New MacSync malware dropper evades macOS Gatekeeper checks

The latest variant of the MacSync information stealer targeting macOS systems is delivered through a digitally signed, notarized Swift application.

Security researchers at Apple device management platform Jamf say that the distribution method constitutes a significant evolution from past iterations that used less sophisticated “drag-to-Terminal” or ClickFix tactics.

“Delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via https://zkcall.net/download, it removes the need for any direct terminal interaction,” the researchers say in a report today.

At the time of the analysis, Jamf says that the latest MacSync variant had a valid signature and could bypass checks from Gatekeeper, the security system in macOS.

“After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code-signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4,” Jamf explains.

However, following a direct report of the certificate to Apple, it has now been revoked.

The malware is delivered on the system through a dropper in encoded form. After decoding the payload, researchers discovered the usual signs of the MacSync Stealer.

The researchers noted that the stealer features several evasion mechanisms, including inflating the DMG file to 25.5MB by embedding decoy PDFs, wiping the scripts used in the execution chain, and performing internet connectivity checks before execution to evade sandboxed environments.

The stealer emerged in April 2025 as Mac.C by a threat actor named ‘Mentalpositive’. It gained traction by July, joining the less crowded but still profitable space of macOS stealers alongside AMOS and Odyssey.

A previous analysis of Mac.C by MacPaw Moonlock indicates that it can steal iCloud keychain credentials, passwords stored on web browsers, system metadata, cryptocurrency wallet data, and files from the filesystem.

Interestingly, in an interview that Mentalpositive gave to researcher g0njxa in September, the malware author stated that the introduction of a tighter app notarization policy in macOS 10.14.5 and later had the strongest influence on their development plans, which is reflected in the latest versions caught in the wild.