Cybersecurity researchers have discovered a new variant of the macOS information stealer called MacSync, which is delivered by digitally signed and notarized Swift applications disguised as messaging app installers that bypass Apple’s Gatekeeper checks.
“Unlike previous MacSync Stealer variants that primarily rely on device dragging and ClickFix-style techniques, this sample takes a more deceptive and artificial approach,” said Jamf researcher Thijs Xhaflaire.
The latest version is distributed as a code-signed and notarized Swift application in a disk image (DMG) file named zk-call-messenger-installer-3.9.2-lts.dmg hosted on zkcall, Apple’s device management and security company said.[.]Net/Download. ”
The fact that it’s signed and notarized means it can run without being blocked or flagged by built-in security controls like Gatekeeper and XProtect. Nevertheless, the installer has been found to prompt users to right-click and open the app. This is a common tactic used to circumvent such safeguards. Apple subsequently revoked the code signing certificate.
The Swift-based dropper then performs a series of checks before downloading and running the encoded script through the helper component. This includes validating internet connectivity, enforcing a minimum execution interval of approximately 3600 seconds to enforce rate limits, removing quarantine attributes and validating files before execution.
“In particular, the curl command used to retrieve the payload shows a clear departure from previous variants,” Xhaflaire explained. “Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like –noproxy have been introduced.”
“These changes, along with the use of dynamically set variables, indicate intentional changes to the method of payload retrieval and validation, possibly aimed at improving reliability or evading detection.”
Another evasion mechanism used in this campaign is the use of unusually large DMG files, which increase in size to 25.5 MB by embedding unrelated PDF documents.
Once parsed, the Base64-encoded payload corresponds to MacSync, a rebranded version of Mac.c that first appeared in April 2025. According to MacPaw’s Moonlock Lab, MacSync includes a full-featured Go-based agent that goes beyond simple data theft and enables remote command and control capabilities.
Note that code-signed versions of malicious DMG files that mimic Google Meet have also been observed in attacks propagating other macOS stealers such as Odyssey. However, as recently as last month, attackers continued to rely on unsigned disk images to deliver DigitStealer.
“This change in distribution reflects a broader trend across the macOS malware landscape, where attackers are increasingly attempting to sneak malware into signed and notarized executable files that appear to be legitimate applications,” Jamf said.
Source link
