On 14 March 2025, a user “mentalpositive” on XSS Forum posted a thread advertising a new macOS infostealer. Below is a machine translation of the user’s forum post, with minor edits by me.
Screenshot from XSS Forum. User advertises the new infostealer
mac.c macOS Stealer is a stealer for devices running the macOS operating system. Works on all system versions starting from macOS Sierra (>10.12.6). Written in C, the build weight at the time of writing the topic is ~140 KB. Both architectures are supported: x64_86, ARM. Collects cookies, passwords, autofills and history from Chromium-based browsers, device information, Telegram session, desktop cryptocurrencies and cryptocurrencies, screenshot and decrypted device keychain. And the ability to change the text in modal windows when a password is requested will make your work even more pleasant!
mac.c panel screenshots
Technical information
- The build is written in C from scratch, the weight of the build is currently ~140 kilobytes
- Both architectures are supported – x64-86, ARM (all OS versions above macOS Sierra)
- Log decoding happens on the server, no delays on the victim’s device
- All code was written by me personally from scratch and has nothing in common with other projects
- Stealer panel is written in PHP and deployed in Tor network for anonymity of clients
- Convenient autobuilder right on the panel, get unlimited builds
- Victim is required to enter password on startup (text in modal window changes)
- macOS terminal hides after launch, everything looks legitimate at launch
- Builds do not work in CIS countries and there is no possibility to remove geo-lock, even for money!
Information for buyers
- Stealer is provided without a certificate, like all offered options in the marketplace
- When your subscription expires, new logs continue to arrive on the dashboard
- The sale is in MaaS format. You register your own profile on the shared panel
Build functionality
- Collect passwords, cookies, history and autofills of Chromium-based browsers
- Collection of desktop crypto wallets and browser cryptocurrencies
- Collection and subsequent decryption of keychain with logging
- Collection of all device information, as well as screenshot during log collection
- Telegram messenger session collection (in the usual format)
- Recursive collection of desktop and document files (extensions are customizable)
- Ability to specify text in the modal window at startup
- Ability to enable and specify a fake error after sending a log
Monthly subscription costs $1250 (price is valid until 21-03-2025, later it will be raised after a major update)