
Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

Severity: Medium
Published: Wed Jan 21 2026 (01/21/2026, 18:46:01 UTC)
Source: AlienVault OTX General

Description

MacSync is a macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer that tricks the user into executing a malicious Terminal command. The infection is multi-stage and script-based, harvesting browser credentials, cryptocurrency wallet data and sensitive files. Its defining feature is the trojanization of the Electron-based companion apps of popular hardware wallets (Ledger Live and Trezor Suite), which turns them into a long-term phishing and exfiltration channel. The infrastructure spans multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. The combination of crypto-focused data theft and stealthy, script-driven execution makes MacSync particularly dangerous for macOS users in the crypto community.

AI-Powered Analysis

Last updated: 01/21/2026, 23:20:30 UTC

Technical Analysis

MacSync is a macOS infostealer campaign aimed primarily at cryptocurrency users. It is distributed through phishing lures posing as legitimate cloud storage installers that talk the victim into pasting a command into Terminal. Because the user runs the command themselves, the download-time controls are sidestepped: Gatekeeper only evaluates quarantined downloads, not commands typed into a shell. The stealer is script-driven and runs in stages, first harvesting browser-stored credentials and sensitive files and then targeting cryptocurrency wallet data.

Its distinguishing feature is the trojanization of Electron-based hardware wallet companion apps such as Ledger Live and Trezor Suite. By injecting code into these apps, MacSync turns software the victim already trusts into a long-lived phishing surface that can prompt for secrets and exfiltrate data continuously without raising immediate suspicion. The infrastructure uses multiple rotating command-and-control (C2) domains and clone websites, showing an ongoing and adaptive campaign; the indicators of compromise below list the associated domains and file hashes.

The mapped MITRE ATT&CK techniques are Command and Scripting Interpreter: AppleScript (T1059.002), Credentials from Password Stores (T1555) and Masquerading: Match Legitimate Name or Location (T1036.005). No CVE or exploit is involved; the campaign relies entirely on social engineering, and its focus on cryptocurrency assets and wallet applications makes it particularly dangerous for the users it targets. The staged, script-based execution also complicates detection and remediation.

Potential Impact

For European organizations and users, MacSync threatens the confidentiality and integrity of cryptocurrency assets and sensitive data on macOS devices. A trojanized Ledger Live or Trezor Suite install can phish for wallet credentials and, most dangerously, recovery (seed) phrases over a long period without detection. A hardware wallet's private keys never leave the device, so a seed phrase entered into a tampered companion app is the practical route to draining the wallet, and the resulting losses are direct and irreversible. Organizations in cryptocurrency trading, fintech or blockchain development are at heightened risk. The harvesting of browser credentials and files may also expose corporate secrets and personal information, enabling identity theft or follow-on targeted attacks. Because delivery depends on the user executing the command, endpoint protections that key on malicious downloads can be bypassed. Given rising cryptocurrency adoption in Europe, particularly in countries with active crypto communities, the campaign can disrupt business operations and erode trust in digital asset management. The rotating C2 infrastructure points to a persistent operation that will keep evolving to evade detection, raising the risk of wider infections if it is not mitigated promptly.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Educate macOS users, especially those handling cryptocurrency, that no legitimate installer requires pasting a command into Terminal; treat any "copy this command to install or fix" instruction, and any installer reached through an unsolicited link, as a phishing signal.

2) Deploy endpoint detection and response (EDR) that records shell and script execution (Terminal, osascript, curl-to-shell chains) and file writes into installed application bundles, so that tampering with an Electron app is visible as an event rather than discovered after the fact.

3) Restrict execution of unsigned or untrusted scripts and binaries on macOS endpoints, for example through MDM-managed application allow-listing, and keep Gatekeeper enabled. Note that commands a user types into Terminal fall outside Gatekeeper's scope, which is why items 1 and 2 matter.

4) Monitor DNS and network traffic for connections to the domains listed in the indicators of compromise below and block them at the firewall or DNS resolver. Vet the list first: the mac{cloud,file}*.com names match the cloud-storage lure and crosoftonline.com looks like a lookalike of microsoftonline.com, but entries such as xmlpull.org and the dreamplug.in hosts look like strings from bundled libraries or unrelated services rather than attacker infrastructure.

5) Periodically verify the integrity of installed cryptocurrency wallet applications: check the bundle signature with codesign --verify --deep --strict and compare the hash of Contents/Resources/app.asar against a baseline recorded from a clean install. Reinstall from the vendor if either check fails.

6) Keep hardware wallet firmware updated through the device's own verified update path, and remind users that the recovery phrase is entered only on the device itself, never into Ledger Live, Trezor Suite or any website. An app prompt asking for it is exactly the trojanized behaviour described above.

7) Maintain updated backups of critical data and ensure incident response plans include procedures for macOS-specific malware.

8) Collaborate with threat intelligence sharing groups to stay informed about evolving indicators of compromise related to MacSync.


Technical Details

Author: AlienVault
TLP: white
References: https://www.cloudsek.com/blog/inside-macsyncs-script-driven-stealer-and-hardware-wallet-app-trojanization
Adversary: not attributed
Pulse Id: 69711eea5249f136051acf6c
Threat Score: not set

Indicators of Compromise

Domains

foo-bar.fish
manifest.in
xmlpull.org
app-webview.dreamplug.in
merchant-app-prod.dreamplug.in
webview-prod.dreamplug.in
crosoftonline.com
jmpbowl.coupons
jmpbowl.fun
jmpbowl.shop
jmpbowl.space
jmpbowl.today
jmpbowl.top
jmpbowl.world
jmpbowl.xyz
macclouddrive.com
maccloudsafe.com
maccloudvault.com
macfilebackup.com
macfiledrive.com
macfilevault.com
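Mitigation item 4 asks for DNS-level monitoring and blocking of the domains listed above. The following is an added example, not code from the CloudSEK report or the OTX pulse. It matches resolver query logs against a subset of those domains, flagging exact matches and subdomains but not unrelated names that merely end in the same letters, and emits an unbound blocklist for the same subset. The log format (timestamp, client IP, query type, query name) and the log lines are constructed for the example. The subset deliberately keeps the mac{cloud,file}*.com names, the rotating jmpbowl.* set and crosoftonline.com, and omits entries such as xmlpull.org and the dreamplug.in hosts, which look like library or third-party strings rather than attacker infrastructure; which entries you block is a judgement you should make yourself against the full list.

```shell
#!/bin/bash
# Added example, not from the CloudSEK report or the OTX pulse.
# Matches DNS query logs against MacSync IOC domains and emits a DNS-level
# blocklist. Log format and sample lines are constructed for this example.

# Subset of the pulse's domains chosen for blocking. Entries that look like
# library or unrelated third-party strings (xmlpull.org, *.dreamplug.in)
# are left out on purpose; vet the full list before blocking it wholesale.
MACSYNC_DOMAINS="macclouddrive.com maccloudsafe.com maccloudvault.com \
macfilebackup.com macfiledrive.com macfilevault.com \
jmpbowl.coupons jmpbowl.fun jmpbowl.shop jmpbowl.space jmpbowl.today \
jmpbowl.top jmpbowl.world jmpbowl.xyz crosoftonline.com"

# Constructed resolver log, one query per line: timestamp client qtype qname.
# The trailing dot on line 1 is how some resolvers log fully qualified
# names. Only three of these five queries should be flagged; the last one
# ends in an IOC domain but is not a subdomain of it.
SAMPLE_LOG='2026-01-21T18:50:01Z 10.0.0.12 A app.macclouddrive.com.
2026-01-21T18:50:02Z 10.0.0.12 A www.apple.com
2026-01-21T18:50:03Z 10.0.0.17 AAAA cdn.jmpbowl.xyz
2026-01-21T18:50:04Z 10.0.0.19 A login.crosoftonline.com
2026-01-21T18:50:05Z 10.0.0.20 A notmacfilevault.com'

# Read log lines on stdin; print one MATCH line per query whose name equals
# an IOC domain or is a subdomain of one. The label-boundary check
# ("." + domain as suffix) keeps notmacfilevault.com from matching.
match_ioc_domains() {
  awk -v iocs="$MACSYNC_DOMAINS" '
    BEGIN { n = split(iocs, list, " ") }
    NF >= 4 {
      host = tolower($4)
      sub(/\.$/, "", host)                      # drop trailing FQDN dot
      for (i = 1; i <= n; i++) {
        d = list[i]
        if (host == d ||
            substr(host, length(host) - length(d)) == "." d) {
          print "MATCH " $1 " " $2 " " host " (ioc " d ")"
          break
        }
      }
    }'
}

# Emit unbound local-zone stanzas that answer NXDOMAIN for each IOC domain
# and everything under it. Write the output to a file included from
# unbound.conf and reload the resolver.
emit_unbound_blocklist() {
  local d
  for d in $MACSYNC_DOMAINS; do
    printf 'local-zone: "%s" always_nxdomain\n' "$d"
  done
}

# Demo run over the constructed log; prints three MATCH lines.
printf '%s\n' "$SAMPLE_LOG" | match_ioc_domains
```

In production, feed the resolver's real query log (or Zeek dns.log reshaped to the four fields) into match_ioc_domains and alert on the client IP, since a hit on a mac{cloud,file}*.com name is most likely a user who has already run the lure command and whose wallet apps need the integrity check from item 5.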

Hashes

MD5: 1fe278fd06404638a50bf7b126f9075c
MD5: 5190ef1733183a0dc63fb623357f56d6
SHA-256: 70c0ee60591fed92b387ddd77122f3f5e88ae946efdd5eef8aa654cf156ed321
SHA-256: 89a229f9a73cffc67089f388c6c12f3f9d80e7ae2c32745cd5212421a89c3e50
SHA-256: c99dea85f0ef8d3e2f3771c8ebd02d7dee0d90efc5c8392e5c266a59640a4206
SHA-256: ec6bc84be18ce4cb55fb915370c00f2a836ffefc65c6b728efb8d2d28036e376

Threat ID: 69715bd34623b1157cf1b923

Added to database: 1/21/2026, 11:05:55 PM

Last enriched: 1/21/2026, 11:20:30 PM

Last updated: 2/5/2026, 9:39:52 AM

Views: 186
