The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports.
MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025.
Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat.
In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities via a fully-featured Go-based agent.
Like most macOS infostealers, it relied on social engineering techniques, such as ClickFix, to trick users into executing malicious scripts, leading to infection.
A recently observed sample, however, eliminates this step, taking a more direct, hands-off approach, Jamf says.
The stealer’s operators packed the malware’s dropper as a code-signed and notarized Swift application inside a disk image masquerading as a zk-Name messenger installer.
“The dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable,” Jamf explains.
The same distribution technique, the cybersecurity firm notes, has been adopted by the Odyssey infostealer family as well.
Analysis of MacSync Stealer’s new infection chain revealed a layered, evasive dropper routine focused on stealth and persistence, which includes environmental checks, network requests, Gatekeeper evasion, and validation.
MacSync Stealer started appearing in detections in mid-2025, but infected a large number of machines relatively quickly.
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly try to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf notes.
