MacSync Stealer signed Swift dropper and in-memory payload analysis
Technical Analysis
Summary
Jamf Threat Labs identified a reworked MacSync Stealer sample on macOS that uses a code-signed, notarized Swift application disguised as a messaging app installer to reduce user friction and help it slip past Gatekeeper checks. The dropper is distributed in zk-call-messenger-installer-3.9.2-lts.dmg from zkcall[.]net/download, then performs checks before downloading and executing an encoded script through a helper component. The campaign also uses curl flag changes, dynamic variables, and an unusually large 25.5 MB DMG to improve reliability and evade detection, and Apple revoked the code signing certificate after discovery.
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
GhostLoader staged npm install payload activity
Malware Activity
First: 24.03.2026 14:00
Last: 24.03.2026 14:00
Sources 1
About this happening:
**GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...
Timeline
- 23.12.2025 18:45 · 3 articles
Jamf uncovers signed MacSync Stealer Swift dropper
Initial Disclosure: Jamf Threat Labs uncovered a reworked MacSync Stealer macOS malware sample during routine threat monitoring while reviewing alerts triggered by internal YARA rules. The sample is a code-signed and notarized Swift application packaged inside a disk image posing as a messaging app installer, and it silently retrieves an encoded script from a remote server through a helper component before execution. Jamf later reported the associated developer certificate to Apple, and Apple revoked it.
- Reworked MacSync Stealer Adopts Quieter Installation Process — www.infosecurity-magazine.com — 23.12.2025 18:45
- New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper — thehackernews.com — 24.12.2025 18:23