MacSync Mac.C notarized Swift dropper for macOS
Malware Activity
Summary
Hide ▲
Show ▼
The MacSync information stealer now arrives on macOS as a code-signed, notarized Swift app, raising the odds of successful delivery and increasing credential-theft risk. The payload is packaged in a disk image and uses a dropper to evade Gatekeeper, while also checking for internet connectivity and wiping execution scripts. The family emerged in April 2025 as Mac.C and can steal iCloud keychain credentials, browser passwords, wallet data, and files.
Related Happenings
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
Vulnerability
H score23
First: 25.06.2026 14:00
Last: 25.06.2026 14:00
Sources 1
About this happening:
**macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
H score22
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical AnalysisAbout this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical Analysis
H score20
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical AnalysisAbout this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
Timeline
-
22.12.2025 22:43 2 articles · 6mo ago
MacSync Mac.C notarized Swift dropper for macOS
Initial DisclosureThe initial phase centered on a **signed DMG dropper** delivered from `https://zkcall.net/download`, packaged to avoid direct Terminal use. The decoded payload then exposed the usual **MacSync Stealer** behavior after basic environment checks.
Show sources
- New MacSync malware dropper evades macOS Gatekeeper checks — www.bleepingcomputer.com — 22.12.2025 22:43
- Reworked MacSync Stealer Adopts Quieter Installation Process — www.infosecurity-magazine.com — 23.12.2025 18:45