Find notable cyber news and cases, enriched with sources, timelines, and signals.

MacSync macOS information stealer variant delivered via signed Swift app

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

A new MacSync malware variant is being delivered through a digitally signed, notarized Swift app disguised as a messaging installer, raising the risk of Gatekeeper bypass on macOS systems. The dropper uses updated fetching and validation steps, and the payload now includes a Go-based agent with remote command-and-control capabilities. The sample was hosted as zk-call-messenger-installer-3.9.2-lts.dmg on zkcall[.]net/download, and Apple revoked the signing certificate after discovery.

Related Happenings

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
H score8 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

OpenAI rotates macOS code-signing certificates after supply-chain exposure

Security Tool/Service
H score12 First: 13.04.2026 20:39 Last: 13.04.2026 20:39 Sources 1

About this happening: **OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...

Timeline

  1. 24.12.2025 18:23 2 articles · 6mo ago

    MacSync signed Swift dropper discovery

    Initial Disclosure

    Researchers identified a new MacSync macOS information stealer variant delivered through a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple Gatekeeper checks. The sample was distributed as "zk-call-messenger-installer-3.9.2-lts.dmg" from zkcall[.]net/download, used a large 25.5 MB DMG with embedded PDF documents, and prompted users to right-click and open the app. The dropper performed connectivity and execution checks, enforced an execution interval of roughly 3600 seconds, removed quarantine attributes, and fetched an encoded payload with modified curl flags and dynamic variables. The decoded payload corresponded to MacSync, a rebranded version of Mac.c that first emerged in April 2025, and Moonlock Lab said the family includes a Go-based agent with remote command-and-control capabilities. Apple revoked the code signing certificate after discovery.

    Show sources