MacSync macOS information stealer variant delivered via signed Swift app

Malware Activity
1 unique source, 1 article

Summary

A new MacSync malware variant is being delivered through a digitally signed, notarized Swift app disguised as a messaging installer, raising the risk of Gatekeeper bypass on macOS systems. The dropper uses updated fetching and validation steps, and the payload now includes a Go-based agent with remote command-and-control capabilities. The sample was hosted as zk-call-messenger-installer-3.9.2-lts.dmg on zkcall[.]net/download, and Apple revoked the signing certificate after discovery.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

OpenAI rotates macOS code-signing certificates after supply-chain exposure

Security Tool/Service
First: 13.04.2026 20:39 Last: 13.04.2026 20:39 Sources 1

About this happening: **OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Apple iOS outdated-device exploit-kit mitigation advisory

Advisory/Mitigation
First: 20.03.2026 07:16 Last: 20.03.2026 07:16 Sources 1

About this happening: **Apple** is sending **Lock Screen notifications** to **outdated iPhones and iPads** after detecting **active web-based attacks**, urging users to install updates. The latest noti...

Timeline

  1. 24.12.2025 18:23 2 articles · 5mo ago

    MacSync signed Swift dropper discovery

    Initial Disclosure

    Researchers identified a new MacSync macOS information stealer variant delivered through a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple Gatekeeper checks. The sample was distributed as "zk-call-messenger-installer-3.9.2-lts.dmg" from zkcall[.]net/download, used a large 25.5 MB DMG with embedded PDF documents, and prompted users to right-click and open the app. The dropper performed connectivity and execution checks, enforced an execution interval of roughly 3600 seconds, removed quarantine attributes, and fetched an encoded payload with modified curl flags and dynamic variables. The decoded payload corresponded to MacSync, a rebranded version of Mac.c that first emerged in April 2025, and Moonlock Lab said the family includes a Go-based agent with remote command-and-control capabilities. Apple revoked the code signing certificate after discovery.
