
Since it rose to prominence in 2023, AMOS (Atomic macOS Stealer) has been one of the most notorious infostealers targeting the Apple ecosystem. Designed to quietly pull all kinds of sensitive information from macOS systems, the malware is a well-known name among security researchers, journalists and even victims.
But now, MacPaw’s cybersecurity arm, Moonlock, says it is tracking a new threat actor in the infostealer space, one that has been gaining popularity in veiled corners of darknet forums. This week’s Security Bite explains this interesting new threat and how it could shake up the wider macOS landscape.

The newcomer malware developer, thought to be of Russian origin, goes by the alias “MentalPositive” and is behind an infostealer packaged as Mac.C. According to Moonlock in a HackerNoon blog post, MentalPositive has only been active for around four months, but “Mac.C is already competing with more and more established stealer operations like the Atomic macOS Stealer.”
MentalPositive appears to be gaining popularity through a more systematic and unusually transparent approach: building in public. The malware developer has shared progress updates and asked for feedback on earlier Mac.C builds, something rarely seen in the secretive world of malware development. We can all cross crowdsourced malware off our 2025 bingo cards…
Technically, Mac.C shares code-level similarities with AMOS and Rodrigo4, but is optimized for rapid, high-impact data exfiltration. By trimming the binary, the malware downloads faster and leaves fewer static artifacts, making it harder to detect during analysis. Additional URLs are also added with each update, suggesting that its command-and-control infrastructure is likely part of a larger operation.
“This kind of advertising could indicate an intention to increase visibility and open up a clear market presence. It also seems to lay the foundation for a custom stealer-as-a-service business model aimed at the macOS threat niche,” says Moonlock.
Additionally, MentalPositive provides a web-based interface for customers who buy the Mac.C infostealer. Through this panel, buyers can generate custom builds of the stealer (to bypass XProtect), monitor infection statistics (successful and failed attempts), and manage various details of their campaigns. It shows them everything except how awful they are.

“The latest posts at the time of writing (from MentalPositive) provide an overview of additional updates,” says Moonlock. “These include bypassing XProtect by generating unique builds from scratch, an extended list of supported browsers, activation of file grabbers via the control panel, and other separate modules for phishing Trezor seed phrases.”
The wider macOS threat landscape
The macOS malware market remains much smaller than its Windows counterpart, but this segment is becoming increasingly popular among cybercriminals. The reason is simple: popularity. Among all US PC manufacturers, Mac shipments rose in the last quarter of last year, up 25.9% year-on-year. According to research firm Canalys, Apple’s overall computer (non-tablet) market share is currently around 17.1%.
This is blood in the water. The macOS threat market is increasingly attractive to commercially ambitious malware developers looking to take advantage of new users coming to the platform. Both enterprise and personal Mac users are falling victim at record rates, despite Apple’s efforts to make it harder to override Gatekeeper and to enhance XProtect.
Infostealers, specifically, continue to be popular for many reasons. Infostealers have actually overtaken adware as the dominant form of malware observed by Jamf, accounting for 28.36% of all detected Mac malware.
Why are they becoming more popular?
This is because of their accessibility and low barrier to entry. Cybercriminals like MentalPositive, for example, are increasingly running malware-as-a-service (MaaS) businesses. This is where malware developers create and maintain tools such as infostealers and rent them to affiliates with few technical skills. Affiliates get ready-made malware packages and go after whoever they like.
Other contributing factors include quick payouts for attacks such as ransomware.
How to protect against infostealers
Apple pre-installs many valuable background services on every Mac to protect users from the horrors that lurk on the Internet, but in many cases these aren’t enough.
You may already know many of these tips, but I think it’s important to repeat them for the general public.
- Do your due diligence before installing anything from outside the official Mac App Store
- Check links before opening them
- Use strong, complex passwords and two-step authentication (non-SMS if possible, OTP is best)
- Take care when granting permissions on your Mac
- Keep your devices and applications up to date
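
One way to act on the first tip for an app downloaded outside the Mac App Store, as an added example that is not part of the original article: the script asks Gatekeeper (`spctl`), `codesign` and `xattr` about a bundle before it is first opened. The function names and the two sample `spctl` reports are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of what `spctl --assess -vv` reports (illustrative only).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_REJECTED='/Users/me/Downloads/Installer.app: rejected
source=no usable signature'

# Map an spctl assessment report to a short verdict string.
gatekeeper_verdict() {
    case $1 in
        *": accepted"*) ;;
        *) echo "rejected"; return 0 ;;
    esac
    case $1 in
        *"source=Mac App Store"*)          echo "app-store" ;;
        *"source=Notarized Developer ID"*) echo "notarized" ;;
        *)                                 echo "accepted-other" ;;
    esac
}

# Run the real checks against a bundle; only meaningful on macOS.
triage_app() {
    app=$1
    [ "$(uname -s)" = "Darwin" ] || { echo "skip: not macOS"; return 2; }
    # Gatekeeper policy assessment (spctl writes its report to stderr).
    assess=$(spctl --assess --type execute -vv "$app" 2>&1)
    echo "gatekeeper: $(gatekeeper_verdict "$assess")"
    # The signature must verify for the bundle and its nested code.
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "signature: valid"
    else
        echo "signature: invalid-or-missing"
    fi
    # Gatekeeper's first-launch check is triggered by the quarantine
    # attribute, so a fresh download that lacks it deserves a second look.
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present"
    else
        echo "quarantine: absent"
    fi
}

if [ $# -gt 0 ]; then triage_app "$1"; fi
```

A `notarized` verdict only means Apple's automated scan found nothing at submission time; a `rejected` verdict or a missing quarantine attribute on a fresh download is the signal to stop and look closer.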
Check out Moonlock’s full Mac.C breakdown on HackerNoon.
