Cybersecurity researchers have found a brand new variant of a macOS info stealer referred to as MacSync that is delivered by the use of a digitally signed, notarized Swift software masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks.
“Not like earlier MacSync Stealer variants that primarily depend on drag-to-terminal or ClickFix-style strategies, this pattern adopts a extra misleading, hands-off strategy,” Jamf researcher Thijs Xhaflaire stated.
The Apple gadget administration agency and safety firm stated the most recent model is distributed as a code-signed and notarized Swift software inside a disk picture (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that is hosted on “zkcall[.]internet/obtain.”
The truth that it is signed and notarized means it may be run with out being blocked or flagged by built-in safety controls like Gatekeeper or XProtect. Regardless of this, the installer has been discovered to show directions prompting customers to right-click and open the app – a typical tactic used to sidestep such safeguards. Apple has since revoked the code signing certificates.
The Swift-based dropper then performs a collection of checks earlier than downloading and executing an encoded script via a helper part. This consists of verifying web connectivity, imposing a minimal execution interval of round 3600 seconds to implement a fee restrict, and eradicating quarantine attributes and validating the file previous to execution.
“Notably, the curl command used to retrieve the payload reveals clear deviations from earlier variants,” Xhaflaire defined. “Relatively than utilizing the generally seen -fsSL mixture, the flags have been cut up into -fL and -sS, and extra choices like –noproxy have been launched.”
“These adjustments, together with the usage of dynamically populated variables, level to a deliberate shift in how the payload is fetched and validated, probably aimed toward bettering reliability or evading detection.”
One other evasion mechanism used within the marketing campaign is the usage of an unusually giant DMG file, inflating its dimension to 25.5 MB by embedding unrelated PDF paperwork.
The Base64-encoded payload, as soon as parsed, corresponds to MacSync, a rebranded model of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes past easy information theft and allows distant command and management capabilities.
It is price noting that code-signed variations of malicious DMG information mimicking Google Meet have additionally been noticed in assaults propagating different macOS stealers like Odyssey. That stated, menace actors have continued to depend on unsigned disk photos to ship DigitStealer as lately as final month.
“This shift in distribution displays a broader development throughout the macOS malware panorama, the place attackers more and more try and sneak their malware into executables which can be signed and notarized, permitting them to look extra like respectable purposes,” Jamf stated.
