Find notable cyber news and cases, enriched with sources, timelines, and signals.

MacSync Stealer signed Swift dropper and in-memory payload analysis

Technical Analysis
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

Jamf Threat Labs identified a reworked MacSync Stealer sample on macOS that uses a code-signed, notarized Swift application disguised as a messaging app installer to reduce user friction and help it slip past Gatekeeper checks. The dropper is distributed in zk-call-messenger-installer-3.9.2-lts.dmg from zkcall[.]net/download, then performs checks before downloading and executing an encoded script through a helper component. The campaign also uses curl flag changes, dynamic variables, and an unusually large 25.5 MB DMG to improve reliability and evade detection, and Apple revoked the code signing certificate after discovery.

Related Happenings

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
H score22 First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Timeline

  1. 23.12.2025 18:45 3 articles · 6mo ago

    Jamf uncovers signed MacSync Stealer Swift dropper

    Initial Disclosure

    Jamf Threat Labs uncovered a reworked MacSync Stealer macOS malware sample during routine threat monitoring while reviewing alerts triggered by internal YARA rules. The sample is a code-signed and notarized Swift application packaged inside a disk image posing as a messaging app installer, and it silently retrieves an encoded script from a remote server through a helper component before execution. Jamf later reported the associated developer certificate to Apple, and Apple revoked it.

    Show sources