One of the fairly popular macOS bundleware exemplars presented in this research employs techniques that any seasoned threat researcher will find rather amusing. Not only does it employ anti-debugging, string/API encryption and Mach-O runtime decompression techniques; its developers went as far as embedding a full backdoor component into the installer, granting it capabilities that extend way beyond what one might expect from installation software. The power given to the installer practically enables full control over the target system. Even if this was done so that the company behind it could have 'advanced analytics' or the ability to push any third-party software it wants, what happens if this power is abused? Boasting 'millions of downloads' (whether it's true or not), this particular bundleware has potential access to a large number of Macs around the world. Given the amount of power it aggregates, it is a matter of duty for security folks to have a closer look at this software.

In this research, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, how it dynamically unpacks its code section in memory, and how it decrypts its config. An in-depth analysis will reveal the structure of its engine and the full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical of the Windows malware scene but aren't commonly found in unwanted apps that claim to be clean, particularly on the Mac platform.

This talk reveals practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using the LLDB debugger and the IDA Pro disassembler, along with a very interesting marker found during such analysis. Curious to learn what that marker was? Want to see how far Mac-specific techniques have evolved in relation to Windows malware?