

Ethical Hacking News

New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper: A Threat to Mac Users' Privacy



A new variant of the MacSync information stealer has been discovered by cybersecurity researchers, using a digitally signed and notarized Swift application to bypass Apple's Gatekeeper security measure. This malware distribution method represents a significant threat to Mac users' privacy and security, highlighting the need for regular updates and vigilance in maintaining a secure posture.

  • Cybersecurity researchers have uncovered a new variant of MacSync, a malware designed to steal sensitive data from Mac users.
  • The malware is distributed through a digitally signed and notarized Swift application masquerading as a messaging app installer, bypassing Apple's built-in security measures.
  • The malware includes evasion mechanisms such as internet connectivity verification, rate limiting, and dynamically populated variables to evade detection.
  • The malware uses an unusually large DMG file (25.5 MB) with embedded PDF documents to make it harder for security tools to detect and block.
  • The Base64-encoded payload corresponds to MacSync, a rebranded version of Mac.c with remote command and control functionality.



In a recent discovery, cybersecurity researchers have uncovered a new variant of the MacSync information stealer, a malware designed to steal sensitive data from Mac users. The latest version is distributed through a digitally signed and notarized Swift application masquerading as a messaging app installer, thereby bypassing Apple's built-in security measures, including Gatekeeper.

The malware is delivered via a disk image (DMG) file named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted at "zkcall[.]net/download". Because the DMG is signed and notarized, security controls such as Gatekeeper or XProtect are less likely to detect and block it.

Despite being signed and notarized, the installer displays instructions prompting users to right-click and open the app, a common tactic used by attackers to sidestep security safeguards. Once opened, the Swift-based dropper performs a series of checks before downloading and executing an encoded script through a helper component.

The malware includes several evasion mechanisms: verifying internet connectivity, rate limiting itself by enforcing a minimum interval of around 3600 seconds between executions, removing quarantine attributes, and validating the file prior to execution. It also uses dynamically populated variables to improve its reliability and evade detection.
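As an added defender-side example (not code from the article, Jamf or The Hacker News), the following Python triage runs over constructed process-execution events and flags the quarantine-attribute removal described above, rating it higher when the parent process runs from a mounted disk image under /Volumes/. The key=value log layout, the user paths and the "Installer" volume name are assumptions made for this example.

```python
import os
import re
import shlex
from dataclasses import dataclass

# Constructed sample process-execution events (not real telemetry). The key=value
# layout, the user paths and the "Installer" volume name are assumptions.
SAMPLE_EVENTS = [
    'ts=2025-12-24T10:00:01Z ppath="/Applications/Preview.app/Contents/MacOS/Preview" cmd="/usr/bin/xattr -l /Users/u/Downloads/report.pdf"',
    'ts=2025-12-24T10:00:05Z ppath="/Volumes/Installer/Installer.app/Contents/MacOS/Installer" cmd="/usr/bin/xattr -d com.apple.quarantine /Users/u/Library/Caches/helper"',
    'ts=2025-12-24T10:00:06Z ppath="/Volumes/Installer/Installer.app/Contents/MacOS/Installer" cmd="/bin/chmod +x /Users/u/Library/Caches/helper"',
    'ts=2025-12-24T10:03:00Z ppath="/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal" cmd="/usr/bin/xattr -d com.apple.metadata:kMDItemWhereFroms /Users/u/Downloads/tool"',
    'ts=2025-12-24T10:04:00Z ppath="/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal" cmd="/usr/bin/xattr -c /Users/u/Downloads/tool"',
    'ts=2025-12-24T10:05:00Z ppath="/Volumes/Installer/Installer.app/Contents/MacOS/Installer" cmd="/usr/bin/xattr -rd com.apple.quarantine /Users/u/Library/Caches/pkg"',
]

LINE_RE = re.compile(r'ts=(?P<ts>\S+)\s+ppath="(?P<ppath>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"')

def strips_quarantine(cmd: str) -> bool:
    """True if the command removes com.apple.quarantine with xattr: either the
    targeted -d form (also combined, e.g. -rd) or -c, which clears all attributes."""
    argv = shlex.split(cmd)
    if not argv or os.path.basename(argv[0]) != "xattr":
        return False
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-"))
    if "c" in flags:
        return True
    return "d" in flags and "com.apple.quarantine" in argv[1:]

@dataclass
class Finding:
    ts: str
    severity: str
    cmd: str

def triage(events):
    """Flag quarantine stripping. Rate it high when the parent runs from a mounted
    disk image (a path under /Volumes/), matching the DMG-delivered dropper described
    above; rate it low otherwise (often a user clearing the attribute from Terminal)."""
    findings = []
    for line in events:
        m = LINE_RE.match(line)
        if not m or not strips_quarantine(m["cmd"]):
            continue
        severity = "high" if m["ppath"].startswith("/Volumes/") else "low"
        findings.append(Finding(m["ts"], severity, m["cmd"]))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields three findings: the two removals initiated from the mounted image rate high, the Terminal-initiated `xattr -c` rates low, and the listing and non-quarantine attribute deletion are ignored.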

Another notable evasion mechanism used in this campaign is an unusually large DMG file, inflated to 25.5 MB by embedding unrelated PDF documents. This tactic can make it harder for security tools to detect and block the malware.

The Base64-encoded payload, once parsed, corresponds to MacSync, a rebranded version of Mac.c that was first observed in April 2025. MacSync comes fitted with a fully-featured Go-based agent that offers capabilities beyond simple data theft, including remote command and control functionality.

It is worth noting that similar tactics have been employed by attackers in the past, such as delivering malware through code-signed versions of malicious DMG files mimicking Google Meet. However, the latest MacSync variant uses a more sophisticated approach to bypass security controls and evade detection.

The shift in distribution methods reflects a broader trend across the macOS malware landscape, where attackers are increasingly attempting to sneak their malware into executables that are signed and notarized, making it harder for security tools to detect them.

According to Jamf researcher Thijs Xhaflaire, "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach." This highlights the evolving tactics used by attackers in the macOS malware landscape and the need for security professionals to stay vigilant and adapt their defenses accordingly.

The fact that Apple has since revoked the code signing certificate of the malicious DMG file underscores the importance of regular updates and vigilance in maintaining the security posture of Mac users. It also serves as a reminder to security professionals to closely monitor emerging threats and adjust their strategies to counter them effectively.

In conclusion, the latest MacSync variant represents a significant threat to Mac users' privacy and security. Its use of digitally signed and notarized malicious code makes it harder for security controls to detect and block. As such, it is essential for security professionals to stay informed about emerging threats like this and to take proactive measures to protect their users from these types of attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-MacSync-macOS-Stealer-Uses-Signed-App-to-Bypass-Apple-Gatekeeper-A-Threat-to-Mac-Users-Privacy-ehn.shtml
  • https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html

Published: Wed Dec 24 15:23:57 2025 by llama3.2 3B Q4_K_M