Why your Mac is next: how amateur data stealers became a business
Hear from Kseniia Yumburh, researcher at Moonlock, and learn why Mac computers have become a prime target for attackers and what Mac admins can do to stay ahead.
If you’ve ever felt like cybersecurity reads more like a spy novel than a manual, you’re not wrong. In my day job as a malware researcher at Moonlock, a cybersecurity division of MacPaw, I spend a lot of time tracing the plot lines: who’s targeting whom, what they want and how they get it. The macOS chapter used to be short and a little boring. Not anymore. In the last couple of years, we’ve watched hobby projects evolve into polished crimeware aimed squarely at everyday Mac users. The old comfort phrase, “Macs don’t get malware,” is now more of a historical quote than a safety rule.
What changed? First, the volume. In our own telemetry, one of the families we track, AMOS, spiked dramatically, jumping by roughly 300% in just a single month.
AMOS anomaly chart in August 2025
How to read the AMOS anomaly chart: the blue line shows AMOS detections among CleanMyMac users and the yellow line is the moving-average baseline with a tolerance corridor (a few-percent band we allow for normal swings). When the blue series exceeds or falls short of the tolerance, we flag an anomaly rather than routine variance. In this plot, August clearly breaches the corridor, matching what users felt anecdotally: more pop-ups, more fake updaters and more “just-click-here” moments than usual.
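To make the anomaly-flagging rule described above concrete, here is an added example (not Moonlock’s code) that applies a trailing moving-average baseline with a tolerance corridor to constructed monthly counts. The window size, the 5% tolerance and the counts themselves are assumptions chosen to mirror the shape of the AMOS chart, not real telemetry.

```python
"""Moving-average baseline with a tolerance corridor for detection counts.

Added example: flags months whose count lands outside the corridor around the
trailing moving average, the reading rule used for the AMOS anomaly chart.
"""
from statistics import mean

# Constructed monthly detection counts (arbitrary units), NOT Moonlock telemetry.
# Flat for months, then a spike in August, echoing the chart's shape.
MONTHLY_DETECTIONS = {
    "2025-01": 1000, "2025-02": 1020, "2025-03": 990, "2025-04": 1010,
    "2025-05": 1030, "2025-06": 1000, "2025-07": 1040, "2025-08": 4100,
}


def moving_average_baseline(values, window):
    """Trailing moving average of the previous `window` points.

    The current point is excluded so that a spike does not inflate its own
    baseline. The first `window` entries have no baseline and are None.
    """
    baseline = []
    for i in range(len(values)):
        baseline.append(None if i < window else mean(values[i - window:i]))
    return baseline


def flag_anomalies(series, window=3, tolerance=0.05):
    """Return the points that exceed or fall short of the tolerance corridor.

    `series` maps a period label to a count. `tolerance` is the fractional
    band around the baseline that is treated as routine variance.
    """
    labels = list(series)
    values = [series[label] for label in labels]
    baseline = moving_average_baseline(values, window)
    anomalies = []
    for label, value, base in zip(labels, values, baseline):
        if base is None:
            continue  # not enough history yet to judge this point
        upper, lower = base * (1 + tolerance), base * (1 - tolerance)
        if lower <= value <= upper:
            continue  # inside the corridor: routine swing, not an anomaly
        anomalies.append({
            "month": label,
            "value": value,
            "baseline": round(base, 1),
            "direction": "above" if value > upper else "below",
            "pct_change": round((value / base - 1) * 100, 1),
        })
    return anomalies


if __name__ == "__main__":
    for a in flag_anomalies(MONTHLY_DETECTIONS):
        print(f"{a['month']}: {a['value']} vs baseline {a['baseline']} "
              f"({a['direction']}, {a['pct_change']:+.1f}%)")
```

With the constructed data only August breaches the corridor, at roughly four times its baseline, which is the kind of jump the chart shows; a drop below the lower band is reported the same way, with a negative percentage.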
Counting malware detections
You can see that acceleration in the following detection charts. AtomicStealer malware (AMOS) hums along for months and then rockets in late summer, with tens of thousands of detections in August 2025 alone. That’s what a successful affiliate push looks like once distribution and lures align.
AtomicStealer malware: chart showing tens of thousands of detections in August 2025 (exact numbers cannot be disclosed)
Odyssey malware tells a different story: a spring peak followed by a gradual cooldown with thousands affected overall, typical of infrastructure getting burned by published indicators, lure fatigue or traffers rotating to competitive kits.
Odyssey malware: chart showing thousands of detections (exact numbers cannot be disclosed)
The Mentalpositive (Mac.C / MacSync) threat actor is a newcomer, with hundreds of detections and an on-ramp that matches what we saw in tracking: it entered the market in April (the same month we started hunting it), but real-user detections didn’t appear until July. Looking at the chart below, we can see a gap, which is the boot-up period in which a seller finds clients, tunes delivery and scales the campaign.
Mentalpositive malware: chart showing hundreds of detections (exact numbers cannot be disclosed)
Taken together, AMOS clearly holds the largest share in this slice of the market.
Geographical distribution
Geography reinforces the point. The heat maps add useful context about where these families land. AMOS is truly global, blanketing most regions and showing up even across large parts of Africa, consistent with a wide affiliate network and many lure variants.
Odyssey infostealer is wide but more concentrated, with a strong presence in the United States, Western Europe and South/East Asia.
Odyssey infostealer geographical distribution
Mentalpositive malware is clustered: it lights up only a handful of countries at first, with Ukraine appearing early and a modest expansion to Western Europe, the U.S. and Australia as the operation finds its footing.
Mentalpositive malware geographical distribution
Rolling all families up, the United States consistently sits at the top. In Europe, France and Germany lead, India and China anchor Asia, and in Latin America, Argentina (and to a lesser extent Brazil) shows prominently in AMOS campaigns.
As with the bar charts, treat the maps as directional: coverage reflects both attacker reach and where we have visibility.
Consequently, we need to admit that macOS has moved from a niche “vegan option” for cybercrime to the main course, and criminals now see a prime target with worthwhile returns. The lone-wolf script-kiddie stereotype doesn’t describe what we’re facing. Mac malware has matured into a real product category, built by developer groups that advertise, take “feature requests” and ship updates.
Examining the cybercrime ecosystem
Let’s take a look at the cybercrime ecosystem behind the numbers:
The pyramid above summarizes the business flow that powers malware campaigns. At the base, developer teams sell ready-made stealer kits on underground markets, often $1000 – $3000 per license.
Ad of mentalpositive’s macOS stealer
Buyers and traffers purchase and distribute those kits at scale via malvertising, SEO-poisoned results, fake updaters and cracked-app sites. Once a victim runs the payload, the malware steals data (passwords, cookies, wallets, IDs, documents) and, in many cases, drains crypto or packages everything into resellable “logs.”
Example of “log” (package with stolen personal data)
Those logs are then sold for the price of a coffee on forums and marketplaces. That low price tag is not a sign of low value; it’s a sign of scale. Logs are commodities now, bought and resold by the thousands, fueling a second market of fraud and impersonation.
@Baptist promoting AMOS stealer log for sale for $15
At the top of the pyramid are more sophisticated, state-sponsored actors that may buy identities and use them to quietly infiltrate companies, piggybacking on stolen identities to spy, move laterally or profit. In other words: this isn’t a single hacker, it’s a supply chain where each layer makes the next one profitable. When distribution gets burned or a lure stops converting, traffers swap tactics. When defenders raise the price of data theft, operators update the kit. That’s why campaigns pulse and shift and why user habits that block the earliest step (downloading and running the payload) have an outsized impact.
The evolution of infostealers
Talking about the technical side, the stealer families themselves have grown up as well. The early “grab-whatever-you-can” builds have given way to kits that detect sandboxes and virtual machines. Recent variants even add new persistence logic inside a function named installBot, which sets up durable access after the first run.
AMOS malware setting up persistence
If you want a deeper technical dive into how stealers add backdoor and persistent-access features, we published a focused write-up here: Atomic macOS Stealer now includes a backdoor for persistent access.
Some macOS malware even hunts security tools first, scanning for and attempting to terminate the well-known utilities from Patrick Wardle’s Objective-See Foundation, such as LuLu (outbound firewall), BlockBlock (persistence monitor) and KnockKnock (persistence enumerator).
Good habits help prevent malware infiltration
Still, on macOS most compromises start with a moment of misplaced trust: clicking a persuasive ad, accepting an “urgent update” or following a copy-paste Terminal command from a site you’ve never heard of. If you verify downloads at the source, pause on pressure tactics and treat long-tail requests for extra permissions with skepticism, you eliminate a surprising number of on-ramps. That’s the theme our team pushed hardest in the room: small, consistent habits outcompete elaborate defenses you’ll never maintain.
The human cost of doing nothing isn’t abstract. When a log of your life ends up for sale, it’s not just the money. It’s the broken trust that follows: messages sent in your name, decisions nudged in your workplace by someone who shouldn’t be there, a sense that your computer is no longer your space. That’s why we keep talking about this. Whether we’re protecting a billion-dollar brand or a $200 wallet, the line from “one careless download” to “someone else has the keys” is uncomfortably short.
If you couldn’t make the session, I hope this write-up gives you the picture: macOS is an attractive target because there’s value on the endpoint and there’s now an industry that knows how to extract it. But we’re not powerless, and you’re not alone. At Moonlock we’re doubling down on prevention and on a community model that shares real-world signals quickly. If you see a new lure, a look-alike download flow, or a suspicious login item, bring it to us; we’ll compare notes, trade insights and credit contributors. That’s how we turn isolated incidents into early warnings for everyone.
If you want to collaborate on analysis, co-publish research, or just sanity-check something you found, reach us on X at @moonlock_lab. More about our work is at moonlock.com.
Want to learn more?
Check out MacPaw's session at JNUC 2025.