MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service, distributed primarily through SEO poisoning and fake ClickFix CAPTCHA pages. The campaign has progressed through three main phases since November 2025: initially using fake download sites, then malicious ChatGPT conversations, and most recently employing sophisticated shell-based loaders with dynamic AppleScript payloads. Victims are redirected via Google-sponsored search results to fake CAPTCHA pages that deceive them into executing malicious terminal commands. The malware targets a broad range of sensitive information including browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and macOS Keychain data. A critical feature is the trojanization of Ledger hardware wallet applications to steal seed phrases. The February 2026 campaign saw over 18,000 clicks in three days, with Russian-language comments suggesting the operators are part of a Russian-speaking ecosystem. The malware uses API key-gated C2 infrastructure and in-memory execution to avoid detection and analysis.

The malware compromises macOS users by stealing a wide array of sensitive credentials and secrets, including browser passwords, cryptocurrency wallet data, SSH keys, cloud service credentials, and Keychain items. The trojanization of Ledger hardware wallet applications poses a critical risk to cryptocurrency asset security by capturing seed phrases. The campaign's use of SEO poisoning and fake CAPTCHA pages increases the likelihood of victim infection through social engineering. The malware's evasion techniques, such as API key-gated command and control and in-memory execution, complicate detection and response efforts. Although no known exploits in the wild are reported, the campaign has demonstrated significant reach and user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this malware relies on social engineering via fake CAPTCHA pages and terminal command execution, users should be educated not to run untrusted terminal commands or follow suspicious links from search results. Endpoint protection solutions with macOS malware detection capabilities may help identify and block this threat. Monitoring for indicators of compromise such as the provided hashes and domains can assist in detection. There is no official fix or patch available at this time.