MacSync macOS information stealer variant delivered via signed Swift app
Malware Activity
Summary
Hide ▲
Show ▼
A new MacSync malware variant is being delivered through a digitally signed, notarized Swift app disguised as a messaging installer, raising the risk of Gatekeeper bypass on macOS systems. The dropper uses updated fetching and validation steps, and the payload now includes a Go-based agent with remote command-and-control capabilities. The sample was hosted as zk-call-messenger-installer-3.9.2-lts.dmg on zkcall[.]net/download, and Apple revoked the signing certificate after discovery.
Related Happenings
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
Vulnerability
H score23
First: 25.06.2026 14:00
Last: 25.06.2026 14:00
Sources 1
About this happening:
**macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
H score8
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet Apple App Store wallet-stealing apps
Malware ActivityAbout this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
OpenAI rotates macOS code-signing certificates after supply-chain exposure
Security Tool/Service
H score12
First: 13.04.2026 20:39
Last: 13.04.2026 20:39
Sources 1
About this happening:
**OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...
OpenAI rotates macOS code-signing certificates after supply-chain exposure
Security Tool/ServiceAbout this happening: **OpenAI** is **rotating and revoking macOS code-signing certificates**, forcing users of **ChatGPT Desktop**, **Codex**, **Codex CLI**, and **Atlas** to update so trust in signed...
Timeline
-
24.12.2025 18:23 2 articles · 6mo ago
MacSync signed Swift dropper discovery
Initial DisclosureResearchers identified a new MacSync macOS information stealer variant delivered through a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple Gatekeeper checks. The sample was distributed as "zk-call-messenger-installer-3.9.2-lts.dmg" from zkcall[.]net/download, used a large 25.5 MB DMG with embedded PDF documents, and prompted users to right-click and open the app. The dropper performed connectivity and execution checks, enforced an execution interval of roughly 3600 seconds, removed quarantine attributes, and fetched an encoded payload with modified curl flags and dynamic variables. The decoded payload corresponded to MacSync, a rebranded version of Mac.c that first emerged in April 2025, and Moonlock Lab said the family includes a Go-based agent with remote command-and-control capabilities. Apple revoked the code signing certificate after discovery.
Show sources
- New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper — thehackernews.com — 24.12.2025 18:23
- New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper — thehackernews.com — 24.12.2025 18:23