A new macOS infostealer, Mac.c, has emerged, rivaling the popularity of AMOS. Believed to be of Russian origin, the malware developer "mentalpositive" has shared progress updates and asked for feedback on the infostealer, which has been optimized for rapid data exfiltration. The malware's web-based interface allows customers to generate custom configurations, signaling a potential shift towards a stealer-as-a-service business model.
A new macOS infostealer, Mac.c, has emerged, challenging the dominance of Atomic macOS Stealer (AMOS) in the Apple ecosystem. Developed by an entity known as "mentalpositive," believed to be of Russian origin, Mac.c has gained traction through its methodical approach and its unusual openness about development. This article explores the origins, capabilities, and implications of Mac.c, highlighting its potential impact on the broader macOS threat landscape.
Origins and Development
Believed to be of Russian origin, "mentalpositive" has been active for approximately four months, during which time Mac.c has already begun to rival larger, more established infostealers like AMOS. The malware developer has shared progress updates and sought feedback on previous builds, an unusual practice in the typically secretive world of malware development [1].
Technical Capabilities
Mac.c shares code-level similarities with AMOS and Rodrigo4 but has been optimized for rapid, high-impact data exfiltration. By trimming down the binary, the developer makes the malware download faster and leave fewer static artifacts, which makes it harder to detect during analysis. With each update, the number of URLs embedded in the binary was also found to increase, suggesting that its command-and-control infrastructure is part of a larger operation.
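The two observations above, fewer static artifacts in a trimmed binary and a growing set of embedded URLs from one build to the next, are the kind of thing a defender measures by diffing samples rather than reading about. The script below is an added example written for this article; it is not code from the article, from 9to5Mac, or from any malware sample. It extracts printable strings and URL-like strings from two byte blobs and reports what was added, removed, or kept between them. The "binaries" and the `.invalid` domains are constructed placeholders, not real indicators.

```python
import re

# URL-like ASCII strings: scheme, host, optional port, optional path.
# Deliberately permissive; the point is to surface candidates for review.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_]+(?::\d+)?(?:/[A-Za-z0-9.\-_/%?=&]*)?")

# Runs of printable ASCII, the same notion of "string" that strings(1) uses.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Return every run of at least min_len printable ASCII bytes in blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def extract_urls(blob: bytes) -> set:
    """Return the distinct URL-like strings embedded in blob."""
    return {m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)}


def compare_builds(old: bytes, new: bytes) -> dict:
    """Diff the embedded URL sets of two builds of the same family.

    A steadily growing 'added' list across successive builds is the static
    signal described in the article; 'removed' entries point at retired
    infrastructure worth retaining in historical blocklists.
    """
    old_urls = extract_urls(old)
    new_urls = extract_urls(new)
    return {
        "added": sorted(new_urls - old_urls),
        "removed": sorted(old_urls - new_urls),
        "common": sorted(old_urls & new_urls),
        "string_count_old": len(printable_strings(old)),
        "string_count_new": len(printable_strings(new)),
    }


# Constructed sample "binaries": a few non-printable header bytes around
# NUL-terminated strings. These are placeholders, not captured samples.
BUILD_1 = (
    b"\x00\x01\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"https://c2-example-a.invalid/api/upload\x00"
    + b"\x7f" * 5
)
BUILD_2 = (
    BUILD_1
    + b"https://c2-example-b.invalid/gate\x00"
    + b"https://c2-example-c.invalid:8443/x\x00"
)


if __name__ == "__main__":
    report = compare_builds(BUILD_1, BUILD_2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real samples you would read the two files with `open(path, "rb").read()` and feed them in; the functions do not care where the bytes came from. Because the URL regex is permissive, treat its output as a candidate list for an analyst, not as a finished indicator feed.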
Business Model and Interface
Mentalpositive offers a web-based interface for its customers, allowing them to generate custom builds of the stealer, monitor infection statistics, and manage various details of their campaigns. This reveals a potential shift towards a stealer-as-a-service business model, aimed squarely at the macOS threat niche [1].
Impact on the macOS Ecosystem
The macOS malware market remains less prolific than its Windows counterpart, but it is becoming increasingly popular among cybercriminals. Apple's growing market share, with shipments outpacing all PC makers in the United States during the final quarter of 2024, has made the platform a lucrative target. Infostealers, in particular, have overtaken adware as the dominant form of malware, accounting for 28.36% of all Mac malware detected [1].
Protection Measures
Apple pre-installs various security measures to protect users, but they may not be enough. Users are advised to do their due diligence before installing anything from outside the official Mac App Store, hover over and confirm links before opening them, use strong, complex passwords and two-step authentication, exercise caution when granting permissions, and keep devices and applications up to date.
Conclusion
The emergence of Mac.c signals a new era in the macOS infostealer landscape. Its methodical development, transparency, and potential stealer-as-a-service business model pose significant challenges to Apple's security measures. As the platform's popularity continues to grow, so too will the threat landscape, necessitating heightened vigilance and robust protection measures.
References:
[1] https://9to5mac.com/2025/08/16/security-bite-mac-c-is-shaking-up-the-macos-infostealer-market-rivaling-amos/