MacSync Malware Evolves: New Variant Slips Past macOS Defenses, Jamf & SlowMist Sound Alarm
Apple's walled garden just got a new gatecrasher. Security researchers at Jamf and SlowMist have flagged a fresh iteration of the MacSync malware—and this one's learned some new tricks to evade detection.
The Stealth Upgrade
Forget the old playbook. This variant doesn't just knock on the door; it's found a way to pick the lock on macOS's core security protocols. The exact method remains under wraps, but the implications are clear: a significant escalation in the cat-and-mouse game between Apple's engineers and malware developers.
Why This One's Different
It's all about the bypass. Where previous threats were often stopped at the gate by Gatekeeper or Notarization, this MacSync variant reportedly slips through. It's a reminder that no platform, no matter how polished its reputation, is truly immune. The security firms are urging immediate vigilance for any unusual system behavior or performance dips.
The Bigger Picture
This isn't just a tech headache—it's a potential backdoor for everything from data theft to cryptojacking. In a world where digital assets live on our devices, a compromised Mac is more than an inconvenience; it's a direct threat to financial sovereignty. (Consider it a stark reminder that in crypto, your keys are only as safe as the machine they're on—no FDIC insurance here.)
The bottom line? The arms race for your desktop is heating up. Update your software, question those downloads, and maybe don't bet the farm that any system is 100% secure.
Slowmist claims user info already stolen
In an X post, Slowmist’s Chief Information Security Officer, 23pds claimed that there is a new variant of the MacSync that bypasses the macOS gatekeeper security system, and it has already hijacked the information of many users.
According to 23pds, to evade detection, the variant employs techniques like file inflation, network connection verification and self-destruct scripts after execution. It can reportedly steal sensitive data like iCloud keychains, browser passwords, and crypto wallets.
The warning came attached to a blog from Jamf Threat Labs, reporting that this is not its first contact with MacSync.
The macOS-targeted information stealer malware reportedly first emerged in April 2025 as “Mac.C”, developed by a threat actor known as “Mentalpositive”. It was rebranded to MacSync shortly after, which it quickly gained traction among cybercriminals.
To protect yourself from it, only download apps from the Mac App Store or trusted developer websites, keep your macOS and apps updated, use reputable antivirus/endpoint security tools that detect macOS threats, and be cautious with unexpected .dmg files or installers, especially those promising crypto-related or messaging tools.
Is there a new MacSync malware?
The sample in question reportedly looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. It differed from earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, as it employs a more deceptive, hands-off approach.
The sample is reportedly delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via https://zkcall.net/download.
That removes the need for any direct terminal interaction. Instead, the dropper retrieves an encoded script from a remote server and executes it via a Swift-built helper executable
Jamf Threat Labs also observed the Odyssey infostealer adopting similar distribution methods in recent variants. They expressed surprise that the familiar right-click open instruction is still present in the new sample, even though the executable is signed and does not require this step.
“After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code-signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4,” they claimed.
They made sure to verify the code directory hashes against Apple’s revocation list, and at the time of analysis, said none had been revoked.
Another notable observation made is the unusually large size of the disk image (25.5MB), which they said appears to be inflated by decoy files embedded within the app bundle.
At the time of analysis, some of the samples uploaded to VirusTotal were detected by only one antivirus engine, while others were flagged by up to thirteen. After confirming that the Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported it to Apple. Since then, the associated certificate has been revoked.
The smartest crypto minds already read our newsletter. Want in? Join them.
