab employs sophisticated social engineering through customizable DMG builders with live preview features, fake system prompts, and ClickFix integration. Recent updates demonstrate rapid development, including Safari cookie grabbing, automated Apple Notes decryption, and universal hardware wallet modules. The operation utilizes bulletproof hosting services and shares infrastruct...",
      "modified": "2026-05-04T11:24:29.519000",
      "created": "2026-04-30T14:20:46.278000",
      "tags": [
        "macos stealer",
        "clickfix",
        "maas platform",
        "cryptocurrency theft",
        "bulletproof hosting",
        "miolab"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "MioLab",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        },
        {
          "id": "SUPERNOVA - S0578",
          "display_name": "SUPERNOVA - S0578",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1555.001",
          "name": "Keychain",
          "display_name": "T1555.001 - Keychain"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 5,
        "domain": 64
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386545,
      "modified_text": "27 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3426f663eb79b1e568192",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "A look at some of the highlights from the week of cybersecurity news, as well as the company's latest partnership with Microsoft and SentinelOne, which aims to deliver AI-powered security operations and incident response support.",
      "modified": "2026-05-30T11:33:05.564000",
      "created": "2026-04-30T11:52:15.201000",
      "tags": [
        "miolab",
        "chromium",
        "cloudflare",
        "miolab macos",
        "ledger",
        "builder",
        "keychain",
        "apple",
        "terminal",
        "claude code",
        "exfiltration",
        "nova",
        "payload",
        "exodus",
        "cookie",
        "february",
        "grabber",
        "defense evasion",
        "format",
        "desktop",
        "cards",
        "mozilla",
        "bitcoin",
        "telegram",
        "nova stealer",
        "decoy",
        "dropper",
        "ditto",
        "macos",
        "integrations",
        "clickfix",
        "malvertising",
        "stage-2"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MacOS",
          "display_name": "MacOS",
          "target": null
        },
        {
          "id": "Integrations",
          "display_name": "Integrations",
          "target": null
        },
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Miolab",
          "display_name": "Miolab",
          "target": null
        },
        {
          "id": "Malvertising",
          "display_name": "Malvertising",
          "target": null
        },
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        },
        {
          "id": "Stage-2",
          "display_name": "Stage-2",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 6,
        "domain": 64
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd48ce7b65f7a9350024cd",
      "name": "EbeeMar2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:33:18.540000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 130,
        "FileHash-SHA1": 145,
        "FileHash-SHA256": 207,
        "CVE": 1,
        "URL": 25,
        "domain": 285,
        "email": 4,
        "hostname": 82
      },
      "indicator_count": 879,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca3c8885ac1cb3171429a3",
      "name": "Untitled.",
      "description": "A full report on Google's security system, based on data gathered from 1,000 of its users' accounts, has been published by the Google Research Institute (GPRI) in the US.",
      "modified": "2026-04-30T12:04:59.210000",
      "created": "2026-03-30T09:04:08.040000",
      "tags": [
        "log id",
        "gmtn",
        "google trust",
        "ca issuers",
        "b0n timestamp",
        "pulse pulses",
        "http",
        "pulses otx",
        "pulses",
        "related tags",
        "false",
        "url https",
        "hostname",
        "filehashsha256",
        "source url"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 379,
        "FileHash-SHA256": 156,
        "SSLCertFingerprint": 2,
        "domain": 32,
        "hostname": 144,
        "URL": 115,
        "FileHash-SHA1": 130
      },
      "indicator_count": 958,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca38fb0db58d66ca0c73aa",
      "name": "Untitled.",
      "description": "Pulses are the latest in a series of web-based attacks, which have seen more than 1.5 million infections since its launch in 2008, and the first of its kind.",
      "modified": "2026-04-29T08:14:54.179000",
      "created": "2026-03-30T08:48:59.142000",
      "tags": [
        "pulse pulses",
        "passive dns",
        "urls",
        "files",
        "ip address",
        "domain",
        "ip whois",
        "registrar",
        "domain names",
        "creation date",
        "thumbprint",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "cus cngts",
        "ogoogle trust",
        "llc validity",
        "subject public",
        "key info",
        "key algorithm",
        "server",
        "aaaa",
        "status",
        "domain status",
        "registrar abuse",
        "data",
        "date",
        "google",
        "levelblue",
        "alienvault otx"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 154,
        "domain": 170,
        "FileHash-SHA1": 155,
        "FileHash-MD5": 156,
        "FileHash-SHA256": 487,
        "URL": 322,
        "email": 6
      },
      "indicator_count": 1450,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "32 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c2d1676259843fbf880124",
      "name": "\u201cSay My Name\u201d: How MioLab is building MacOS Stealer Empire",
      "description": "MioLab, also known as Nova, has emerged as a significant player in the MacOS malware landscape, focusing on the acquisition of sensitive data from high-value targets such as cryptocurrency investors and executive professionals. This Premium Malware-as-a-Service (MaaS) platform is heavily marketed in Russian-speaking underground forums and offers advanced capabilities designed for effective data exfiltration.",
      "modified": "2026-04-23T17:27:31.611000",
      "created": "2026-03-24T18:01:11.793000",
      "tags": [
        "miolab",
        "chromium",
        "cloudflare",
        "miolab macos",
        "ledger",
        "builder",
        "keychain",
        "apple",
        "terminal",
        "claude code",
        "nova",
        "payload",
        "exodus",
        "cookie",
        "february",
        "grabber",
        "format",
        "desktop",
        "cards",
        "mozilla",
        "bitcoin",
        "telegram",
        "nova stealer",
        "decoy",
        "dropper",
        "ditto",
        "macos",
        "integrations",
        "clickfix",
        "malvertising",
        "stage-2"
      ],
      "references": [
        "https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Miolab",
          "display_name": "Miolab",
          "target": null
        },
        {
          "id": "MioLab",
          "display_name": "MioLab",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 6,
        "domain": 64
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c1af72ec1c62238c869b68",
      "name": "Sophisticated macOS Infostealer known as MioLab",
      "description": "MioLab, also known as Nova, has surfaced as a highly sophisticated Malware-as-a-Service (MaaS) platform specifically targeting Apple users.",
      "modified": "2026-04-22T21:10:27.701000",
      "created": "2026-03-23T21:24:02.952000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 6,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 5
      },
      "indicator_count": 21,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "38 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://socifiapp.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://socifiapp.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242843.2023413
}