Budget Mac.c Infostealer Rivals AMOS Amid 101% macOS Threat Surge

Mac.c, a budget infostealer developed by "mentalpositive," challenges AMOS with $100/month subscriptions, mimicking its phishing and credential-harvesting tactics on macOS. Amid a 101% surge in such threats, it attracts smaller hackers, democratizing attacks. Enhanced security and vigilance are essential to counter this evolving risk.
Written by Dorene Billings

In the shadowy corners of cybercrime, a new contender is emerging to challenge the dominance of established malware tools, signaling a shift in how hackers target Apple’s ecosystem. The infostealer known as Mac.c, developed by a threat actor using the alias “mentalpositive,” is rapidly gaining traction among cybercriminals, positioning itself as a budget-friendly alternative to the notorious Atomic macOS Stealer (AMOS). According to a recent analysis by cybersecurity firm Moonlock, Mac.c borrows heavily from AMOS’s playbook but undercuts it on price, offering subscriptions as low as $100 per month compared to AMOS’s $1,000 entry fee. This pricing strategy is drawing in smaller operators and affiliates, potentially democratizing access to sophisticated macOS attacks.

Moonlock’s deep dive, published on HackerNoon, reveals that Mac.c employs a multi-stage infection process, starting with phishing lures disguised as legitimate software like CleanMyMac or Notion. Once installed, it deploys AppleScript to harvest credentials from browsers, cryptocurrency wallets, and system files, exfiltrating data to attacker-controlled servers. The malware’s evolution includes code reuse from AMOS, but with tweaks for evasion, such as dynamic command-and-control domains.

The Rise of Budget Malware in a Competitive Market

This development comes amid a broader surge in macOS-targeted threats, as Apple’s growing enterprise adoption makes its users lucrative targets. A report from SC Media noted a 101% jump in infostealer detections on macOS in the latter half of 2024, driven by variants like Mac.c that exploit user trust in familiar apps. Security researchers at Jamf have observed a 28% spike in such malware among Mac users this year, attributing it to the proliferation of malware-as-a-service (MaaS) models that lower barriers for entry-level hackers.

Posts on X from cybersecurity accounts, including those from Moonlock Lab, highlight Mac.c’s “building in public” approach, where the developer shares updates on underground forums, fostering a community around its affordability. This mirrors trends seen in other MaaS offerings, but Mac.c’s focus on macOS exclusivity sets it apart, rivaling AMOS not just in functionality but in market penetration.

Evolving Tactics and Enterprise Vulnerabilities

What makes Mac.c particularly insidious is its persistence mechanisms, including backdoor capabilities for ongoing access, as detailed in a Bleeping Computer analysis of similar AMOS variants. In enterprise settings, where Macs are increasingly common, this poses significant risks: stolen credentials can lead to broader network breaches, data exfiltration, or ransomware follow-ups. Intel 471’s blog from last year presciently warned of rising macOS threats due to Apple’s market share, a trend now accelerating into 2025.

Defenders are responding with updated detection rules, but the malware’s low cost could fuel an arms race. Flashpoint analysts, in their July post on Flashpoint, emphasize common tactics like social engineering and urge multi-layered defenses, including behavioral monitoring and endpoint protection tailored for macOS.
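The infection chain described above (a lure impersonating CleanMyMac or Notion, AppleScript invoked to harvest credentials, then exfiltration to an attacker-controlled domain) is the kind of sequence the behavioral monitoring mentioned here is meant to catch. The following is an added illustration, not code from Moonlock, Flashpoint or any vendor: a toy correlation over a constructed endpoint event stream. The event schema, the sample events, the allowlist and the 120-second window are all assumptions made for this example.

```python
"""Toy behavioural correlation for the lure -> osascript -> exfiltration chain.
Event schema, sample events and allowlist are constructed for this example;
the heuristic is illustrative, not a vendor detection rule."""
from dataclasses import dataclass
from typing import Iterable

TRUSTED_APP_NAMES = {"cleanmymac", "notion"}              # lure names from the article
ALLOWED_DOMAINS = {"apple.com", "notion.so", "macpaw.com"}  # assumed allowlist
CORRELATION_WINDOW = 120                                   # seconds; assumed

@dataclass
class Event:
    ts: int
    kind: str        # "exec" or "net"
    pid: int
    ppid: int
    name: str        # process name
    path: str        # executable path
    signed: bool     # valid code signature present
    domain: str = "" # remote host, only for "net" events

def looks_like_lure(e: Event) -> bool:
    """A process named like a well-known app but running from outside
    /Applications, or without a valid signature, matches the impersonation
    the article describes; a normally installed, signed copy does not."""
    return (e.kind == "exec" and e.name.lower() in TRUSTED_APP_NAMES
            and (not e.path.startswith("/Applications/") or not e.signed))

def allowed(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)

def detect(events: Iterable[Event]) -> list[str]:
    """Alert when a lure process spawns osascript and, within the window,
    it or the osascript child contacts a domain outside the allowlist."""
    events = sorted(events, key=lambda e: e.ts)
    lures = {e.pid: e for e in events if looks_like_lure(e)}
    alerts = []
    for e in events:
        if e.kind == "exec" and e.name == "osascript" and e.ppid in lures:
            lure = lures[e.ppid]
            for n in events:
                if (n.kind == "net" and n.pid in (e.pid, lure.pid)
                        and 0 <= n.ts - e.ts <= CORRELATION_WINDOW
                        and not allowed(n.domain)):
                    alerts.append(f"{lure.name} ({lure.path}) ran osascript "
                                  f"then contacted {n.domain}")
                    break
    return alerts

SAMPLE_EVENTS = [  # constructed: one benign Notion automation, one impersonating lure
    Event(100, "exec", 501, 1, "Notion", "/Applications/Notion.app/Contents/MacOS/Notion", True),
    Event(105, "exec", 502, 501, "osascript", "/usr/bin/osascript", True),
    Event(110, "net", 502, 501, "osascript", "/usr/bin/osascript", True, "api.notion.so"),
    Event(200, "exec", 601, 1, "CleanMyMac", "/Users/alice/Downloads/CleanMyMac.app/Contents/MacOS/CleanMyMac", False),
    Event(203, "exec", 602, 601, "osascript", "/usr/bin/osascript", True),
    Event(210, "net", 601, 1, "CleanMyMac", "/Users/alice/Downloads/CleanMyMac.app/Contents/MacOS/CleanMyMac", False, "cdn-updates.example"),
]
```

Run `detect(SAMPLE_EVENTS)` to see the signed Notion install pass silently while the unsigned copy in Downloads produces a single alert; in a real deployment the signature check and allowlist would come from the endpoint agent and the organization's own inventory.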

Implications for Users and the Broader Threat Ecosystem

For individual users, the advice is straightforward: avoid unsolicited downloads and enable Apple’s Gatekeeper strictly. Yet, as 9to5Mac reported just hours ago, Mac.c’s rivalry with AMOS underscores a maturing underground economy where innovation thrives on competition. Recent X posts from accounts like All Apple News echo this, noting how Mac.c is “shaking up” the scene by offering AMOS-like features at a fraction of the price.

Looking ahead, experts predict this could lead to more customized variants, blending infostealing with other payloads. SentinelOne’s 2024 malware review, accessible via SentinelOne, catalogs similar families and stresses proactive hunting. As cybercrime evolves, Mac.c exemplifies how affordability can amplify threats, compelling organizations to rethink macOS security as a first-class priority rather than an afterthought.

Defensive Strategies and Future Outlook

To counter this, industry insiders recommend integrating threat intelligence feeds that track MaaS developments, such as those from Cyooda Security, which dissected a highly malicious macOS infostealer in June. Combining this with user education and zero-trust architectures could mitigate risks. Meanwhile, the leak of related malware source code, as shared on X by vx-underground regarding Banshee Stealer, illustrates the volatile nature of these tools: shutdowns breed new iterations.

Ultimately, Mac.c’s ascent reflects a pivotal moment: macOS is no longer a safe haven. With threats like PSW.Agent topping detections in regions like the Czech Republic, per Letem svetem Applem’s August report, vigilance is key. As 2025 unfolds, tracking these rivalries will be crucial for staying ahead in an ever-intensifying cyber battleground.
