New MacSync Variant Bypasses Apple Security with Deceptive Tactics


By Tina Reynolds


Cybersecurity researchers at Sekoia have recently discovered a new variant of the MacSync macOS information stealer. The stealer, then called Mac.c, first appeared in April 2025. The rebranded malware uses an arsenal of evasion techniques to circumvent the security protections Apple has put in place, including the company’s Gatekeeper system. It is distributed via an iOS app disguised as a messaging app installer; because the app is digitally signed and notarized, it appears entirely legitimate.

This new MacSync variant can exfiltrate data rapidly, and its Go-based agent provides remote command-and-control capabilities. The way it is distributed represents a major step forward in the strategy of attackers going after macOS systems.

Delivery Mechanism and Evasion Techniques

MacSync is delivered as a digitally signed DMG file that has been inflated to 25.5 MB by the insertion of unrelated PDF files. The padding gives the file an appearance of legitimacy that all too easily deceives both users and security defenses.

As soon as the DMG file is opened, the Swift-based dropper goes to work: it runs a few quick checks, then downloads and executes an encoded script. That script runs inside a wrapper component that further improves its stealth, and the use of Base64-encoded payloads masks the true payload of the malware from casual inspection.
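To illustrate the Base64-wrapping step described above, the following is an added analyst-side example written for this article (it is not Sekoia's or Jamf's tooling and not code from the MacSync sample): it scans a script for Base64 literals that are decoded in place, recovers the hidden text for review, and notes whether an interpreter consumes the result. The wrapper script and the hidden command are constructed and harmless.

```python
import base64
import re

# Constructed, harmless command standing in for a hidden payload.
HIDDEN_COMMAND = 'echo "constructed sample payload"'

# Constructed wrapper script in the style described above (hypothetical, not the
# real sample): a Base64 literal is decoded at run time and handed to eval.
SAMPLE_WRAPPER = (
    "#!/bin/sh\n"
    "# looks like an ordinary installer helper\n"
    "ver=$(sw_vers -productVersion)\n"
    "p=$(echo '" + base64.b64encode(HIDDEN_COMMAND.encode()).decode() + "' | base64 -d)\n"
    'eval "$p"\n'
)

# A run of Base64 alphabet characters long enough to be a payload, with optional padding.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# A base64 invocation with a decode flag on the same line.
DECODE_STEP = re.compile(r"\bbase64\b[^|\n]*(-d|-D|--decode)")
# Interpreters that would turn the decoded text into executed commands.
EXEC_SINK = re.compile(r"\b(eval|sh|bash|zsh|osascript|python3?)\b")


def find_encoded_payloads(script: str):
    """Return one finding per Base64 literal decoded on a line of the script.

    Each finding records the 1-based line number, the decoded text, and whether
    an interpreter appears on that line or the next one (a two-line window covers
    the common 'decode into a variable, then eval it' layout).
    """
    lines = script.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not DECODE_STEP.search(line):
            continue
        for match in B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not a valid Base64 literal, or not text: skip it
            window = " ".join(lines[idx:idx + 2])
            # Drop the literal itself before looking for a sink so that '+sh/'
            # inside the Base64 alphabet cannot produce a false match.
            window = B64_LITERAL.sub("", window)
            findings.append({"line": idx + 1, "decoded": decoded,
                             "executed": bool(EXEC_SINK.search(window))})
    return findings


if __name__ == "__main__":
    for f in find_encoded_payloads(SAMPLE_WRAPPER):
        print(f"line {f['line']}: executed={f['executed']} decoded={f['decoded']!r}")
```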

“These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.” – Xhaflaire

Insight from Experts

Cybersecurity professionals offer their insights on the important change in tactics shown by the most recent MacSync variant. Thijs Xhaflaire notes that “unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach.” This evolution shows that attackers have become more sophisticated in their approach.

Jamf emphasizes that “this shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.” This is a troubling trend that is becoming a larger challenge for both users and security systems.

Security Implications

On its own, MacSync’s execution would likely be blocked or flagged by the protection mechanisms built into macOS, such as Gatekeeper or XProtect; its reliance on signed and notarized applications is what complicates detection efforts. The developers of MacSync have engineered their malware to closely resemble legitimate software, making it imperative for users to remain vigilant.

As cyber threats arrive through increasingly sophisticated vectors, macOS users should take proactive security measures. Regular operating system updates, restraint about what is downloaded, and sound overall digital security hygiene all lower the risks tied to this new type of malware.