Hacking

MacSync Returns: Signed macOS Stealer Slips Past Gatekeeper

Published  ·  4 min read

Researchers specializing in cyber security have found a new version of MacSync, an information-stealing application for Macs, which has been created using the Swift programming language. This version of MacSync pretends to be a legitimate installer for a messaging application and is delivered via a digital signature and notarization from Apple.

While previous versions of MacSync primarily utilized social engineering tactics such as drag and drop to Terminal and ClickFix-like execution methods, this newest version appears more refined, using Apple's own trust mechanisms as part of its process. Therefore, MacSync can bypass Gatekeeper and other built-in security features with little interaction from the user.

According to Jamf, this malware is served within a disk image file called "zk-call-messenger-installer-3.9.2-lts.dmg.", which was placed on a fake website designed to look like it was representing a legitimate messaging platform. Once installed on the user's computer, this application is treated by macOS as though it were a trusted piece of software since it has been code-signed and notarized by Apple.

That being said, this installer still instructs users to right-click and manually launch the application, which is typically used by cybercriminals when they want to eliminate any friction in cases where automated checks have failed. Although Apple has since revoked the signing certificate associated with this malware, the example demonstrates an opportunity for cybercriminals to misuse Apple's notarization processing system temporarily.

Execution and Evasion Techniques
If a Swift-based dropper is initiated, it will first conduct a number of checks before it delivers its primary payload: It will check to ensure that the internet connection is functioning, it will enforce a one-hour delay in the execution of the final payload so as to avoid the dropper being tended to rapidly, it will remove any quarantine attributes from the file and it will verify the downloaded file against a known hash before executing it.

In addition to this change to the payload fetch process, researchers have also noted several changes in the curl command that has been used by the drops to fetch the payload of the target script. These changes include modified flags and the addition of dynamic variables assigned to the curl options. This indicates that the leaks of payload data are an attempt to evade detection and improve the consistency of payload delivery in different environments.

One other unique method used to evade detection is the above-average size of the DMG file (more than 25 MB). The DMG file has been padded with additional data in PDF format, which will likely be done to create the appearance of normality and to assist the dropper while it is performing automated scans for suspected dropper files.

Capabilities of MacSync
Upon decoding the Base64-encoded payload, MacSync was confirmed as a rebranding of Mac.c, an evolution of the Mac.c malware family that was originally observed in 2025. Researchers found that MacSync is not simply an information stealer, but far more than that.

MacSync includes a Go-based agent that has the ability to perform remote command execution, maintain a persistent connection back to a command-and-control server, and allow flexible tasking, going beyond data theft alone. Therefore, we would consider MacSync to be a modular backdoor rather than just a credential harvester.

Many macOS malware campaigns are making use of signed DMG images to the same extent as well, including campaigns that have been seen using signed DMGs to impersonate Google Meet installers to deliver credential stealing malware such as Odyssey. Although there are still many threat actors using only unsigned images, the continued increase in the use of signed and notarized malware indicates a larger trend in the shift of macOS threat activity.

Thus as attackers utilize Apple's trust model as a way to conceal their activities, the expectation that any signed application is fundamentally safe is no longer reasonable. The MacSync campaign serves as an important reminder of the necessity for organizations to implement behavioral monitoring, to use strict application allowlisting or allowlist-based application controls, and to raise user awareness about the rise in signs of macOS threats, even on historically considered secure platforms.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067