Current Cyber Threats

From ClickFix to Code Signed: The Quiet Shift of Macsync Stealer Malware

Summary:
Jamf Threat Labs identified a new MacSync Stealer variant targeting macOS that is delivered through a digitally signed and notarized Swift application, marking an evolution in how the malware is distributed. Unlike previous campaigns that relied on drag-to-Terminal or ClickFix-style user interaction, the malware is now packaged inside a disk image called zk-call-messenger-installer-3.9.2-lts[.]dmg and distributed via a legitimate-looking website, removing the need for any direct terminal use. Upon inspection, researchers confirmed that the application’s Mach-O binary is a universal build that carries a valid Apple developer signature (Developer Team ID GNJLS3UYZ4) and is capable of bypassing macOS Gatekeeper checks. Once installed, the signed application acts as a dropper, retrieving and decoding an embedded payload, which in this case is the MacSync stealer.

Security Officer Comments:
While the updated distribution method allows MacSync stealer to blend in as a trusted macOS application, it’s also important to look at the malware’s post-exploitation behavior. According to researchers, the stealer’s execution logic has become quieter and more controlled. Before fully executing, the malware will verify internet connectivity and enforce execution limits to prevent repeated or abnormal behavior that could be flagged by security tools. It also deletes temporary files and scripts during the infection process to reduce visible indicators of compromise. By automating the cleanup of its own footprint and restricting its activity to specific intervals, the malware successfully minimizes its forensic profile.

Suggested Corrections:
To prevent potential MacSync infections, organizations should train their staff to refrain from installing software from untrusted sources, keep systems and security software up to date, and enforce strict application whitelisting.

IOCs that can be used for detection are provided in Jamf's blog post.
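As an added triage check (example code, not from the Jamf report), the snippet below parses the key=value lines that `codesign -dvvv <App.app>` prints for a bundle and flags the Developer Team ID quoted in the summary; the sample output, bundle identifier and developer name are constructed placeholders, and the blocklist is assumed to be populated from the report's IOCs.

```python
from typing import Any, Dict, List, Optional

# Team ID quoted in the Jamf report for the signed MacSync dropper. In a real
# deployment this set would be loaded from the published IOC list, not hard-coded.
KNOWN_BAD_TEAM_IDS = {"GNJLS3UYZ4"}

# Constructed sample in the format `codesign -dvvv /path/App.app` prints (to stderr).
# Path, Identifier and developer name are placeholders; the Team ID is from the report.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/PLACEHOLDER/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""

def parse_codesign_output(text: str) -> Dict[str, Any]:
    """Turn codesign's key=value lines into a dict; Authority lines repeat, so collect them."""
    info: Dict[str, Any] = {"authorities": []}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.split()[0]  # "CodeDirectory v=..." -> "CodeDirectory"
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info

def assess_signature(text: str) -> Dict[str, Any]:
    """Classify a signed app: a valid Developer ID chain is not a trust signal on its own."""
    info = parse_codesign_output(text)
    authorities: List[str] = info["authorities"]
    team_id: Optional[str] = info.get("TeamIdentifier")
    return {
        "team_id": team_id,
        "developer_id_signed": any(a.startswith("Developer ID Application:") for a in authorities),
        "hardened_runtime": "(runtime)" in str(info.get("CodeDirectory", "")),
        "universal_binary": "universal" in str(info.get("Format", "")),
        "blocklisted": team_id in KNOWN_BAD_TEAM_IDS,
    }

if __name__ == "__main__":
    print(assess_signature(SAMPLE_CODESIGN_OUTPUT))
```

On a Mac the real input is produced with `codesign -dvvv "/path/App.app" 2>&1`; a blocklisted Team ID is a hard flag regardless of how clean the rest of the signature looks.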

Link(s):
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/