The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports.
The MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025.
Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat.
In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities through a fully-featured Go-based agent.
Similar to most macOS infostealers, it relied on social engineering techniques, such as ClickFix, to trick users into executing malicious scripts, leading to infection.
A recently observed sample, however, eliminates this step, taking a more direct, hands-off approach, Jamf says.
The stealer’s operators packed the malware’s dropper as a code-signed and notarized Swift application inside a disk image masquerading as a zk-Call messenger installer.
“The dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable,” Jamf explains.
The same distribution technique, the cybersecurity firm notes, has been adopted by the Odyssey infostealer family as well.
Analysis of MacSync Stealer’s new infection chain revealed a layered, evasive dropper routine focused on stealth and persistence, which includes environmental checks, network requests, Gatekeeper evasion, and validation.
MacSync Stealer started appearing in detections in mid-2025, but infected hundreds of machines relatively fast.
“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf notes.
Related: ClickFix Attacks Against macOS Users Evolving
Related: Apple Updates iOS and macOS to Prevent Malicious Font Attacks
Related: New XCSSET macOS Malware Variant Hijacks Cryptocurrency Transactions
Related: Widespread Infostealer Campaign Targeting macOS Users
