MacSync Mac.C notarized Swift dropper for macOS
Malware Activity
Summary
Hide ▲
Show ▼
The MacSync information stealer now arrives on macOS as a code-signed, notarized Swift app, raising the odds of successful delivery and increasing credential-theft risk. The payload is packaged in a disk image and uses a dropper to evade Gatekeeper, while also checking for internet connectivity and wiping execution scripts. The family emerged in April 2025 as Mac.C and can steal iCloud keychain credentials, browser passwords, wallet data, and files.
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical AnalysisAbout this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical Analysis
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical AnalysisAbout this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Atomic Stealer macOS Script Editor ClickFix campaign
CampaignAbout this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Timeline
-
22.12.2025 22:43 2 articles · 5mo ago
MacSync Mac.C notarized Swift dropper for macOS
Initial DisclosureThe initial phase centered on a **signed DMG dropper** delivered from `https://zkcall.net/download`, packaged to avoid direct Terminal use. The decoded payload then exposed the usual **MacSync Stealer** behavior after basic environment checks.
Show sources
- New MacSync malware dropper evades macOS Gatekeeper checks — www.bleepingcomputer.com — 22.12.2025 22:43
- Reworked MacSync Stealer Adopts Quieter Installation Process — www.infosecurity-magazine.com — 23.12.2025 18:45