CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Malware & Threats

MacSync macOS Malware Distributed via Signed Swift Application

A recent MacSync Stealer version no longer requires users to directly interact with the terminal for execution. The post MacSync macOS Malware Distributed via Signed Swift Application appeared first on SecurityWeek.

macOS malware

The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports.

The MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025.

Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat.

In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities through a fully-featured Go-based agent.

Similar to most macOS infostealers, it relied on social engineering techniques, such as ClickFix, to trick users into executing malicious scripts, leading to infection.

A recently observed sample, however, eliminates this step, taking a more direct, hands-off approach, Jamf says.

The stealer’s operators packed the malware’s dropper as a code-signed and notarized Swift application inside a disk image masquerading as a zk-Call messenger installer.

“The dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable,” Jamf explains.

The same distribution technique, the cybersecurity firm notes, has been adopted by the Odyssey infostealer family as well.

Analysis of MacSync Stealer’s new infection chain revealed a layered, evasive dropper routine focused on stealth and persistence, which includes environmental checks, network requests, Gatekeeper evasion, and validation.

MacSync Stealer started appearing in detections in mid-2025, but infected hundreds of machines relatively fast.

“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf notes.

Related: ClickFix Attacks Against macOS Users Evolving

Related: Apple Updates iOS and macOS to Prevent Malicious Font Attacks

Related: New XCSSET macOS Malware Variant Hijacks Cryptocurrency Transactions

Related: Widespread Infostealer Campaign Targeting macOS Users

Latest News

CYBERNEWSMEDIAPublisher