MacSync Stealer signed Swift dropper and in-memory payload analysis
Technical Analysis
Summary
Hide ▲
Show ▼
Jamf Threat Labs identified a reworked MacSync Stealer sample on macOS that uses a code-signed, notarized Swift application disguised as a messaging app installer to reduce user friction and help it slip past Gatekeeper checks. The dropper is distributed in zk-call-messenger-installer-3.9.2-lts.dmg from zkcall[.]net/download, then performs checks before downloading and executing an encoded script through a helper component. The campaign also uses curl flag changes, dynamic variables, and an unusually large 25.5 MB DMG to improve reliability and evade detection, and Apple revoked the code signing certificate after discovery.
Related Happenings
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
Vulnerability
H score23
First: 25.06.2026 14:00
Last: 25.06.2026 14:00
Sources 1
About this happening:
**macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
H score22
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical AnalysisAbout this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Timeline
-
23.12.2025 18:45 3 articles · 6mo ago
Jamf uncovers signed MacSync Stealer Swift dropper
Initial DisclosureJamf Threat Labs uncovered a reworked MacSync Stealer macOS malware sample during routine threat monitoring while reviewing alerts triggered by internal YARA rules. The sample is a code-signed and notarized Swift application packaged inside a disk image posing as a messaging app installer, and it silently retrieves an encoded script from a remote server through a helper component before execution. Jamf later reported the associated developer certificate to Apple, and Apple revoked it.
Show sources
- Reworked MacSync Stealer Adopts Quieter Installation Process — www.infosecurity-magazine.com — 23.12.2025 18:45
- Reworked MacSync Stealer Adopts Quieter Installation Process — www.infosecurity-magazine.com — 23.12.2025 18:45
- New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper — thehackernews.com — 24.12.2025 18:23