Cybersecurity researchers have found a brand new variant of a macOS info stealer known as MacSync that is delivered via a digitally signed, notarized Swift software masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks.
“In contrast to earlier MacSync Stealer variants that primarily depend on drag-to-terminal or ClickFix-style methods, this pattern adopts a extra misleading, hands-off strategy,” Jamf researcher Thijs Xhaflaire mentioned.
The Apple system administration agency and safety firm mentioned the newest model is distributed as a code-signed and notarized Swift software inside a disk picture (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that is hosted on “zkcall[.]internet/obtain.”
The truth that it is signed and notarized means it may be run with out being blocked or flagged by built-in safety controls like Gatekeeper or XProtect. Regardless of this, the installer has been discovered to show directions prompting customers to right-click and open the app – a standard tactic used to sidestep such safeguards. Apple has since revoked the code signing certificates.
The Swift-based dropper then performs a collection of checks earlier than downloading and executing an encoded script by means of a helper element. This consists of verifying web connectivity, imposing a minimal execution interval of round 3600 seconds to implement a price restrict, and eradicating quarantine attributes and validating the file previous to execution.
“Notably, the curl command used to retrieve the payload reveals clear deviations from earlier variants,” Xhaflaire defined. “Slightly than utilizing the generally seen -fsSL mixture, the flags have been cut up into -fL and -sS, and extra choices like –noproxy have been launched.”
“These adjustments, together with using dynamically populated variables, level to a deliberate shift in how the payload is fetched and validated, probably geared toward enhancing reliability or evading detection.”
One other evasion mechanism used within the marketing campaign is using an unusually giant DMG file, inflating its dimension to 25.5 MB by embedding unrelated PDF paperwork.
The Base64-encoded payload, as soon as parsed, corresponds to MacSync, a rebranded model of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes past easy information theft and permits distant command and management capabilities.
It is price noting that code-signed variations of malicious DMG information mimicking Google Meet have additionally been noticed in assaults propagating different macOS stealers like Odyssey. That mentioned, risk actors have continued to depend on unsigned disk photos to ship DigitStealer as lately as final month.
“This shift in distribution displays a broader development throughout the macOS malware panorama, the place attackers more and more try and sneak their malware into executables which are signed and notarized, permitting them to look extra like official functions,” Jamf mentioned.
