macOS is no longer a niche target for cybercriminals. The latest example is an updated variant of the MacSync stealer, now delivered inside a fully signed and Apple-notarized Swift application. By abusing Apple’s trust mechanisms, the malware convincingly masquerades as legitimate software and significantly increases the likelihood of successful compromise.
Signed Swift installer as a delivery vector for MacSync
Researchers at Jamf identified a new MacSync sample embedded in the disk image zk-call-messenger-installer-3.9.2-lts.dmg, distributed via zkcall[.]net/download. Inside the DMG, users are presented with a Swift-based application that behaves like a standard installer for a messaging client, removing the need for obvious red flags such as Terminal commands or suspicious shell scripts.
At the time of analysis, the application carried a valid code-signing certificate and successfully passed Apple Gatekeeper checks. Jamf confirmed that the Mach-O binary was both signed and notarized by Apple, with the signature tied to Developer Team ID GNJLS3UYZ4. Following disclosure, this certificate was revoked, yet the incident clearly illustrates how attackers increasingly exploit Apple’s developer infrastructure to distribute malware.
Evading detection: how the new MacSync variant operates on macOS
The infection begins with a dropper that contains an encoded payload. Once the payload is decoded, it exposes the characteristic functions and artifacts analysts associate with the MacSync family. The stealer is implemented as a native Mach-O binary, which allows tight integration with macOS, reduces reliance on external scripts, and limits traditional signature-based detection opportunities.
To evade security tools, the new MacSync version leverages multiple techniques. The DMG size is artificially inflated to roughly 25.5 MB by bundling decoy PDF documents, complicating static analysis and concealing the real malicious content. During execution, the malware removes intermediate helper scripts used in its launch chain, making forensic reconstruction of the attack flow significantly harder.
In addition, MacSync checks for an active internet connection before activating its main functionality. This behavior helps the stealer avoid execution in isolated analysis environments, such as automated sandboxes without network access, which many security vendors use to detect new threats.
MacSync in the growing ecosystem of macOS stealers
The MacSync family was first documented in April 2025 under the name Mac.C and attributed to a developer operating under the alias Mentalpositive. By July, it had become a recognized commodity on underground markets, positioned alongside other macOS stealers such as AMOS and Odyssey.
This trend aligns with broader industry observations: as macOS adoption grows in enterprise environments, attackers increasingly focus on Apple platforms. Security reports from multiple vendors have highlighted year‑over‑year growth in macOS-targeted malware, particularly infostealers and adware, reflecting the high resale value of corporate credentials and crypto assets on illicit marketplaces.
What data the MacSync stealer targets on macOS
Research by MacPaw Moonlock on the Mac.C variant shows that MacSync is designed to exfiltrate a wide range of sensitive information from compromised systems. The stealer specifically targets:
• iCloud Keychain credentials and other items stored in the macOS keychain.
• Saved passwords, cookies, and autofill data from popular web browsers.
• System metadata, including device details, macOS version, installed applications, and user environment information.
• Data from cryptocurrency wallets and related desktop applications.
• Selected files from the local file system, potentially including documents and exports of password vaults.
Combining these data points enables a wide spectrum of secondary attacks, from full account takeover and financial fraud to targeted phishing and long‑term espionage against individuals and organizations.
Why Apple code signing and notarization are no longer sufficient
The use of a signed and notarized application to distribute MacSync underlines an important shift: Apple’s trust mechanisms, including developer certificates and notarization, are increasingly being abused. Many users and some corporate policies still implicitly trust the notion that “if it passes Gatekeeper, it is safe”. In practice, developer certificates may be stolen, bought on underground forums, or registered using fraudulent identities.
Once attackers obtain such certificates, they can distribute malware that appears indistinguishable from legitimate software at the operating system level. Revocation is reactive and often occurs only after successful campaigns and user compromise, leaving a significant exposure window.
Practical recommendations to protect macOS from stealers
First, Gatekeeper checks and a valid digital signature should be treated as one security signal, not a guarantee. Organizations should keep macOS and built‑in security controls updated, but also deploy reputable EDR and anti‑malware solutions capable of behavior‑based detection, especially for infostealers.
Second, users should download software primarily from the Mac App Store or well‑established official vendor websites. Verifying domain names, watching for typosquatting, and checking file hashes against vendor‑published values are effective ways to avoid trojanized installers such as the fake zk-call messenger package.
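The following triage helper is an added example, not code from Jamf or from the article: it records the Gatekeeper and notarization result as one signal, then requires the Developer Team ID to be on an allowlist and the DMG hash to match the vendor-published value before accepting an installer. The `codesign -dv --verbose=4` and `spctl -a -vv` output below is constructed to resemble the trojanized installer; only the Team ID GNJLS3UYZ4 comes from the article, while the allowlist entry, volume path and developer name are placeholders.

```python
import hashlib
import re

# Placeholder allowlist: the Developer Team IDs of vendors you actually deploy.
ALLOWED_TEAM_IDS = {"ABCDE12345"}

def parse_codesign(output: str) -> dict:
    """Extract the Team ID, signing chain and hardened-runtime flag from
    `codesign -dv --verbose=4` text (codesign prints it to stderr)."""
    team = re.search(r"^TeamIdentifier=(\S+)", output, re.M)
    return {"team_id": team.group(1) if team else None,
            "authority": re.findall(r"^Authority=(.+)$", output, re.M),
            "hardened_runtime": "(runtime)" in output}

def parse_spctl(output: str) -> dict:
    """Read the Gatekeeper verdict and assessment source from `spctl -a -vv` text."""
    return {"accepted": ": accepted" in output,
            "notarized": "source=Notarized Developer ID" in output}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(codesign_out, spctl_out, dmg_bytes, vendor_sha256, allowed=ALLOWED_TEAM_IDS):
    """Combine the signals: Gatekeeper acceptance is recorded but never sufficient;
    the Team ID must be allowlisted and the hash must match the vendor's value."""
    cs, gk = parse_codesign(codesign_out), parse_spctl(spctl_out)
    reasons = []
    if not gk["accepted"]:
        reasons.append("gatekeeper rejected")
    if cs["team_id"] not in allowed:
        reasons.append(f"team id {cs['team_id']} not allowlisted")
    if sha256_hex(dmg_bytes) != vendor_sha256.lower():
        reasons.append("hash does not match vendor-published value")
    return {"verdict": "block" if reasons else "allow",
            "signed_and_notarized": gk["accepted"] and gk["notarized"],
            "team_id": cs["team_id"], "reasons": reasons}

# Constructed sample output modelled on the trojanized installer: the Team ID is
# the one reported by Jamf; the path and developer name are made up.
SAMPLE_CODESIGN = """Executable=/Volumes/zk-call-messenger/Installer.app/Contents/MacOS/Installer
CodeDirectory v=20500 size=1532 flags=0x10000(runtime) hashes=40+7 location=embedded
Authority=Developer ID Application: Example Developer (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""
SAMPLE_SPCTL = ("/Volumes/zk-call-messenger/Installer.app: accepted\n"
                "source=Notarized Developer ID\n"
                "origin=Developer ID Application: Example Developer (GNJLS3UYZ4)\n")
```

Run on the sample, the installer is signed, notarized and accepted by Gatekeeper, yet is blocked because its Team ID is not on the allowlist; swapping in the real tool output and the downloaded DMG bytes gives the same verdict logic for a live check.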
Third, follow the principle of least privilege on macOS. Avoid granting unnecessary access to the file system, password managers, or crypto wallets. Pay close attention to prompts requesting access to Keychain, accessibility features, screen recording, or full disk access, and deny them for applications that do not clearly require such permissions.
For organizations, structured security awareness training, application control policies, and continuous monitoring of endpoint activity are essential. As MacSync demonstrates, relying solely on Apple’s brand and notarization processes is no longer adequate. A layered defense strategy—combining technical controls, cautious user behavior, and ongoing threat intelligence—is critical to reducing the risk of password theft, iCloud Keychain compromise, and loss of financial assets on macOS.