New macOS (crossplatform) sample

2026-06-25 Moonlock

https://archive.md/NAcCm


Moonlock Lab identified a cross-platform macOS RAT masquerading as MicrosoftSystem64. Its JavaScript payload is embedded in a Mach-O binary as a `__NODE_SEA_BLOB` (Node.js single-executable) payload. The malware provides full surveillance and remote-control capabilities: adaptive screenshot streaming, keylogging with password-field detection, clipboard monitoring, file operations, shell execution, self-update, and uninstall commands. It targets browser credentials, secrets files, and more than 50 cryptocurrency wallets. A WebSocket endpoint is used for tasking and small-volume exfiltration, while bulk exfiltration abuses an operator-controlled Hugging Face dataset.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
URL    https://huggingface.co/jpeek998…   2026-06-25   2026-06-25
HASH   f981d0470ff0c7afafe2d08e91a55c1…   2026-06-25   2026-06-25
IPv4   195.201.194.107                    2026-04-15   2026-06-25
