A new macOS stealer malware is making waves on the dark web, challenging the dominance of the infamous AMOS. Security researchers at Moonlock Lab have reported on Mac.c, a fresh entrant in the macOS infostealer-as-a-service market.
Developed openly by a black hat hacker using the alias “mentalpositive”, the tool is advertised as a leaner, faster alternative for cybercriminals looking to exfiltrate sensitive data from Apple devices.
Mac.c: A Streamlined Rival to AMOS
While AMOS remains the most recognized macOS malware with a subscription cost of $3,000 per month, Mac.c is marketed at half the price—$1,500 per month.
Despite being less feature-rich than AMOS, Mac.c achieves efficiency by minimizing its file size, reducing forensic artifacts, and relying on macOS-native utilities like AppleScript for stealth operations.
Sampled filenames flagged by security tools included Installer.dmg and trojanized variants disguised as software cracks (such as “Installer descrakeador adobe.dmg”).
Once activated, Mac.c begins data collection in multiple stages, masquerading operations within legitimate macOS processes to bypass detection. Moonlock Lab noted the malware evades XProtect through unique build generation, giving each compiled sample different signatures.
The infostealer specifically targets:
- iCloud Keychain data
- Browser credentials, cookies, and session artifacts (Google Chrome, Edge, Brave, Yandex)
- Crypto wallet information from applications like Ledger Live, MetaMask, Phantom, Exodus, and Monero
- System metadata and targeted file grabs
Operators can access an administrative panel where infections are tracked, builds generated, and campaigns configured. This panel includes optional modules: a remote file grabber and even a Trezor wallet seed phishing module, sold as an add-on for $1,000.
Dark Web Development – An Unusual Transparency
What sets Mac.c apart is the public development campaign run directly on darknet forums. The creator, mentalpositive, openly documented code revisions and modular features over several months, an atypical move in the cybercriminal underground, where secrecy is the norm.
Moonlock Lab interprets this transparency as both a marketing strategy and an attempt to build credibility within the malware-as-a-service ecosystem.
Interestingly, the malware does not yet surpass AMOS in feature depth, but its affordability has made it attractive to trafficker groups’ low-level operators who distribute malware via phishing, malvertising, and cracked software schemes.
Analysts believe its lower entry price lowers the barrier for cybercrime participation, potentially scaling infections more broadly in the coming months.
Protecting Against Mac.c
Experts recommend that Apple users remain vigilant: download software only from the App Store or verified sources, avoid suspicious email links and pop-ups, and keep macOS fully patched.
Security software such as CleanMyMac flagged Mac.c samples early, preventing breaches in some user environments.
Moonlock Lab warns that with crypto theft as the primary goal, Mac users managing digital assets remain at highest risk. As Mac.c continues development, its popularity could disrupt the macOS threat landscape, hinting at a rising power struggle in the underground infostealer market.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
