New MacSync Stealer Malware Attacking macOS Users Using Digitally Signed Apps


A new version of MacSync Stealer malware is targeting macOS users through digitally signed and notarized applications, marking a major shift in how this threat is delivered.

Unlike older versions that required users to paste commands into Terminal, this updated variant operates silently in the background.

The malware is disguised as a legitimate installer and distributed through a fake website as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg.

Once installed, it downloads and runs a hidden script that steals sensitive information from the victim’s computer.

The malware is packaged as a Swift application and signed with Apple’s Developer Team ID GNJLS3UYZ4, which allows it to bypass initial security warnings that macOS usually shows for untrusted software.

Installer details showing notarization (Source - Jamf)

At the time researchers found it, Apple had not yet revoked the certificate, meaning the malware could install without triggering alerts. The disk image file is unusually large at 25.5MB because it contains fake PDF files related to LibreOffice to make it look more legitimate.


When uploaded to VirusTotal, some antivirus engines detected it as a generic downloader linked to coins or ooiid malware families.

Jamf analysts identified this malware while checking their detection systems for unusual activity. They noticed the malware did not follow the typical patterns seen in earlier MacSync campaigns, which usually relied on drag-to-terminal or ClickFix techniques.

Obfuscated payload (Source - Jamf)

This new approach removes the need for user interaction with Terminal, making it much harder for victims to realize they are being attacked.

After confirming the threat, Jamf Threat Labs reported the malicious Developer Team ID to Apple, and the certificate has since been revoked.

Swift-Based Execution and Payload Delivery

The malware uses a Swift-built helper program called runtimectl that handles the entire infection process. When the program starts, it checks if the computer has an internet connection using the checkInternet() function.

Checking for internet access (Source - Jamf)

If connected, it proceeds to download the second-stage payload from hxxps://gatemaden[.]space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6 using a curl command.

The script is saved to /tmp/runner and then checked to make sure it is a valid shell script by running /usr/bin/file --mime-type -b to confirm it matches text/x-shellscript.

HTTP request (Source - Jamf)

Before running the payload, the malware removes the com.apple.quarantine flag using removeQuarantine(at:) and sets file permissions to 750 to make it executable.

It also creates log files at ~/Library/Logs/UserSyncWorker.log and tracking files in ~/Library/Application Support/UserSyncWorker/ to record activity and prevent the malware from running too frequently.

A rate-limiting mechanism ensures the malware only executes once every 3600 seconds.

After the script runs, the /tmp/runner file is deleted to remove traces from the system, and the malware connects to focusgroovy[.]com to download additional payloads and communicate with its command-and-control server.
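The on-host artifacts listed above (the log file, the tracking directory under Application Support, the /tmp/runner staging file) and the signing Team ID named earlier in the article give a defender something concrete to hunt for. The script below is an added example, not Jamf's tooling or anything from the malware: it checks a home directory and a temp directory for those paths and parses the TeamIdentifier line that `codesign -dvv` prints to stderr, flagging the revoked ID from the article. The constructed test tree built by `demo_scan()` is an assumption for offline use; the indicator paths and Team ID are taken from the article.

```python
"""Hunt for the MacSync Stealer artifacts described in the Jamf write-up.

Added example for defenders. Indicator values come from the article;
the directory layout is parameterised so the same checks run against a
constructed test tree on any platform, and against a real home on macOS.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Indicators taken from the article.
REVOKED_TEAM_ID = "GNJLS3UYZ4"
HOME_RELATIVE_ARTIFACTS = [
    "Library/Logs/UserSyncWorker.log",             # activity log
    "Library/Application Support/UserSyncWorker",  # tracking files / rate limit
]
STAGING_NAME = "runner"                            # /tmp/runner (deleted after use)


def find_artifacts(home: Path, tmp_dir: Path = Path("/tmp")) -> list:
    """Return every article-listed artifact path that exists under home/tmp_dir."""
    hits = [str(home / rel) for rel in HOME_RELATIVE_ARTIFACTS if (home / rel).exists()]
    staging = tmp_dir / STAGING_NAME
    if staging.exists():
        hits.append(str(staging))
    return hits


# `codesign -dvv <bundle>` writes lines such as "TeamIdentifier=GNJLS3UYZ4" to stderr.
TEAM_ID_RE = re.compile(r"^TeamIdentifier=(\S+)$", re.MULTILINE)


def team_id_from_codesign(output: str):
    """Extract the TeamIdentifier value from codesign's verbose output, or None."""
    m = TEAM_ID_RE.search(output)
    return m.group(1) if m else None


def is_revoked_signer(output: str) -> bool:
    """True when the signature belongs to the Team ID the article reports as revoked."""
    return team_id_from_codesign(output) == REVOKED_TEAM_ID


def codesign_output(bundle_path: str) -> str:
    """Run codesign on a real bundle (macOS only) and return its stderr text."""
    res = subprocess.run(["codesign", "-dvv", bundle_path],
                         capture_output=True, text=True)
    return res.stderr


def demo_scan() -> list:
    """Build a constructed tree containing all three artifacts and scan it.

    Returns the sorted basenames of the hits so the result is path-independent.
    """
    with tempfile.TemporaryDirectory() as base:
        home = Path(base) / "home"
        tmp_dir = Path(base) / "tmp"
        (home / "Library/Logs").mkdir(parents=True)
        (home / "Library/Logs/UserSyncWorker.log").write_text("constructed\n")
        (home / "Library/Application Support/UserSyncWorker").mkdir(parents=True)
        tmp_dir.mkdir()
        (tmp_dir / STAGING_NAME).write_text("#!/bin/sh\n# constructed placeholder\n")
        return sorted(Path(p).name for p in find_artifacts(home, tmp_dir))


if __name__ == "__main__":
    # Real-host usage: python3 hunt.py  (scan the current user's home and /tmp)
    print("artifacts:", find_artifacts(Path.home()))
    print("demo:", demo_scan())
```

`find_artifacts(Path.home())` is the call to run on a live Mac; pair it with `is_revoked_signer(codesign_output("/Applications/Suspect.app"))` to check a bundle's signer. Because the malware deletes /tmp/runner after execution, absence of that file proves nothing; the log file and tracking directory are the more durable indicators.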
