
MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

Severity: Medium
Published: Tue Dec 23 2025 (12/23/2025, 01:59:52 UTC)
Source: AlienVault OTX General

Description

MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an encoded script from a remote server and executes it via a Swift-built helper executable. The installer is signed with Developer Team ID GNJLS3UYZ4 and contains decoy files to inflate its size. The malware performs various checks, including internet connectivity and execution timing, before downloading and executing the second-stage payload. This evolution reflects a broader trend in macOS malware, where attackers attempt to bypass security measures by using signed and notarized executables.

AI-Powered Analysis

Last updated: 01/05/2026, 11:09:21 UTC

Technical Analysis

MacSync Stealer is a macOS infostealer. Earlier variants relied on drag-to-terminal and ClickFix lures, both of which need the victim to drop or paste a command into Terminal. The variant in this pulse removes that step: it ships as a disk image (.dmg) containing a Swift application that is code-signed under Developer Team ID GNJLS3UYZ4 and notarized by Apple. Because the signature and notarization ticket are valid, Gatekeeper lets the app launch without the "cannot verify the developer" prompt that an unsigned or un-notarized app triggers. The trust model is satisfied rather than bypassed, which is what makes the technique effective: the user is never asked to override anything. The bundle also carries decoy files that inflate its size, which the source attributes to evading detection heuristics (oversized artefacts are routinely skipped by, or exceed the upload limits of, automated scanners).

Before doing anything harmful the application checks for internet connectivity and evaluates execution timing, two cheap tests that separate an interactive victim machine from an offline or time-accelerated analysis sandbox. Only then does it fetch an encoded script from its command-and-control infrastructure (the pulse lists https://zkcall.net/download as the download URL) and hand it to a Swift-built helper executable for decoding and execution. That second stage presumably carries the actual stealer logic; the pulse does not describe what it collects.

The pulse tags the activity with the following ATT&CK techniques (names given here as the official entries, since the original labels were misassigned): T1204.002 User Execution: Malicious File; T1553.002 Subvert Trust Controls: Code Signing; T1082 System Information Discovery; T1140 Deobfuscate/Decode Files or Information; T1036 Masquerading; T1027 Obfuscated Files or Information; T1571 Non-Standard Port; T1055 Process Injection; and T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. The last two are not supported by the behaviour summarised here, and T1547.001 is a Windows technique, so treat them as tagging noise until confirmed against the Jamf write-up. Nothing in the pulse indicates campaign scale, but a valid signature, notarization and sandbox-aware staging together make this a credible threat to any macOS fleet whose users can mount and run arbitrary disk images.

Potential Impact

For European organizations, MacSync Stealer is primarily a confidentiality risk because of its infostealer capabilities. Organizations running macOS endpoints, especially in finance, technology, government and research, could face data exfiltration, intellectual property theft and exposure of sensitive credentials. Because the installer is validly signed and notarized, Gatekeeper permits it to run and the user-facing warnings that many people rely on as a last line of defence never appear, so a user who is persuaded to mount a disk image from an untrusted source has little left to stop the infection. The environmental checks and decoy files further complicate detection and sandbox-based triage. Availability and integrity impacts appear limited, but loss of sensitive information can lead to reputational damage, regulatory penalties under GDPR and follow-on attacks using stolen credentials. The pulse gives no indication of campaign scale, which keeps immediate risk moderate but does not rule out targeted campaigns or wider distribution. Organizations with remote or hybrid workforces on macOS are especially exposed where endpoint controls are thin.

Mitigation Recommendations

European organizations should implement a multi-layered defence tailored to macOS. Specific recommendations:

1) Allowlist applications by Developer Team ID rather than by "signed and notarized" status. Notarization only means Apple's automated scan found nothing malicious at submission time; this campaign shows a validly signed, notarized app clearing it. Add GNJLS3UYZ4 to the block list in your MDM or EDR policy.

2) Deploy EDR that records process lineage, network connections and script execution, and alert on the chain this variant produces: an app launched from a mounted disk image spawning a helper that fetches content over HTTPS and then executes decoded or interpreted code.

3) Train users not to mount and run disk images from unfamiliar sources, and to treat "drag to Terminal" or paste-this-command instructions as a red flag. The signed installer variant removes even that visible cue, so the message is not to run anything they did not deliberately obtain from a vendor.

4) Verify the current Gatekeeper assessment of any suspect bundle with spctl --assess --type execute -v; once Apple revokes the abused certificate the assessment reports rejected. Report Developer ID abuse to Apple. An organization cannot revoke another party's certificate itself, so blocking by Team ID is the control you actually own.

5) Block and alert on the listed infrastructure (zkcall.net, focusgroovy.com, gatemaden.space and the URL https://zkcall.net/download) at the proxy and DNS layers, and retro-hunt at least as far back as the pulse date.

6) Segment networks and enforce least privilege so a single set of stolen credentials does not yield lateral movement or broad data access.

7) Keep macOS, XProtect and security tooling current and feed the latest threat intelligence into detection content.

8) Keep System Integrity Protection enabled and enforce FileVault. SIP does not stop a user-level stealer but limits what follow-on tooling can do; FileVault protects data at rest on a lost or stolen device, not against a process running as the logged-in user.

9) Hunt for the hashes, domains and Team ID listed below across endpoint telemetry, browser download history and the LaunchServices quarantine events database, which records the URL each quarantined file was downloaded from.

10) Participate in sector information-sharing groups to stay current on macOS threats and mitigations.
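The hunting and blocking steps above (Team ID allowlisting, infrastructure monitoring and hash hunting) are straightforward to script. The block below is an added example, not Jamf's or AlienVault's code. It takes the three inputs a responder usually has: a directory to hash (a mounted DMG or extracted .app), the text of `codesign -dv --verbose=4 <bundle>` captured on a Mac (codesign prints on stderr, so capture with `2>&1`), and proxy/DNS log lines. The codesign text and log lines are constructed samples; the bundle path and identifier in them are hypothetical, while the hashes, domains, URL and Team ID are copied from this page's IOC section.

```python
"""Triage helpers for the MacSync Stealer indicators on this page.

Added example (not Jamf's or AlienVault's code). Sample codesign output
and log lines below are constructed; the indicators are from the pulse.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied verbatim from the IOC section of this page.
IOC_SHA256 = {
    "06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e",
    "2e671bd9673d174de9b4ad8fd03049859e1d2d17ac9bc49ecc5d736505002937",
    "4ae745bc0e4631f676b3d0a05d5c74e37bdfc8da3076208b24e73e5bbea9178f",
    "7cfe0b119e616ac81ddb1767a5c7f40bec67d91fdd66e53490c0225789537073",
    "985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6",
    "9990457feac0cd85f450e60c268ddf5789ed4ac81022b0d7c3021d7208ebccd3",
    "9d43e059111460c4f81351a062fb7eb7dbfd34988a06d756c7206f330c06cb42",
    "be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a",
    "c4d3e5cdb264eded917cd61b8131c40715c0ee3f4d2c94c84d60fa295ca4ed97",
    "ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863",
}
IOC_DOMAINS = {"focusgroovy.com", "gatemaden.space", "zkcall.net"}
IOC_URLS = {"https://zkcall.net/download"}
IOC_TEAM_IDS = {"GNJLS3UYZ4"}

# Hostname-looking tokens in a log line. Team IDs are ten upper-case
# alphanumerics, so the unsigned case ("TeamIdentifier=not set") never matches.
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
TEAM_RE = re.compile(r"^TeamIdentifier=([A-Z0-9]{10})$", re.M)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(root, iocs=IOC_SHA256):
    """[(relative_path, sha256)] for files under root whose digest is an IOC.
    Decoy padding files simply fail to match, so hash every file, not just
    the main executable."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in iocs:
                hits.append((p.relative_to(root).as_posix(), digest))
    return hits


def team_ids(codesign_output: str) -> set[str]:
    return set(TEAM_RE.findall(codesign_output))


def flagged_team_ids(codesign_output: str, iocs=IOC_TEAM_IDS) -> set[str]:
    """Team IDs in the signature that are on the block list."""
    return team_ids(codesign_output) & iocs


def _host_matches(host: str, domain: str) -> bool:
    # Exact or subdomain match only: "notzkcall.net" must not hit zkcall.net.
    return host == domain or host.endswith("." + domain)


def scan_logs(lines, domains=IOC_DOMAINS, urls=IOC_URLS):
    """[(line_no, indicator)] for every IOC domain or URL seen on each line."""
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = {h.lower() for h in HOST_RE.findall(line)}
        found = {d for h in hosts for d in domains if _host_matches(h, d)}
        found |= {u for u in urls if u in line}
        hits.extend((n, ind) for ind in sorted(found))
    return hits


def demo_hash_scan():
    """Build a constructed bundle (a zero-filled decoy plus a stand-in helper)
    and return hits against the real list and against the list with the
    helper's digest injected, to show the traversal works."""
    root = Path(tempfile.mkdtemp())
    res = root / "Installer.app" / "Contents" / "Resources"
    res.mkdir(parents=True)
    (res / "decoy.bin").write_bytes(b"\0" * 4096)
    helper = root / "Installer.app" / "Contents" / "MacOS" / "helper"
    helper.parent.mkdir(parents=True)
    helper.write_bytes(b"constructed stand-in for the Swift helper")
    return hash_matches(root), hash_matches(root, IOC_SHA256 | {sha256_file(helper)})


# Constructed sample of `codesign -dv --verbose=4 Installer.app 2>&1`;
# the Identifier is hypothetical, the Team ID is the one from the pulse.
CONSTRUCTED_CODESIGN = """\
Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Example Corp (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0
"""

# Constructed proxy/DNS lines; only the first two touch pulse infrastructure.
CONSTRUCTED_LOGS = [
    "2025-12-23T02:14:07Z proxy user=jdoe dst=zkcall.net:443 url=https://zkcall.net/download status=200",
    "2025-12-23T02:14:09Z dns query=cdn.focusgroovy.com type=A",
    "2025-12-23T02:15:00Z dns query=notzkcall.net type=A",
    "2025-12-23T02:16:11Z proxy user=jdoe dst=example.org:443 url=https://example.org/ status=200",
]

if __name__ == "__main__":
    print("team IDs on block list:", flagged_team_ids(CONSTRUCTED_CODESIGN))
    print("log hits:", scan_logs(CONSTRUCTED_LOGS))
    print("hash hits (real list, injected digest):", demo_hash_scan())
```

On a real case, point `hash_matches` at the mounted volume under /Volumes and feed `scan_logs` the exported proxy and DNS records; the subdomain rule in `_host_matches` is what keeps look-alike domains such as notzkcall.net from producing false positives while still catching hosts under the listed zones.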


Technical Details

Author: AlienVault
TLP: white
Reference: https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis
Adversary: MacSync Stealer
Pulse Id: 6949f798ff6abcb62cd7546e
Threat Score: not set

Indicators of Compromise

Hash (SHA-256)

06c74829d8eee3c47e17d01c41361d314f12277d899cc9dfa789fe767c03693e
2e671bd9673d174de9b4ad8fd03049859e1d2d17ac9bc49ecc5d736505002937
4ae745bc0e4631f676b3d0a05d5c74e37bdfc8da3076208b24e73e5bbea9178f
7cfe0b119e616ac81ddb1767a5c7f40bec67d91fdd66e53490c0225789537073
985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6
9990457feac0cd85f450e60c268ddf5789ed4ac81022b0d7c3021d7208ebccd3
9d43e059111460c4f81351a062fb7eb7dbfd34988a06d756c7206f330c06cb42
be961ec5b9f4cc501ed5d5b8974b730dabcdf7e279ed4a8c037c67b5b935d51a
c4d3e5cdb264eded917cd61b8131c40715c0ee3f4d2c94c84d60fa295ca4ed97
ecfaa20f25e11878686249c7094706bc3dcd2dc0ace0f2932a39d1bfdac85863

URL

https://zkcall.net/download

Domain

focusgroovy.com
gatemaden.space
zkcall.net

Threat ID: 694a5f2d033f6f66d772eb13

Added to database: 12/23/2025, 9:21:49 AM

Last enriched: 1/5/2026, 11:09:21 AM

Last updated: 2/7/2026, 6:35:26 AM

