9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
Since rising to prominence in 2023, AMOS (Atomic macOS Stealer) has become the most notorious infostealer targeting the Apple ecosystem. The malware, designed to quietly pull all sorts of sensitive information from macOS systems, is a household name among security researchers, journalists, and maybe even victims.
But now, Moonlock, the cybersecurity division of MacPaw, says it’s been tracking a new threat actor with an infostealer gaining popularity in the veiled corners of darknet forums. In this week’s Security Bite, I discuss this interesting new emerging threat and how it’s shaking up the broader macOS landscape.
Believed to be of Russian origin, the newcomer malware developer operates under the alias “mentalpositive,” and their product is an infostealer packaged as Mac.c. While mentalpositive has only been active for approximately four months, “Mac.c is already competing with larger, more established stealer operations like Atomic macOS Stealer,” according to Moonlock in a blog post for HackerNoon.
Mentalpositive’s more methodical and unusually transparent approach to building in public appears to be quite popular. The malware developer has even shared progress updates and asked for feedback on previous Mac.c builds, something we rarely see in the secretive world of malware development. We can all cross crowdsourced malware off our 2025 bingo cards now…
On the technical side, Mac.c shares code-level similarities with AMOS and Rodrigo4, but it has been optimized for rapid, high-impact data exfiltration. By trimming down the binary, the malware downloads faster and leaves fewer static artifacts, making it harder to detect during analysis. A growing number of URLs has also been added with each update, suggesting its command-and-control infrastructure is likely part of a larger operation.
“Such publicity may signal an intent to raise visibility and carve out a distinct market presence. It also appears to lay the groundwork for a custom stealer-as-a-service business model aimed squarely at the macOS threat niche,” says Moonlock.
Further, mentalpositive even offers a web-based interface for its customers, the purchasers of the Mac.c infostealer. Through this panel, buyers can generate custom builds of the stealer (to help bypass XProtect), monitor infection statistics (successful and failed attempts), and manage various details of their campaigns. It reveals everything except how awful a person they are.
Darknet forum screenshot showing an early ad offering a subscription to Mac.c stealer updates for $1,500 per month. via Moonlock.
“The most recent post [from mentalpositive] at the time of writing outlines additional updates,” states Moonlock. “These include bypassing XProtect by generating unique builds from scratch, an expanded list of supported browsers, file grabber activation via the control panel, and most notably a separate module for phishing Trezor seed phrases.”