A newly discovered macOS stealer, dubbed Mac.c, has surfaced on darknet forums, offering lightning-fast data exfiltration for just $1,500 per month.
Developed by the threat actor “mentalpositive,” Mac.c is advertised as a streamlined alternative to the established AMOS stealer, targeting credentials, crypto wallets, and system metadata with minimal footprint.
Early samples indicate that the malware leverages native macOS tools and APIs to conceal its activities, making it a significant concern for both enterprise and consumer users.
Initial reports suggest that Mac.c is already active in the wild, with detections among CleanMyMac users indicating the rapid spread of this threat.
In its marketing posts, mentalpositive emphasizes the stealer’s small binary size, evasion techniques, and user-friendly control panel for buyers.
The control panel allows operators to generate unique builds, track infections, and manage campaigns from a web interface.
Moonlock analysts noted that Mac.c’s modular design mirrors AMOS in many respects but omits some of AMOS’s more advanced features, such as extensive wallet targeting and automated keylogger integration.
The result is a faster, leaner stealer that appeals to less sophisticated criminals entering the macOS malware market.
Beyond its competitive pricing, Mac.c stands out for staging its collection and exfiltration on standard system utilities rather than bundling its own tooling.
By invoking AppleScript and built-in command-line tools, the malware minimizes external dependencies and reduces its forensic footprint.
Moonlock researchers identified that Mac.c initiates exfiltration by spawning an AppleScript process to extract Keychain entries, then compresses the stolen data and uploads it over HTTPS to attacker-controlled servers.
This approach not only improves stealth but also sidesteps many traditional endpoint defenses.
Early impact assessments reveal that Mac.c has already been encountered in real-world macOS environments. CleanMyMac telemetry shows multiple variants named Installer.dmg, Installer(1).dmg, and Installer descrakeador adobe.dmg, the latter masquerading as a cracked Adobe installer.
Although detections by security tools prevented full breaches, the volume of encounters underscores the malware’s active deployment phase and growing adoption among threat actors.
Infection Mechanism and Persistence
Mac.c’s infection begins with a phishing lure delivered through email or malvertising, prompting the user to download what appears to be a benign macOS installer.
Upon execution, the malware drops a launch agent at ~/Library/LaunchAgents/com.apple.update.plist so that launchd re-runs it at every login, giving it persistence across reboots. The Apple-style label is a disguise: Apple does not ship com.apple.* agents in a user's ~/Library/LaunchAgents folder, and a legitimate agent would not point at a hidden script in /tmp.
The following snippet illustrates how Mac.c writes its persistence plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.update</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/osascript</string>
<string>/tmp/.macc.scpt</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Once established, the loader uses AppleScript to harvest Keychain items and browser-stored credentials, looping through a hardcoded list of supported browsers—Chrome, Edge, Brave, and Yandex.
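The persistence mechanism above is easy to audit on a Mac. The following is an added example written for this article, not code from Moonlock or from the Mac.c samples: it parses LaunchAgent plists with the standard library and flags the traits the sample shows (an Apple-reserved label outside Apple's own directories, an interpreter such as osascript as the program, and arguments that point at hidden files in volatile paths). The two embedded plists are constructed for the demonstration; the first reproduces the snippet shown above, the second is a made-up benign agent for contrast. The interpreter and path lists are the author's assumptions, not indicators published for Mac.c.

```python
import plistlib
from pathlib import Path

# Constructed sample reproducing the Mac.c persistence plist quoted in the article.
MACC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.update</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/osascript</string>
<string>/tmp/.macc.scpt</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
"""

# Constructed benign agent (hypothetical vendor app) for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.syncagent</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/SyncAgent.app/Contents/MacOS/SyncAgent</string>
<string>--background</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
"""

# Assumed heuristics: script interpreters that should rarely be the Program of a
# user LaunchAgent, and world-writable volatile locations no legitimate agent runs from.
INTERPRETERS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh",
                "/usr/bin/python3", "/usr/bin/perl"}
VOLATILE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def inspect_launch_agent(data: bytes) -> list[str]:
    """Return a list of finding tags for one user-level LaunchAgent plist (empty = clean)."""
    try:
        plist = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return ["unparseable-plist"]
    findings = []
    label = plist.get("Label", "")
    # Apple reserves com.apple.*; its own agents live in /System/Library and /Library, never ~/Library.
    if isinstance(label, str) and label.startswith("com.apple."):
        findings.append("apple-reserved-label")
    # Program may be given directly or as the first element of ProgramArguments.
    args = [a for a in plist.get("ProgramArguments", []) if isinstance(a, str)]
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    if args and args[0] in INTERPRETERS:
        findings.append("interpreter-launch")
    if any(a.startswith(VOLATILE_PREFIXES) for a in args):
        findings.append("volatile-path")
    if any(Path(a).name.startswith(".") for a in args if a.startswith("/")):
        findings.append("hidden-file")
    return findings


def scan_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Scan every *.plist in a LaunchAgents folder; only agents with findings are returned."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        hits = inspect_launch_agent(path.read_bytes())
        if hits:
            results[path.name] = hits
    return results


if __name__ == "__main__":
    print("sample :", inspect_launch_agent(MACC_PLIST))
    print("benign :", inspect_launch_agent(BENIGN_PLIST))
    print("local  :", scan_launch_agents())
```

Run it as an ordinary user on the Mac being examined; the live scan only reads files, so it is safe on a suspect host, but copy the plists and the referenced script off the machine before any cleanup so the evidence survives.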
By abusing legitimate scripting interfaces, Mac.c maintains a low profile while delivering high-impact data theft, positioning itself as a potent threat in the evolving landscape of macOS malware.
The post New macOS Installer Promising Lightning-fast Data Exfiltration Advertised on Dark Web appeared first on Cyber Security News.