The Trusted Thief: New Signed MacSync Malware Bypasses Apple’s Gatekeeper
The latest iteration of the macOS stealer known as MacSync has learned to infiltrate victims’ machines almost “like a legitimate application.” According to Jamf, it is now distributed as a signed Swift app packaged inside a DMG file—a marked departure from earlier versions, which relied on cruder tactics such as “drag into Terminal” tricks or ClickFix schemes. This time, users are spared any direct interaction with the command line.
As Jamf describes it, the installer resides within a disk image titled zk-call-messenger-installer-3.9.2-lts.dmg and is delivered via a download page on zkcall.net. At the time of analysis, the application carried a valid digital signature and successfully passed macOS Gatekeeper checks. Examination of the Mach-O binary (a universal build) confirmed that it was both signed and notarized, with the signature tied to Developer Team ID GNJLS3UYZ4.
That situation changed after Jamf alerted Apple directly about the certificate, which was subsequently revoked. Even so, the delivery mechanism itself reveals a deliberate effort by the malware’s authors to conform to macOS ecosystem requirements and to appear as legitimate as possible during the earliest stages of infection.
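The practical lesson of the signed dropper is that a valid Developer ID signature and a notarization ticket only tell you who signed the binary, not whether it is benign; once a Team ID is known to be abused, blocking on that identity works independently of when Apple gets around to revoking the certificate. The script below is an added example for this article, not Jamf's tooling: it parses the key=value lines that `codesign -dv --verbose=4 <path>` prints (on stderr) and checks the TeamIdentifier against a blocklist that holds the Team ID reported above (GNJLS3UYZ4). The sample codesign output, the bundle identifier and the developer name in it are constructed placeholders.

```python
"""Triage helper: flag a macOS binary whose code signature carries a known-bad Team ID.

Added example, not part of the original article or of Jamf's research tooling.
Feed it the output of `codesign -dv --verbose=4 /path/to/App.app 2>&1`.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Team ID named in the article for the signed MacSync dropper (the only real value here).
KNOWN_BAD_TEAM_IDS = {"GNJLS3UYZ4"}

# Constructed sample of codesign output for a Developer ID-signed, notarized app.
# Identifier, executable path and developer name are placeholders.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Example Installer/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 00:00:00
Notarization Ticket=stapled
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0
"""


@dataclass
class SignatureInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None          # None when unsigned/ad-hoc ("TeamIdentifier=not set")
    authorities: List[str] = field(default_factory=list)  # leaf cert first, root last
    notarization: Optional[str] = None


def parse_codesign_output(text: str) -> SignatureInfo:
    """Extract the fields relevant to identity from codesign's verbose dump."""
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = None if value == "not set" else value
        elif key == "Authority":
            info.authorities.append(value)
        elif key == "Notarization Ticket":
            info.notarization = value
    return info


def assess(info: SignatureInfo, blocklist=KNOWN_BAD_TEAM_IDS) -> Tuple[str, List[str]]:
    """Return ("block" | "review" | "allow", reasons) for one parsed signature."""
    reasons: List[str] = []
    if info.team_id is None:
        reasons.append("no TeamIdentifier: binary is unsigned or ad-hoc signed")
    elif info.team_id in blocklist:
        reasons.append(f"TeamIdentifier {info.team_id} is on the known-bad list")
    # Sanity check: the leaf certificate's subject normally ends with "(TEAMID)";
    # a mismatch with TeamIdentifier is worth a human look.
    if info.team_id and info.authorities:
        match = re.search(r"\(([A-Z0-9]{10})\)\s*$", info.authorities[0])
        if match and match.group(1) != info.team_id:
            reasons.append("leaf certificate team does not match TeamIdentifier")
    if any("known-bad" in r for r in reasons):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Use piped codesign output when present, otherwise the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CODESIGN_OUTPUT
    parsed = parse_codesign_output(raw)
    verdict, why = assess(parsed)
    print(f"{parsed.identifier}: team={parsed.team_id} notarization={parsed.notarization}")
    print(f"verdict={verdict}", *why, sep="\n  ")
```

On a fleet this is most useful as a scheduled sweep over `/Applications` and mounted volumes, with the blocklist kept in a managed file; the stapled notarization ticket and Apple-rooted chain in the sample are exactly what the dropper presented before the certificate was revoked, which is why the decision hinges on the Team ID rather than on signature validity.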
MacSync reaches the system in encoded form via a dropper. Once the payload is decoded, researchers identified telltale characteristics of this particular stealer. The campaign also employs multiple anti-analysis techniques: the DMG image is artificially inflated to 25.5 MB with decoy PDF files, scripts used during execution are wiped clean, and an active internet connection is checked before launch—an effective way to evade sandboxes and isolated environments.
The stealer first surfaced in April 2025 under the name Mac.C, attributed to a threat actor operating under the alias Mentalpositive. By July, it had gained traction and carved out a place among the relatively rare but lucrative macOS stealers, alongside AMOS and Odyssey. An earlier analysis by MacPaw Moonlock noted that Mac.C is capable of exfiltrating iCloud Keychain data, browser passwords, system metadata, cryptocurrency wallet information, and files from the local filesystem.
A revealing detail emerged from an interview Mentalpositive gave to researcher g0njxa: the author claimed that tightening macOS app notarization policies starting with version 10.14.5 had significantly shaped the malware’s development roadmap. Judging by the structure of the current campaign, this was no idle remark—the latest samples observed in the wild clearly strive to slip past macOS’s familiar trust barriers with calculated precision.