EXECUTIVE SUMMARY:
A new variant of the MacSync Stealer malware targeting macOS has changed its delivery technique to evade Apple's built-in security defenses. The threat actors behind this campaign disguise the malware as an apparently legitimate macOS application, using digitally signed and notarized binaries to get past Gatekeeper and other native protections. Because the application looks trustworthy both to users and to the operating system, the barrier to execution is significantly lower and the risk of compromise correspondingly higher.
The malware is now encapsulated within a signed and notarized Swift application packaged inside a disk image that masquerades as an installer for a mainstream messaging platform. Because it carries a valid Apple Developer certificate and notarization approval, macOS treats the binary as trusted software and will allow it to execute without invoking prominent security prompts or requiring manual overrides. Upon launch, the dropper retrieves and executes an encoded payload from a remote server, often performing environmental checks such as internet connectivity validation to evade analysis environments. The inflated size of the disk image and decoy content are designed to mimic legitimate installers, further disguising malicious intent. Once resident, the stealer can install backdoors, harvest sensitive user data including keychain credentials, browser-stored passwords, and cryptocurrency wallet information, and quietly exfiltrate findings to attacker-controlled infrastructure. Apple has revoked the associated signing certificate after discovery, though such revocations are reactive and do not undo infections that occurred prior to revocation.
This macOS stealer exemplifies a growing trend in which threat actors weaponize legitimate code-signing and notarization processes to bypass platform defenses, making malware deployment more seamless and less conspicuous to users. The use of trusted installer appearances emphasizes the need for heightened vigilance when downloading software from outside official app marketplaces and underscores the importance of supplementary security controls that analyze runtime behavior rather than relying solely on initial trust signals such as a valid signature or notarization. It is advised to scrutinize unsolicited downloads, verify sources, and employ robust endpoint protection to detect and mitigate such threats.
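The following is an added example, not code from the original report or from any vendor, showing what a behavior-based control of the kind recommended above might look like for the delivery chain described in the summary (app launched from a mounted disk image, connectivity check, payload fetch, payload handed to a shell, credential store read). It deliberately ignores signature, notarization and Gatekeeper state, so a valid Developer ID does not suppress the alert. The event schema, field names, host names, the wallet path and every sample event are constructed for illustration; a real deployment maps the same correlation onto the endpoint agent's own process, network and file telemetry.

```python
"""Behavioral detection sketch for the DMG-dropper chain described above.

Added example, not code from the original report. The event schema, host
names, the wallet path and all sample events are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# An executable that lives inside a .app bundle on a mounted disk image.
APP_ON_DMG = re.compile(r"^/Volumes/[^/]+/.*\.app/Contents/MacOS/")

# Interpreters a dropper typically hands a fetched, decoded payload to.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}

# Path fragments for the stores the summary says the stealer harvests
# (keychain, browser-stored passwords, wallet data). The wallet entry is a
# constructed placeholder, not a known indicator.
CREDENTIAL_STORES = (
    "/Library/Keychains/",
    "/Library/Application Support/Google/Chrome/",
    "/Library/Application Support/Firefox/Profiles/",
    "/Library/Application Support/ExampleWallet/",
)


@dataclass(frozen=True)
class Event:
    ts: int         # monotonically increasing event time (constructed)
    kind: str       # "exec", "net" or "file"
    pid: int
    ppid: int
    path: str = ""  # executable path for exec, file path for file
    dest: str = ""  # remote host for net


def classify(ev: Event):
    """Map one event onto the stage of the described chain it matches, or None."""
    if ev.kind == "exec" and APP_ON_DMG.match(ev.path):
        return "launch_from_dmg"
    if ev.kind == "exec" and ev.path in INTERPRETERS:
        return "interpreter"
    if ev.kind == "net":
        return "network"
    if ev.kind == "file" and any(frag in ev.path for frag in CREDENTIAL_STORES):
        return "credential_read"
    return None


def detect(events, min_distinct_stages=3):
    """Correlate events per process tree rooted at an app launched from a DMG.

    Only trees whose root was launched from /Volumes are tracked; a tree is
    reported when it reaches at least min_distinct_stages distinct stages.
    A benign DMG-installed app that merely phones home reaches two stages
    (launch_from_dmg, network) and is therefore not flagged.
    """
    root_of = {}                    # pid -> pid of the DMG-launched ancestor
    stages = defaultdict(list)      # root pid -> stages in time order
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage == "launch_from_dmg":
            root_of[ev.pid] = ev.pid
        elif ev.kind == "exec" and ev.ppid in root_of:
            root_of[ev.pid] = root_of[ev.ppid]   # child of a tracked process
        root = root_of.get(ev.pid)
        if root is not None and stage is not None:
            stages[root].append(stage)
    findings = []
    for root, seen in stages.items():
        if len(set(seen)) >= min_distinct_stages:
            findings.append({"root_pid": root, "stages": seen})
    return findings


# Constructed telemetry: one benign install that only checks for updates,
# and one tree matching the described chain (launch from DMG, connectivity
# check, payload fetch, shell spawned, keychain read by the shell).
SAMPLE_EVENTS = [
    Event(1, "exec", 500, 1, path="/Volumes/Editor/Editor.app/Contents/MacOS/Editor"),
    Event(2, "net", 500, 1, dest="updates.editor.invalid"),
    Event(10, "exec", 700, 1, path="/Volumes/ChatApp Installer/ChatApp.app/Contents/MacOS/ChatApp"),
    Event(11, "net", 700, 1, dest="connectivity-check.invalid"),
    Event(12, "net", 700, 1, dest="payload-host.invalid"),
    Event(13, "exec", 701, 700, path="/bin/zsh"),
    Event(14, "file", 701, 700, path="/Users/alice/Library/Keychains/login.keychain-db"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"root pid {f['root_pid']}: {' -> '.join(f['stages'])}")
```

Running the block reports only the second tree (root pid 700) with the stage sequence launch_from_dmg, network, network, interpreter, credential_read; the benign editor install is silent. Raising `min_distinct_stages` trades recall for fewer alerts, and the stage list itself is the record an analyst would pivot from.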
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1106 | Native API | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1555.001 | Credentials from Password Stores | Keychain |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1083 | File and Directory Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1056 | Input Capture |
| Collection | F0002 | Keylogging |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Discovery | E1083 | File and Directory Discovery |
| Execution | B0011 | Remote Commands |
| Exfiltration | E1020 | Automated Exfiltration |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: