New MacSync macOS Stealer Utilizes Signed Certificates to Evade Detection
Cybersecurity researchers have identified a new variant of MacSync, a data-stealing program targeting macOS systems. This version is cleverly concealed within a Swift app masquerading as a messaging app installer, allowing it to bypass Apple's security checks. According to Jamf researcher Thijs Xhaflaire, this iteration of MacSync is particularly stealthy, requiring minimal user interaction for installation.
The malicious app is distributed as a signed, Apple-approved Swift application inside a disk image named "zk-call-messenger-installer-3.9.2-lts.dmg," served from "zkcall[.]net/download." Because it carries a valid signature, it passes security checks such as Gatekeeper and XProtect; the installer nevertheless instructs users to right-click and open the app, a tactic commonly used to sidestep those same protections. Apple has since revoked the app's code signing certificate.
The app performs several checks before executing a hidden script, such as verifying internet connectivity, delaying execution for an hour, removing specific file markers, and validating the file. Xhaflaire notes that the command to retrieve the hidden script has been altered from previous versions, using split instructions and new options to enhance reliability and evade detection.
Additionally, the DMG file is artificially inflated to 25.5 MB by including unrelated PDF documents. Once decoded, the hidden script reveals MacSync, an evolved version of Mac.c first seen in April 2025. According to Moonlock Lab, MacSync is a comprehensive tool capable of more than just data theft; it can also be remotely controlled.
This discovery highlights a trend where attackers increasingly disguise malware within signed and approved applications, making them appear legitimate. Similar tactics have been used with fake Google Meet DMG files to distribute other macOS stealers like Odyssey, while unsigned disk images have been used to spread DigitStealer.
Stay secure — stay Wavasec. 🔐