A new macOS stealer, dubbed "Mac.C," has emerged, developed by a threat actor known as "mentalpositive," according to cybersecurity researchers. Noted cybersecurity expert Patrick Wardle recently highlighted this development, tweeting:

> New macOS Stealer "Mac.C" by mentalpositive 🍎👾 Read "Mac.c Stealer Takes on AMOS" (by @moonlock_com / @MacPaw) https://t.co/EifgrIwbG1

This new malware variant is now competing in the expanding market for macOS-targeting infostealers.
The developer, 'mentalpositive,' has taken an unusual approach, openly showcasing updates and soliciting feedback on darknet forums, signaling an intent to establish a distinct market presence. This public development aligns with a growing 'stealer-as-a-service' business model, where Mac.C is reportedly offered through subscriptions, potentially for around $1,500 per month. This accessibility lowers the barrier for less experienced cybercriminals to acquire and deploy sophisticated malware.
Mac.C is designed for comprehensive data theft, targeting sensitive information such as iCloud Keychain credentials, browser-stored passwords, cryptocurrency wallets, and system metadata. It employs social engineering tactics, often presenting fake system prompts, like a deceptive "game permission" request for "Innocent Witches," to trick users into revealing their macOS login passwords. The malware largely relies on native AppleScript capabilities to execute its malicious functions without dropping compiled binaries.
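
A detection heuristic for the AppleScript password prompt described above, added here as an example and not taken from Moonlock Lab's analysis or from the malware. It assumes the script is launched through `osascript` with its text visible on the command line; the event fields, rule names and sample events are constructed for illustration.

```python
import os
import re

# Constructed process-execution events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 411, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Innocent Witches needs permission. '
                'Enter your password:" default answer "" with hidden answer\''},
    {"pid": 412, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display notification "Backup finished"\''},
    {"pid": 413, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'do shell script "ls ~/Library/Keychains"\''},
    {"pid": 414, "exe": "/bin/zsh", "cmdline": "zsh -c 'ls ~/Library/Keychains'"},
]

# Heuristics chosen for this example; tune them against your own baseline.
RULES = {
    "hidden_input_dialog": re.compile(r"display\s+dialog.*hidden\s+answer", re.I | re.S),
    "password_lure": re.compile(r"password|permission", re.I),
    "credential_store_path": re.compile(r"Library/Keychains|Login Data", re.I),
}

def triage(event):
    """Return the names of the rules matched by an osascript command line."""
    if os.path.basename(event["exe"]) != "osascript":
        return []
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]

def severity(hits):
    """A hidden-input dialog combined with password wording is the strongest signal."""
    if "hidden_input_dialog" in hits and "password_lure" in hits:
        return "high"
    if "hidden_input_dialog" in hits or "credential_store_path" in hits:
        return "medium"
    return None

def detect(events):
    """Return (pid, severity, hits) for events worth an analyst's attention."""
    results = []
    for event in events:
        hits = triage(event)
        level = severity(hits)
        if level:
            results.append((event["pid"], level, hits))
    return results

if __name__ == "__main__":
    for pid, level, hits in detect(SAMPLE_EVENTS):
        print(f"pid={pid} severity={level} rules={','.join(hits)}")
```

Scripts passed to `osascript` from a file or over stdin never appear on the command line, so this check needs to be paired with telemetry that captures script content.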
Analysis by Moonlock Lab reveals significant code reuse between Mac.C and the established Atomic macOS Stealer (AMOS), suggesting either shared origins or direct code borrowing. While both share functional similarities in data exfiltration, Mac.C is currently described as a more compact, non-persistent, and AppleScript-based stealer. In contrast, AMOS has evolved to include more advanced features, such as persistent backdoor functionality, making it a more capable and dangerous threat.
The emergence of Mac.C underscores a broader trend of increasing malicious activity targeting macOS users, driven by the platform's growing market share and the proliferation of malware-as-a-service offerings. Cybersecurity firms note a significant rise in macOS infostealers throughout 2024 and into 2025. This evolving threat landscape highlights the need for heightened user awareness and robust security measures to protect against increasingly accessible and dynamic malware.