Copyright © All Rights Reserved. World of Software.
Security Bite: Mac.c is shaking up the macOS infostealer market, rivaling AMOS – 9to5Mac

News Room
Last updated: 2025/08/16 at 5:21 PM
News Room Published 16 August 2025

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


Since rising to prominence in 2023, AMOS (Atomic macOS Stealer) has become the most notorious infostealer targeting the Apple ecosystem. The malware, designed to quietly pull all sorts of sensitive information from macOS systems, is a household name among security researchers, journalists, and maybe even victims.

But now, Moonlock, the cybersecurity division of MacPaw, says it’s been tracking a new threat actor with an infostealer gaining popularity in the veiled corners of darknet forums. In this week’s Security Bite, I discuss this interesting new emerging threat and how it’s shaking up the broader macOS landscape.

Believed to be of Russian origin, the newcomer malware developer goes under the alias “mentalpositive,” alongside their product, an infostealer packaged as Mac.c. While mentalpositive has only been active for approximately four months, “Mac.c is already competing with larger, more established stealer operations like Atomic macOS Stealer,” according to Moonlock in a blog post for HackerNoon.

Mentalpositive’s more methodical and unusually transparent approach to building in public appears to be quite popular. The malware developer has even shared progress updates and asked for feedback on previous Mac.c builds, something we rarely see in the secretive world of malware development. We can all cross crowdsourced malware off our 2025 bingo cards now…

On the technical side, Mac.c shares code-level similarities with AMOS and Rodrigo4, but it’s been optimized for rapid, high-impact data exfiltration. Because the binary has been trimmed down, the malware downloads faster and leaves fewer static artifacts, making it harder to detect during analysis. More URLs were also found to be added with each update, suggesting its command-and-control infrastructure is likely part of a larger operation.

“Such publicity may signal an intent to raise visibility and carve out a distinct market presence. It also appears to lay the groundwork for a custom stealer-as-a-service business model aimed squarely at the macOS threat niche,” says Moonlock.

Further, mentalpositive even offers a web-based interface for its customers, the purchasers of the Mac.c infostealer. Through this panel, buyers can generate custom builds of the stealer (to help bypass XProtect), monitor infection statistics (successful and failed attempts), and manage various details of their campaigns. It reveals everything but how awful a person they are.

Darknet forum screenshot showing an early ad offering a subscription to Mac.c stealer updates for $1,500 per month. via Moonlock.

“The most recent post [from mentalpositive] at the time of writing outlines additional updates,” states Moonlock. “These include bypassing XProtect by generating unique builds from scratch, an expanded list of supported browsers, file grabber activation via the control panel, and most notably a separate module for phishing Trezor seed phrases.”

Broader macOS threat landscape

While the macOS malware market remains far less prolific than its Windows counterpart, the segment is becoming increasingly popular among cyber criminals. The reason is simple: popularity. Mac shipments outpaced all PC makers in the United States during the final quarter of last year, growing 25.9% year-on-year. Apple’s share of the overall computer (non-tablet) market is now around 17.1%, according to research firm Canalys.

This is blood in the water. The macOS threat market is becoming increasingly lucrative for commercially ambitious malware developers seeking to take advantage of new users coming to the platform. Both enterprise and personal Mac users are falling victim at record rates despite Apple’s efforts to make Gatekeeper harder to override and to fortify the platform with XProtect.

As for infostealers specifically, we continue to see them rocket in popularity for many reasons. Infostealers have actually overtaken adware as the dominant form of malware observed by Jamf, accounting for 28.36% of all Mac malware detected.

Why the rise in popularity?

This is partly due to their accessibility and low barrier to entry. For example, cybercriminals like mentalpositive are increasingly running Malware-as-a-Service (MaaS) businesses. This is where malware developers create and maintain tools like infostealers and rent them out to affiliates, those with little technical skill. Affiliates get ready-made malware packages to direct at whomever they’d like.

Other contributing factors include fast payouts compared with attacks like ransomware, which can take weeks or months before seeing any sort of return.

How to protect against infostealers

Apple pre-installs many valuable background services on every Mac to protect users from the scary things that lurk on the internet, but often, these aren’t enough.

While you may already know many of these tips, I think it’s important to regurgitate them again for the masses.

  • Do your due diligence before installing anything outside the official Mac App Store
  • Hover over and confirm links before opening them
  • Use strong, complex passwords and 2-step authentication (non-SMS if possible, OTP is best)
  • Exercise caution when granting permissions on your Mac
  • Keep your devices and applications up-to-date

Check out Moonlock’s full Mac.c breakdown on HackerNoon here.

Follow Arin: Twitter/X, LinkedIn, Threads
