In the ever-changing landscape of cybersecurity threats, macOS users have long believed their systems to be relatively secure — but that confidence is increasingly being challenged. A recently uncovered evolution in a piece of malware known as MacSync Stealer shows how attackers are adapting to bypass built-in protections and trick users into installing harmful software.
Originally emerging in 2025, MacSync Stealer began as a typical infostealer — malware designed to harvest sensitive data from infected machines. Early versions relied heavily on social engineering techniques that coax users into manually executing malicious scripts, often through prompts like “drag this into Terminal” or similar ClickFix-style tricks.
But the latest variant marks a significant shift in both delivery and deception.
From Manual Execution to a Sleek Installer
What makes this new strain particularly concerning is how it arrives on a victim’s Mac. Instead of requiring users to open Terminal and run commands, attackers now distribute the malware inside a seemingly legitimate macOS application — complete with Apple’s own code-signing and notarization.
This executable is packaged within a disk image (a .dmg file) that pretends to be a trusted app installer — for example, something like “zk-call messenger.” Once opened, the app silently downloads an encoded script from a remote server and runs it in the background using a helper component built in Swift.
Because the app is code-signed and notarized, it initially appears legitimate to macOS Gatekeeper, Apple’s defense mechanism against untrusted apps. This allows the malware to evade the first layer of warning messages that would normally alert users to danger.
1. Initial Delivery & Packaging
The infection chain begins with a disk image (DMG) distributed through phishing, fake software portals, or impersonated collaboration tools. The DMG typically contains:
- A signed and notarized macOS application bundle
- One or more decoy files (often PDFs or unrelated documents)
- No obvious malicious scripts exposed to the user
The notarization gives the installer an immediate trust advantage, allowing it to pass Gatekeeper checks without warnings.
2. Signed Swift Application (Dropper Layer)
At the core of the attack is a Swift-based macOS application acting as a dropper. This binary is lightweight and intentionally minimal to avoid static detection.
Key characteristics:
- Compiled in Swift to blend with legitimate macOS apps
- Uses native macOS APIs (no obvious exploits)
- Contains no hard-coded payload
When launched, the app performs silent initialization without presenting a functional UI.
3. Environment & Execution Checks
Before proceeding, the installer performs basic validation so that it fails quietly in unsuitable environments and frustrates sandbox analysis:
- Confirms network connectivity
- Verifies it is running on a real user system
- Confirms user execution context (not root)
If checks fail, execution halts quietly.
4. Remote Payload Retrieval
Instead of embedding the malware directly, the installer fetches the real payload at runtime:
- Connects to a remote command server
- Downloads a Base64-encoded script
- Payload is never written directly to disk in decoded form
This reduces forensic artifacts and signature-based detection.
5. In-Memory Decoding & Execution
Once downloaded:
- The script is decoded in memory
- Executed using native shell or scripting interfaces
- No visible Terminal window is shown to the user
This stage transitions from the dropper to the MacSync Stealer core.
6. Persistence (Variant-Dependent)
Depending on the campaign, persistence may be achieved via:
- Launch Agents (~/Library/LaunchAgents)
- Login item registration
- Background execution through helper binaries
Not all samples establish persistence immediately, suggesting modular deployment.
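The decode-and-execute stage described in section 5 and the Launch Agent persistence in section 6 leave the same defensive foothold: a launchd property list whose command line decodes a blob and pipes it into a shell. The following script is an added example, not code from the article or from any MacSync sample; it scans a LaunchAgents directory with the standard library's plistlib and flags agents whose ProgramArguments match a decode-and-run heuristic. The regular expressions, the constructed sample plists, and the com.example.* labels are assumptions made for illustration and are not indicators from the campaign.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Heuristics for command lines that stage a payload without writing it to disk
# in decoded form: a base64 decode piped into an interpreter, a download tool
# feeding an interpreter, or "sh -c" wrapping a base64 invocation. These
# patterns are an assumption for illustration, not derived from a real sample.
SUSPICIOUS_PATTERNS = [
    re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sh|bash|zsh|osascript|python\d?)\b"),
    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b"),
    re.compile(r"\b(sh|bash|zsh)\s+-c\s+.*\bbase64\b"),
]


def command_line_is_suspicious(cmdline: str) -> bool:
    """Return True if a command line matches a decode-and-execute pattern."""
    return any(p.search(cmdline) for p in SUSPICIOUS_PATTERNS)


def launch_agent_command(plist_path: Path) -> str:
    """Extract the effective command line from a launchd property list."""
    with plist_path.open("rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args:
        return " ".join(str(a) for a in args)
    return str(data.get("Program", ""))


def scan_launch_agents(directory: Path) -> list[tuple[str, str]]:
    """Return (plist name, command line) for each agent whose command looks suspicious."""
    hits = []
    for plist in sorted(directory.glob("*.plist")):
        try:
            cmd = launch_agent_command(plist)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist: skip rather than abort the sweep
        if command_line_is_suspicious(cmd):
            hits.append((plist.name, cmd))
    return hits


def build_sample_agents(directory: Path) -> None:
    """Write constructed sample plists: one benign updater, one modelled on the decode-and-run stage."""
    benign = {
        "Label": "com.example.updater",  # constructed label
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }
    suspicious = {
        "Label": "com.example.sync",  # constructed label, not a real MacSync indicator
        "ProgramArguments": ["/bin/sh", "-c", "echo Y3VybCAuLi4= | base64 -d | sh"],
        "RunAtLoad": True,
    }
    with (directory / "com.example.updater.plist").open("wb") as fh:
        plistlib.dump(benign, fh)
    with (directory / "com.example.sync.plist").open("wb") as fh:
        plistlib.dump(suspicious, fh)


def demo() -> list[tuple[str, str]]:
    """Run the scan against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        build_sample_agents(directory)
        return scan_launch_agents(directory)


if __name__ == "__main__":
    for name, cmd in demo():
        print(f"suspicious launch agent {name}: {cmd}")
    # On a live system, point the scan at the user's real agents directory:
    # scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

Because the article notes that not every sample persists immediately, the same heuristic is worth applying to process-execution telemetry (the command line of the Swift helper's child process) and not only to files on disk; command_line_is_suspicious takes any string, so it can be reused over endpoint logs unchanged.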
7. Data Collection & Exfiltration
Once active, the stealer focuses on credential and session theft, including:
- Browser data (cookies, saved credentials, autofill)
- User tokens and session artifacts
- System profiling information
Collected data is staged and transmitted back to attacker-controlled infrastructure over HTTPS.
Indicators of Compromise (IOCs)
SHA256:be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a
SHA256:4ae745bc0e4631f676b3d0a05d5c74e37bdfc8da3076208b24e73e5bbea9178f
SHA256:ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863
SHA256:7cfe0b119e616ac81ddb1767a5c7f40bec67d91fdd66e53490c0225789537073
SHA256:06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e
SHA256:c4d3e5cdb264eded917cd61b8131c40715c0ee3f4d2c94c84d60fa295ca4ed97
SHA256:9990457feac0cd85f450e60c268ddf5789ed4ac81022b0d7c3021d7208ebccd3
SHA256:9d43e059111460c4f81351a062fb7eb7dbfd34988a06d756c7206f330c06cb42
SHA256:2e671bd9673d174de9b4ad8fd03049859e1d2d17ac9bc49ecc5d736505002937
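The hashes above are only useful once something checks files against them. The script below is an added example, not part of the article; it hashes every regular file under a directory (for instance a user's Downloads folder, where the disk image would land) and reports any whose SHA-256 appears in the list. The IOC set is copied from the article; the constructed stand-in file, its name, and the demo directory layout are assumptions made so the example runs offline without a real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators as listed in the article's IOC section.
MACSYNC_SHA256 = frozenset({
    "be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a",
    "4ae745bc0e4631f676b3d0a05d5c74e37bdfc8da3076208b24e73e5bbea9178f",
    "ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863",
    "7cfe0b119e616ac81ddb1767a5c7f40bec67d91fdd66e53490c0225789537073",
    "06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e",
    "c4d3e5cdb264eded917cd61b8131c40715c0ee3f4d2c94c84d60fa295ca4ed97",
    "9990457feac0cd85f450e60c268ddf5789ed4ac81022b0d7c3021d7208ebccd3",
    "9d43e059111460c4f81351a062fb7eb7dbfd34988a06d756c7206f330c06cb42",
    "2e671bd9673d174de9b4ad8fd03049859e1d2d17ac9bc49ecc5d736505002937",
})


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_for_iocs(root: Path, iocs: frozenset[str]) -> list[tuple[Path, str]]:
    """Hash every regular file under root and return (path, digest) for IOC matches."""
    matches = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, app bundles as a whole, and links
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # permission or read error: keep sweeping the rest
        if digest in iocs:
            matches.append((path, digest))
    return matches


def demo() -> list[str]:
    """Run the sweep over a constructed directory tree and return matching file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "Downloads"
        downloads.mkdir()
        # Constructed stand-in named after the lure the article mentions; its
        # contents are arbitrary bytes, not a real disk image.
        marker = downloads / "zk-call-messenger.dmg"
        marker.write_bytes(b"constructed stand-in for a known-bad disk image")
        (root / "notes.txt").write_text("benign file", encoding="utf-8")
        # Add the stand-in's digest to the real list so the demo yields a hit
        # without shipping actual malware alongside the example.
        iocs = MACSYNC_SHA256 | {sha256_of_file(marker)}
        return [path.name for path, _ in sweep_for_iocs(root, iocs)]


if __name__ == "__main__":
    print(demo())
    # On a live system: sweep_for_iocs(Path.home() / "Downloads", MACSYNC_SHA256)
```

A hash sweep only catches the exact samples listed, so it is a triage aid rather than a detection strategy; the article's own point is that the signed, notarized wrapper will vary between campaigns while the decode-and-execute behaviour stays the same.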
What It Means for macOS Users
The evolution of MacSync Stealer reflects a broader trend: attackers are increasingly finding ways to blend in with legitimate software to bypass safeguards like Gatekeeper and notarization. What was once a visible red flag — a script prompting a user to open Terminal — has now become a polished, hands-off installation process.
