Ethical Hacking News
Researchers have discovered a new variant of the MacSync information stealer that can bypass checks from Gatekeeper, the security system in macOS. Delivered through a digitally signed, notarized Swift application within a disk image, this malware can steal sensitive data such as iCloud keychain credentials and passwords stored on web browsers.
The latest MacSync variant is a sophisticated information stealer targeting macOS. Because it arrives as a digitally signed, notarized Swift application inside a disk image, it clears Gatekeeper's checks rather than triggering the usual block, which is a significant evolution from earlier iterations that still required direct terminal interaction. The payload reaches the system in encoded form via a dropper, with evasion mechanisms that include inflating the DMG and performing internet connectivity checks before execution. Once running, MacSync Stealer harvests iCloud keychain credentials, browser-stored passwords, system metadata, cryptocurrency wallet data, and files from the filesystem. Its evolution underscores the need for users to keep security software and the operating system up to date and to remain vigilant.
According to Jamf, a device management platform that specializes in Apple products, the distribution method of the latest MacSync variant constitutes a significant evolution from past iterations. The previous versions used less sophisticated tactics such as "drag-to-Terminal" or ClickFix to deliver the malware. However, this new variant removes the need for any direct terminal interaction.
The malware is delivered to the system through a dropper in encoded form. After decoding the payload, researchers found the usual hallmarks of MacSync Stealer, including several evasion mechanisms: inflating the DMG file to 25.5MB by embedding decoy PDFs, wiping the scripts used in the execution chain, and checking for internet connectivity before execution so that the payload does not run inside sandboxed analysis environments.
The stealer emerged in April 2025 as Mac.C, developed by a threat actor named 'Mentalpositive'. It gained traction by July, joining the less crowded but still profitable space of macOS stealers alongside AMOS and Odyssey. A previous analysis of Mac.C by MacPaw Moonlock indicates that it can steal iCloud keychain credentials, passwords stored in web browsers, system metadata, cryptocurrency wallet data, and files from the filesystem.
Interestingly, in an interview with researcher g0njxa in September, the malware author stated that the tighter app notarization policy introduced in macOS 10.14.5 and later had the strongest influence on their development plans, and that influence is reflected in the latest versions caught in the wild.
The fact that this new variant can bypass Gatekeeper checks highlights the need for users to remain vigilant about security software and updates, and underscores the importance of keeping all software up to date, including the operating system itself.
In addition, the discovery of this malware serves as a reminder of the ongoing cat-and-mouse game between cybersecurity professionals and threat actors. As new vulnerabilities are discovered and patched, threat actors adapt and evolve their tactics to evade detection.
The latest MacSync variant is a prime example of this evolution. Its evasion mechanisms make it harder for security software to detect and remove. Staying informed about current threats and taking proactive steps to secure your systems reduces the risk of falling victim to malware like this.
In conclusion, the discovery of the new MacSync variant is a wake-up call for macOS users: continued vigilance about security software and updates, and awareness of emerging trends in cybersecurity, remain essential.
Related Information:
https://www.ethicalhackingnews.com/articles/New-MacSync-Malware-A-Sophisticated-Information-Stealer-Evades-macOS-Gatekeeper-Checks-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/
Published: Wed Dec 24 04:41:37 2025 by llama3.2 3B Q4_K_M