
MacSync on macOS: signed apps, real malware

April 11, 2026 Newsletter


A December 2025 MacSync Stealer variant changed the part that usually gets it caught: execution.

Instead of relying on “drag this into Terminal” or ClickFix-style copy/paste commands, operators packaged a code-signed, notarized Swift app inside a fake installer DMG, so the user only has to run what looks like a normal macOS installer.

MacSync is an information-stealer family that emerged in 2025 as a rebrand of “Mac.c”; later variants were reported to add backdoor capability via a Go-based agent.

What actually changed

Old playbook

Trick a user into running a script via Terminal (drag-to-terminal, ClickFix paste commands).

Security teams often spot this because it looks abnormal and generates obvious user steps. 

New playbook

Deliver a signed + notarized Swift “installer” inside a DMG that impersonates a legitimate app installer.

The Swift dropper then pulls an encoded script from a remote server and executes it using a helper executable.

Result: fewer red flags to the user, fewer early blocks from macOS protections that lean on trust signals like notarization. 

The sample was identified as signed/notarized under Developer Team ID GNJLS3UYZ4 (later reported and revoked). 

Why this matters to businesses (InfoSight perspective)

1) “Signed” is not the same as “safe”

macOS users are trained to trust prompts that imply Apple verification. Attackers are exploiting that conditioning by getting malware-delivery apps signed and notarized, which buys enough time to run at scale before the certificate is revoked.

2) Stealers turn one install into many breaches

Info-stealers target:

browser credentials and session tokens

saved passwords and cookies

crypto wallets, corporate logins, SaaS sessions

That becomes downstream account takeover, MFA fatigue attacks, business email compromise, and lateral movement.

3) “Mac fleets are safer” is operationally false

Modern macOS threats are following the same path Windows malware took years ago: smoother UX for the victim, quieter execution chains for defenders, and rapid iteration when techniques work. This fits a broader trend toward signed/notarized delivery.

What the infection chain looks like (easy mental model)

1) The user downloads a DMG that looks like a legitimate installer (example observed: a “zk-Call messenger” themed DMG).

2) The app is signed/notarized, so it appears “normal” to macOS controls.

3) The app runs and reaches out to fetch an encoded script.

4) The script executes and installs the actual stealer payload and supporting components.

What to do now (controls that hold up against this technique)

Endpoint policy (highest leverage)

Enforce application allowlisting for corporate Macs (approved publishers/apps), not “anything notarized.”

Use MDM to restrict installs to a managed software catalog and block unknown DMGs.

Remove local admin where possible; require elevation workflows for installs.

Detection and response

Alert on “installer-like” apps that immediately perform script download + execution behaviors.

Monitor for unusual child processes spawned by Swift apps and helper executables.

Tighten outbound controls: DNS filtering + web proxy policies for unmanaged install paths.
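
As an added example (not from the newsletter or from InfoSight), a small Python detector for the behaviour described in the two points above: an app-bundle process that, shortly after launch, spawns a download tool and then a shell or interpreter. The process-event format, the paths, PIDs and the approved Team ID TEAMID0001 are constructed assumptions; GNJLS3UYZ4 is the revoked Team ID named in the article.

```python
import json

DOWNLOADERS = {"curl", "nscurl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}

# Constructed sample telemetry (process-exec events, one JSON object per line).
# Paths, PIDs and the second team ID are made up for the example; GNJLS3UYZ4 is
# the Team ID reported in the article.
SAMPLE_EVENTS = """\
{"ts": 100.0, "pid": 501, "ppid": 1, "path": "/Volumes/zk-Call/zk-Call.app/Contents/MacOS/zk-Call", "team_id": "GNJLS3UYZ4"}
{"ts": 101.2, "pid": 502, "ppid": 501, "path": "/usr/bin/curl"}
{"ts": 101.9, "pid": 503, "ppid": 501, "path": "/usr/bin/base64"}
{"ts": 102.1, "pid": 504, "ppid": 501, "path": "/bin/sh"}
{"ts": 300.0, "pid": 601, "ppid": 1, "path": "/Applications/Updater.app/Contents/MacOS/Updater", "team_id": "TEAMID0001"}
{"ts": 301.0, "pid": 602, "ppid": 601, "path": "/usr/bin/curl"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def basename(path):
    return path.rsplit("/", 1)[-1]

def find_fetch_exec_chains(events, approved_team_ids, window=60.0):
    """One finding per app-bundle process that, within `window` seconds of its
    own launch, spawned a download tool followed by an interpreter. The signer
    is carried along so triage can tell an approved publisher from an unknown
    one; notarization by itself is not treated as a pass."""
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    findings = []
    for parent in events:
        if ".app/Contents/MacOS/" not in parent["path"]:
            continue
        fetched_at, fetch_tool = None, None
        for child in sorted(children.get(parent["pid"], []), key=lambda e: e["ts"]):
            if child["ts"] - parent["ts"] > window:
                break
            name = basename(child["path"])
            if name in DOWNLOADERS and fetched_at is None:
                fetched_at, fetch_tool = child["ts"], name   # download seen first
            elif name in INTERPRETERS and fetched_at is not None:
                findings.append({"app": parent["path"],
                                 "team_id": parent.get("team_id"),
                                 "approved_publisher": parent.get("team_id") in approved_team_ids,
                                 "chain": [fetch_tool, name]})
                break
    return findings

if __name__ == "__main__":
    for f in find_fetch_exec_chains(parse_events(SAMPLE_EVENTS), {"TEAMID0001"}):
        print(f)
```

The approved app that only runs curl produces no finding; the mounted-DMG app that runs curl and then sh does, with its Team ID attached for triage.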

User exposure reduction

Standardize installs through IT-managed channels; treat “download a DMG and run it” as a policy violation for corporate assets.

Threat intel hygiene

How InfoSight would frame this for leadership

This is not a “Mac malware oddity.” This is a trust exploitation problem: attackers are borrowing legitimacy signals (signing/notarization) to reduce friction and increase installs. 

Source
