MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

Medium
Published: Tue Dec 23 2025 (12/23/2025, 01:59:52 UTC)
Source: AlienVault OTX General

Description

The MacSync Stealer malware has evolved from requiring user terminal interaction to a more sophisticated, code-signed, and notarized Swift-based malware delivered via disk image. This new variant uses a signed installer with Developer Team ID GNJLS3UYZ4 and includes decoy files to evade detection. It retrieves encoded scripts from remote servers and executes them through a Swift helper executable after performing environment checks such as internet connectivity and execution timing. This evolution enables the malware to bypass macOS security mechanisms that rely on notarization and code signing. The malware is an infostealer targeting macOS systems, leveraging advanced evasion techniques to deliver second-stage payloads. Indicators include multiple file hashes and domains associated with the malware's infrastructure. No known exploits in the wild have been reported yet, but the threat reflects a growing trend of macOS malware sophistication. European organizations using macOS devices should be aware of this threat and implement targeted mitigations to reduce risk.

AI-Powered Analysis

Last updated: 12/23/2025, 09:37:00 UTC

Technical Analysis

MacSync Stealer is a macOS infostealer malware that has recently evolved from earlier variants relying on drag-to-terminal and ClickFix techniques to a more advanced delivery and execution method. The new variant is distributed as a code-signed and notarized Swift application packaged within a disk image (.dmg), which removes the need for direct terminal interaction by the user, thereby improving stealth and ease of infection. The installer is signed with Developer Team ID GNJLS3UYZ4, lending it legitimacy in the eyes of macOS Gatekeeper and notarization checks. To evade detection, the malware includes decoy files that inflate the installer size and performs environmental checks such as verifying internet connectivity and timing of execution before proceeding. Upon execution, it downloads an encoded script from a remote server and runs it via a Swift-built helper executable, which acts as a dropper for the second-stage payload. The malware employs multiple MITRE ATT&CK techniques including code signing evasion (T1553.002), execution via scripting (T1059.004), persistence mechanisms (T1547.001), and credential access (T1555). The use of notarization and code signing represents a strategic shift to bypass macOS security controls that traditionally block unsigned or unnotarized binaries. Indicators of compromise include specific file hashes and domains such as zkcall.net, focusgroovy.com, and gatemaden.space. While no active exploits have been reported, the sophistication and stealth capabilities of this malware make it a significant threat to macOS users, especially in environments where macOS is prevalent.

Potential Impact

For European organizations, the MacSync Stealer poses a medium-level risk primarily to those with macOS endpoints, including enterprises, government agencies, and educational institutions. The malware’s ability to bypass Gatekeeper and notarization checks increases the likelihood of successful infection, potentially leading to theft of sensitive information such as credentials, personal data, and intellectual property. This could result in data breaches, unauthorized access to corporate networks, and subsequent lateral movement or espionage activities. Organizations relying on macOS devices for critical operations may face operational disruptions if the malware deploys additional payloads or persistence mechanisms. The presence of decoy files and sophisticated evasion techniques complicates detection and response efforts, increasing dwell time and potential damage. Given the increasing adoption of macOS in European corporate environments, especially in countries with strong technology sectors, the threat could have widespread implications if left unmitigated.

Mitigation Recommendations

1. Implement strict application whitelisting policies that only allow execution of software from trusted developers and verified sources, beyond just relying on notarization.
2. Employ endpoint detection and response (EDR) solutions with macOS support capable of behavioral analysis to detect anomalous script execution and network communications.
3. Monitor network traffic for connections to known malicious domains such as zkcall.net, focusgroovy.com, and gatemaden.space, and block these at the firewall or DNS level.
4. Educate users about the risks of opening disk images from untrusted sources, emphasizing caution even when installers appear signed and notarized.
5. Regularly audit installed developer certificates and revoke trust for suspicious or unknown Developer Team IDs like GNJLS3UYZ4.
6. Use macOS system integrity protection (SIP) and enable full disk encryption to limit malware persistence and data exfiltration.
7. Conduct threat hunting exercises focusing on indicators such as the provided file hashes and unusual helper executable activity.
8. Keep macOS systems and security tools updated to leverage the latest protections against evolving malware techniques.
9. Implement multi-factor authentication to reduce the impact of credential theft.
10. Establish incident response plans tailored to macOS infections to enable rapid containment and remediation.
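Recommendations 3 and 5 above can be turned into a small hunting check. The following is an added example, not code from the pulse or from Jamf's analysis: it matches the Team ID and C2 domains quoted on this page against `codesign -dv --verbose=4` output and DNS/proxy log lines. Both sample inputs are constructed, and the log layout (hostname in the fourth field) is an assumption you would adapt to your own log source.

```python
"""Added example: match this page's MacSync IoCs (Team ID and C2 domains)
against codesign output and DNS/proxy log lines. Sample data is constructed."""
import re
from typing import List, Optional, Tuple

# IoCs taken from the pulse text above; the file hashes are not repeated here.
SUSPICIOUS_TEAM_IDS = {"GNJLS3UYZ4"}
IOC_DOMAINS = {"zkcall.net", "focusgroovy.com", "gatemaden.space"}

# Constructed sample of `codesign -dv --verbose=4 <bundle>` output. On a real
# host codesign prints this on stderr, so capture it with 2>&1.
SAMPLE_CODESIGN = """Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""

# Constructed DNS/proxy log lines (assumed layout: time host source target).
SAMPLE_LOGS = """2025-12-23T09:01:02Z mac-042 dns api.apple.com A
2025-12-23T09:01:05Z mac-042 dns zkcall.net A
2025-12-23T09:01:06Z mac-042 proxy https://zkcall.net/download GET
2025-12-23T09:02:10Z mac-017 dns cdn.focusgroovy.com A
"""

def team_id_from_codesign(output: str) -> Optional[str]:
    """Return the TeamIdentifier value from codesign -dv output, if present."""
    m = re.search(r"^TeamIdentifier=(\S+)$", output, re.MULTILINE)
    return m.group(1) if m else None

def is_suspicious_signer(output: str) -> bool:
    """True when the bundle is signed by a Team ID on the watch list."""
    tid = team_id_from_codesign(output)
    return tid is not None and tid in SUSPICIOUS_TEAM_IDS

def host_of(field: str) -> str:
    """Normalise a log field (bare host or URL) to a lowercase hostname."""
    host = re.sub(r"^[a-z]+://", "", field.lower()).split("/")[0]
    return host.split(":")[0]

def matches_ioc_domain(host: str) -> bool:
    """Exact match or subdomain of an IoC domain (so cdn.focusgroovy.com hits)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_logs(text: str) -> List[Tuple[str, str]]:
    """Return (endpoint, contacted_host) for every log line hitting an IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and matches_ioc_domain(host_of(parts[3])):
            hits.append((parts[1], host_of(parts[3])))
    return hits
```

A Team ID match only tells you the signer, not whether a given bundle is malicious, so treat a hit as a trigger for the hash and behavioural checks in recommendations 2 and 7 rather than as a verdict.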

Technical Details

Author
AlienVault
Tlp
white
References
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis
Adversary
MacSync Stealer
Pulse Id
6949f798ff6abcb62cd7546e
Threat Score
null

Indicators of Compromise

Hash


Url

https://zkcall.net/download

Domain

focusgroovy.com
gatemaden.space
zkcall.net

Threat ID: 694a5f2d033f6f66d772eb13

Added to database: 12/23/2025, 9:21:49 AM

Last enriched: 12/23/2025, 9:37:00 AM

Last updated: 12/24/2025, 1:54:16 AM
