MacSync Stealer shifts to signed Swift dropper, removing need for terminal commands

According to Jamf's analysis, the operators of MacSync Stealer have updated their delivery chain to use a code-signed, notarized Swift application packaged inside a disk image. The change eliminates the need for victims to run commands in Terminal and has enabled rapid infections since mid-2025.

KEY FACTS

  • Malware: MacSync Stealer is a rebrand of Mac.c, first seen in April 2025
  • Delivery: dropper packaged as a code-signed, notarized Swift app inside a disk image
  • Behavior: retrieves an encoded script and executes it via a Swift helper executable
  • Capabilities: information stealer plus a Go-based backdoor agent
  • Impact: detections began mid-2025 and hundreds of machines were infected quickly

The malware originated as Mac.c and was expanded and rebranded roughly six months ago. After a new developer acquired it, added features raised its prominence in macOS theft campaigns.

The new installer technique hides the dropper in a disk image that mimics a zk-Call messenger installer. The dropper fetches an encoded script from a remote server and runs it through a Swift-built helper, removing the earlier requirement that the victim execute commands in Terminal.

The delivery routine is layered and evasive, with environmental checks, network requests, Gatekeeper evasion steps, validation routines, and persistence mechanisms. The report also notes the same signed executable distribution approach has been adopted by other infostealer families.

Functionally, the malware combines classic information-stealing behavior with backdoor functionality provided by a Go-based agent. That combination enables exfiltration of data and potential remote control of infected hosts.

Prior campaigns used social engineering techniques such as ClickFix to trick users into running scripts. The updated chain removes that interactive step and increases the chance that users will run a seemingly legitimate, signed installer.

WHY IT MATTERS

Signed and notarized binaries look legitimate and can bypass both user caution and automated checks that treat notarization as a trust signal. That trend raises the risk to macOS users and administrators because it lowers the bar for large-scale compromise.