A New Mac Trojan Is on the Prowl, and It’s Cheaper Than Its Top Competitor

A new macOS trojan, emerging on the dark web under the name Mac.c, is rapidly gaining popularity and beginning to compete with one of the underground market’s most notorious threats, AMOS. Analysts at Moonlock Lab were the first to draw attention to this tool, tracing its development by a hacker known as mentalpositive. Unlike many underground authors, he openly published updates and showcased the capabilities of his code on dark web forums — a move that quickly attracted buyers to the project.

Mac.c was conceived as a streamlined alternative to AMOS, built for maximum speed in data exfiltration. The malware is capable of harvesting information from iCloud Keychain, stored browser passwords, cryptocurrency wallets, system metadata, and even documents from designated macOS directories. To achieve this, it leverages native macOS mechanisms — from AppleScript to standard APIs — enabling it to disguise itself as legitimate processes and bypass many antivirus solutions. Its discovered features include evasion of XProtect via unique build generation, a remote file grabber, and a phishing module for stealing Trezor seed phrases.

Beyond its technical arsenal, the author invested in operator convenience. The administrative panel provides infection statistics, supports custom build generation, and enables attack management. As the project evolved, new integrations were introduced, including masquerading as Ledger Live, reducing binary size for faster delivery, and lowering detection rates during static analysis.

The subscription price for Mac.c is $1,500 per month, with a standalone Trezor data theft module offered for $1,000. By comparison, AMOS costs at least $3,000 monthly, making Mac.c significantly more accessible — especially to less experienced or financially constrained cybercriminals, including so-called “traffers” who spread malware through phishing and malvertising campaigns.

Moonlock Lab confirmed the full functionality of Mac.c, having detected its samples among CleanMyMac users. It spreads under the guise of installation files with names such as Installer.dmg or Installer descrakeador adobe.dmg, often pretending to be cracked versions of popular software. While CleanMyMac managed to block the threat, researchers emphasized that its detection highlights active distribution. A code comparison between Mac.c and AMOS revealed that some features were directly borrowed, suggesting possible ties between the developers.

The attack chain relies heavily on social engineering: the victim downloads and launches a malicious file, triggering the first stage of the trojan. It then deploys AppleScript to search for sensitive data and spawns counterfeit system windows requesting a password. The credentials entered by the user are stored in plaintext and later used for further exploitation of system resources.

The malware harvests cookies, logins, and IndexedDB contents from browsers such as Chrome, Edge, Brave, and Yandex. While Safari is not yet supported, the list of targeted applications is expanding. Mac.c places particular emphasis on cryptocurrency wallets, extracting data from MetaMask, Phantom, Binance Wallet, Electrum, Exodus, Atomic, Monero, Wasabi, and Ledger Live. An additional module even masquerades as the game Innocent Witches, prompting users for a password to “save files,” which instead redirects them to a phishing site (innocentwitches[.]top).

Although Mac.c does not yet match the sophistication of AMOS, its lower cost and ease of use make it an especially dangerous threat. Moonlock Lab predicts its popularity will continue to grow, with future versions likely to incorporate expanded capabilities. Against the backdrop of rising attacks on cryptocurrency holders, Mac.c lowers the barrier to entry for a wider pool of cybercriminals seeking to profit from the theft of digital assets.

For protection, researchers advise downloading applications exclusively from trusted sources, avoiding suspicious links, keeping macOS updated, and deploying specialized security tools. Cryptocurrency holders are urged to store keys and assets on hardware wallets or in secured applications rather than within browsers.

Mac.c serves as a stark reminder that macOS can no longer be considered an invulnerable system. With active backing from the dark web community and a comparatively modest price, it may fuel a new wave of cyberattacks — with digital currencies once again as the prime target.