A sophisticated new variant of the MacSync macOS information stealer has been uncovered that bypasses Apple’s built-in security protections by exploiting legitimate code-signing and notarization processes. According to researchers at Jamf Threat Labs, this updated malware dropper is delivered in a digitally signed, notarized Swift application that looks like a harmless installer — enabling it to evade macOS Gatekeeper and silently deploy malicious payloads on victim systems.

MacSync is part of a growing trend in macOS malware, where attackers increasingly leverage Apple’s trust mechanisms — such as valid Developer ID signatures and notarization — to make malicious software appear legitimate and bypass security checks. The latest variant represents a significant escalation in stealth, evasion, and distribution sophistication compared to earlier iterations.

What Is the New MacSync Stealer Variant?

The new MacSync stealer variant is notable for how it circumvents multiple layers of macOS defense without requiring traditional social-engineering tricks like dragging files into Terminal or persuading users to run unfamiliar commands. Instead, the malware is packaged as a Swift-based installer, cryptographically code-signed and notarized by Apple, allowing it to launch without triggering Gatekeeper warnings — the system that normally blocks untrusted software.

Specifically, the malicious disk image (DMG) file is named zk-call-messenger-installer-3.9.2-lts.dmg and is hosted on a site such as zkcall[.]net/download. Within the DMG, users are presented with an application that appears to be a legitimate messaging client installer. Because the binary is signed and notarized, macOS treats it as approved software and allows it to run with minimal prompts.

Once executed, the dropper performs a series of background checks — including internet connectivity and execution timing — before downloading and executing an encoded malicious script from remote infrastructure. This script subsequently installs the MacSync stealer payload, enabling it to harvest sensitive data and potentially provide remote command and control capabilities.

How the MacSync Stealer Bypasses Gatekeeper

Gatekeeper is a core macOS security feature that checks whether applications are code-signed with a trusted Developer ID and notarized by Apple before allowing them to run. Historically, malware targeting Macs had to rely on tricking users into bypassing Gatekeeper by manually approving untrusted software or entering commands in Terminal.

However, by packaging the malicious dropper inside a legitimate Apple-notarized application, attackers have found a way to abuse this trust model:

  • Code Signing and Notarization: The installer carries a valid Developer Team ID (in this case, GNJLS3UYZ4), making it appear bona fide to Gatekeeper.
  • Dynamic Payload Retrieval: The initial signed app does not contain overt malware. Instead, it fetches the actual malicious code at runtime, a tactic that may evade static analysis during the notarization process.
  • No Terminal Actions Needed: Unlike older methods that required users to drop files or enter commands, this version allows victims to simply double-click the installer, dramatically increasing the likelihood of infection.

By abusing Apple’s trust infrastructure, the malware reduces the friction for successful compromise and sidesteps key macOS protections that normally block unsigned or untrusted software.
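The checks a defender would run on a downloaded bundle before trusting it, as an added example rather than code from Jamf Threat Labs or this article: the script wraps codesign and spctl (the macOS tools Gatekeeper's verdict rests on), parses their output, and compares the signing Team ID against a denylist seeded with the GNJLS3UYZ4 identifier named above. The sample codesign/spctl output embedded at the bottom is constructed for the demonstration; the bundle identifier, executable path and app name in it are assumptions, and only the Team ID comes from the report.

```python
"""Triage a downloaded macOS app bundle: parse codesign/spctl output and
check the signing Team ID against a denylist of abused identifiers.

Added example; not code from Jamf Threat Labs or the article. It assumes
the `codesign` and `spctl` tools shipped with macOS; the parsing functions
also work offline on captured output and are exercised on constructed
sample text below.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Team IDs known to have signed malicious droppers. GNJLS3UYZ4 is the one
# reported for this MacSync dropper; feed the rest from your own intel.
DENIED_TEAM_IDS = {"GNJLS3UYZ4"}


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)
    hardened_runtime: bool = False


def parse_codesign_output(text: str) -> SigningInfo:
    """Pull the relevant key=value lines out of `codesign -dv --verbose=4`."""
    info = SigningInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # e.g. "code object is not signed at all"
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
        elif key.startswith("CodeDirectory") and "runtime" in value:
            info.hardened_runtime = True  # flags=...(runtime)
    return info


def parse_spctl_output(text: str) -> dict:
    """Extract the Gatekeeper verdict and source from `spctl -a -vv -t exec`."""
    result = {"accepted": False, "source": ""}
    for line in text.splitlines():
        if re.search(r":\s*accepted\s*$", line):
            result["accepted"] = True
        elif line.startswith("source="):
            result["source"] = line[len("source="):].strip()
    return result


def assess(info: SigningInfo, gate: dict, denied=DENIED_TEAM_IDS) -> list:
    """Return a list of findings; empty means these static checks saw nothing.
    A clean result is not proof of safety: a notarized app can still fetch
    its payload at runtime, so behavioural monitoring is still required."""
    findings = []
    if info.team_id in denied:
        findings.append(f"team id {info.team_id} is on the denylist")
    if not info.team_id:
        findings.append("no Team ID: binary is unsigned or ad-hoc signed")
    if gate["accepted"] and "Notarized" not in gate["source"]:
        findings.append(f"accepted by Gatekeeper but not notarized ({gate['source']})")
    if not gate["accepted"]:
        findings.append("rejected by Gatekeeper assessment")
    return findings


def inspect_app(path: str) -> list:
    """Run the real tools (macOS only) and assess the combined result."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", "-t", "exec", path],
                        capture_output=True, text=True)
    # Both tools print their details to stderr; merge to be safe.
    return assess(parse_codesign_output(cs.stderr + cs.stdout),
                  parse_spctl_output(sp.stderr + sp.stdout))


# Constructed sample output in the codesign/spctl format. Only the Team ID is
# taken from the report; the app name, identifier and paths are made up.
SAMPLE_CODESIGN = """\
Executable=/Volumes/Installer/Messenger Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""
SAMPLE_SPCTL = """\
/Volumes/Installer/Messenger Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Developer (GNJLS3UYZ4)
"""

if __name__ == "__main__":
    print(assess(parse_codesign_output(SAMPLE_CODESIGN),
                 parse_spctl_output(SAMPLE_SPCTL)))
```

On a real Mac, `inspect_app("/Volumes/<mount>/<App>.app")` runs the same checks against a mounted disk image; note that the sample passes every Gatekeeper check and is caught only by the Team ID denylist, which is exactly why revocation and intel sharing matter.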

MacSync’s Infection Chain and Evasion Techniques

The MacSync dropper does more than just arrive on the system disguised as legitimate software. It adopts several evasion techniques to hide its true nature and complicate detection:

Inflated Disk Image

The malicious DMG is unusually large — around 25.5 MB — because it embeds decoy PDF files that serve no functional purpose. This technique may reduce suspicion and complicate quick inspection or automated analysis.

Runtime Checks

Before proceeding with execution, the dropper checks that the environment has internet connectivity and waits a configurable period (e.g., roughly 3600 seconds) before pulling the real payload. These delays and conditions can help avoid detection in sandboxed environments.

Gatekeeper Evasion

By using a notarized and signed Swift app, the malware evades Gatekeeper and Apple XProtect checks that would typically raise alarms for unsigned binaries.

Obscured Script Removal

After execution, the dropper removes intermediate helper scripts used in the launch process, making forensic reconstruction more difficult after the fact.

Once fully installed, MacSync behaves as an information stealer, designed to extract sensitive credentials, system details, browser data, cryptocurrency wallets, and other valuable artifacts from the victim’s Mac. The stealer has roots in earlier macOS threats like Mac.c and has been evolving since mid-2025.

Evolution of MacSync and the Broader Malware Trend

MacSync is not an isolated case — it reflects a broader trend in macOS malware, where attackers increasingly craft threats that leverage legitimate trust infrastructures to bypass protections. Historically, Mac threats relied on social engineering and user action to bypass security warnings. Now, as seen with MacSync’s signed and notarized installer, malware authors are creating more authentic-looking packages that glide through built-in defenses without triggering basic security mechanisms.

This trend is part of a macOS malware arms race, where attackers seek to outpace static defenses with dynamic, evasive, and legitimate-looking installers. Analysts note that the MacSync tactic may be reused in other campaigns and has been mirrored in threats like Odyssey and other infostealers that similarly use signed binaries to enhance stealth and deliver payloads.

Apple’s security ecosystem is designed around the assumption that notarization and code signing equate to benign intent. But as this case shows, attackers can obtain genuine certificates through compromised developer accounts or purchase them on underground markets, giving malicious applications the veneer of trust while harboring harmful payloads.

Apple’s Response and Certificate Revocation

Shortly after researchers reported the malicious Developer ID to Apple, the code-signing certificate used by this MacSync dropper was revoked. Copies of the binary signed with that certificate will no longer launch without triggering security warnings.

However, this reactive response highlights an important limitation: revoking certificates after discovery is necessary but not sufficient to stop the underlying threat. Attackers can quickly obtain new certificates or adjust their distribution strategy, leading to recurring risks.

What This Means for macOS Security

Gatekeeper Isn’t Invulnerable

Gatekeeper and Apple’s notarization checks remain crucial defenses, but this incident exposes a critical reality: valid signatures alone do not guarantee safety. If notarized applications fetch malicious code at runtime, static analysis during the notarization process may miss dangerous behavior entirely.

Dynamic Threat Detection Is Essential

For defenders, this evolution underscores the need for behavioral and runtime threat detection that goes beyond signature verification. Antivirus solutions must focus on suspicious actions — such as unauthorized script downloads, unauthorized network connections, and system changes — rather than simply trusting signed binaries.
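The kind of behavioural rule this section calls for, written against the evasion techniques described earlier (a long idle period before the payload fetch, a helper script executed from a temporary directory and then deleted), as an added example that is not code from Jamf Threat Labs or the article. The event records are a constructed, simplified telemetry format (timestamp, pid, ppid, kind, details) standing in for EDR or Endpoint Security output; the PIDs, paths and timestamps are made up, the Team ID and the defanged host come from the report, and the 600-second delay threshold is an assumption to tune for your environment.

```python
"""Behavioural detection over process, network and file events: flag a
signed installer launched from a mounted disk image that idles, then fetches
and runs a script from a temp directory, then deletes it.

Added example; not code from Jamf Threat Labs or the article. Event format,
PIDs, paths and timestamps are constructed; adapt the loader to your
telemetry source.
"""
from datetime import datetime

# Directories a legitimate installer rarely executes scripts from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Constructed telemetry modelled on the chain in the report: a notarized
# installer from a DMG waits about an hour, contacts the (defanged) download
# host, runs a helper script from /tmp via /bin/sh and removes it.
EVENTS = [
    {"ts": "2025-11-01T10:00:00", "pid": 501, "ppid": 1, "kind": "exec",
     "path": "/Volumes/zk-call-messenger-installer/Installer.app/Contents/MacOS/Installer",
     "team_id": "GNJLS3UYZ4"},
    {"ts": "2025-11-01T11:00:05", "pid": 501, "ppid": 1, "kind": "network",
     "host": "zkcall[.]net", "port": 443},
    {"ts": "2025-11-01T11:00:08", "pid": 502, "ppid": 501, "kind": "exec",
     "path": "/bin/sh", "args": ["/bin/sh", "/tmp/.helper.sh"]},
    {"ts": "2025-11-01T11:00:09", "pid": 502, "ppid": 501, "kind": "file_delete",
     "path": "/tmp/.helper.sh"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect(events: list, delay_threshold_s: int = 600) -> list:
    """Return one alert per process tree rooted in an app launched from
    /Volumes that shows at least two of: delayed first network contact,
    execution of a script from a temp directory, deletion of that script.
    The signature status of the root process is reported but never used to
    suppress the alert; that is the point of behavioural detection."""
    events = sorted(events, key=lambda e: e["ts"])
    execs = {e["pid"]: e for e in events if e["kind"] == "exec"}
    alerts = []
    for root in execs.values():
        # Roots: top-level processes launched from a mounted disk image.
        if not root["path"].startswith("/Volumes/") or root["ppid"] in execs:
            continue
        tree = {root["pid"]}
        indicators, scripts = [], set()
        seen_network = False
        t0 = parse_ts(root["ts"])
        for e in events:
            if e["kind"] == "exec" and e["ppid"] in tree:
                tree.add(e["pid"])          # grow the tree as children appear
            if e["pid"] not in tree or e is root:
                continue
            if e["kind"] == "network":
                if not seen_network:
                    seen_network = True
                    delay = (parse_ts(e["ts"]) - t0).total_seconds()
                    if delay >= delay_threshold_s:
                        indicators.append("delayed_network")
            elif e["kind"] == "exec":
                for arg in e.get("args", []):
                    if arg.startswith(SUSPICIOUS_DIRS):
                        scripts.add(arg)
                        indicators.append("temp_script_exec")
            elif e["kind"] == "file_delete" and e["path"] in scripts:
                indicators.append("script_self_delete")
        if len(indicators) >= 2:
            alerts.append({"root_pid": root["pid"],
                           "team_id": root.get("team_id", ""),
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rule deliberately ignores the Team ID when deciding whether to alert and only carries it along for the analyst, so a freshly issued certificate does not buy the dropper a pass; requiring two indicators keeps a signed app that merely checks for updates after a delay from firing on its own.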

Exercise Download Caution

Users should be extremely cautious when installing applications outside the Mac App Store or from unverified third-party sites. Even if Gatekeeper allows an application to run, that does not guarantee it is safe.

Best Practices to Reduce Risk

To minimize the threat posed by MacSync and similar malware, users and organizations should adopt layered security practices:

Download Software Only from Trusted Sources

Prefer apps from the Mac App Store or from vendor sites with a strong reputation and verifiable SSL certificates. Avoid downloading installers from unfamiliar domains or links shared in untrusted forums or emails.

Strengthen Endpoint Security

Deploy endpoint protection platforms with behavioral analytics that can detect post-execution malicious activity even in signed binaries.

Keep macOS Updated

Ensure your devices run the latest version of macOS, as Apple regularly updates Gatekeeper and XProtect with improved detection and blocklists.

Educate Users

Train users to scrutinize any installer that is requested outside of expected workflows and to be skeptical of unexpected software updates or downloads — even when they appear legitimate at first glance.

Final Thoughts: A New Era of macOS Malware

The MacSync macOS stealer’s new variant represents a significant leap in how attackers approach macOS malware deployment. By abusing Apple’s own trust mechanisms, executing stealthy payloads, and evading common defenses, this threat highlights the evolving software security landscape on the platform.

For individual users and enterprise defenders alike, the lesson is clear: no security control is foolproof, and trust must be continually reassessed. Vigilance, layered defenses, and proactive threat hunting remain essential in a world where malicious actors increasingly mimic legitimate software to slip past even well-established protections.